• Table of Contents:
• Title Page
• Chapter 1: Security Policy
• Chapter 2: Security Organisation
• Chapter 3: Information Classification
• Chapter 4: Control of Classified Material
• Chapter 5: Personnel Security
• Chapter 6: Contractors and Other Third-Party Access
• Chapter 7: Physical and Environmental Security
• Chapter 8: Communications and Systems Security Management
• Chapter 9: Control of Access to Information Systems
• Cross-Reference to AS/NZ ISO/IEC 17799:2001
• Glossary of Abbreviations

Chapter 7: Physical and Environmental Security

"Defence in Depth"

1. Risk management allows flexibility through various levels of protection against unauthorised access to classified material.

2. Protective security uses a multi-layered approach, known as "defence in depth". Defence in depth means combining several measures to make unauthorised access difficult for an external intruder or an employee who does not "need to know". These measures should complement and support one another. They may control:

• physical space

• procedures

• personnel

• technology.

3. Physical security measures must be designed to meet the threat to security posed by the ill-intentioned person who already has authority to enter the site, building or secure zone, rather than the intruder from outside.

4. The main physical defences are those nearest the protected information. In a government organisation with much classified material, other precautions may be needed for "defence in depth" or to guard against human error. Precautions may include:

• security keys and containers to protect classified information

• access control measures

• security alarm systems to detect unauthorised access and alert a response

• physical barriers to deter, detect and delay unauthorised entry.

5. Physical measures may be complemented by procedural and personnel measures such as:

• the "need to know" principle, limiting access to official information to people who require it to carry out their duties

• a security classification system that identifies material that needs special protection

• a personnel security system that ensures appropriate approval or clearance for access to official material

• logical controls which minimise security risks to departmental IT systems

• education or training programme.

Security Awareness

6. Good security must include the co-operation of staff who fully know their responsibilities. Managers and staff should receive security education to meet their individual responsibilities and needs.

7. For specialist advice on security awareness training, consult the NZSIS.

Planning Accommodation

8. Careful planning of the layout within a site, building or secure zone can reduce security vulnerabilities and costs.

9. For guidance on security aspects of accommodation planning, see the NZSIS Protective Security Manual.

Physical Security Perimeter

10. Physical protection can come from establishing several security perimeters around facilities storing classified material. A security perimeter is any physical barrier such as a wall, card-controlled entry or staffed reception desk.

11. A risk assessment will help decide the location, strength and nature of each barrier.

12. A perimeter may be:

• natural boundaries

• fences or walls

• the outer walls of a building

• divisions within a building.

13. The purpose of a perimeter is to physically, psychologically or legally deter intruders.

14. Perimeter security may be enhanced by:

• perimeter intrusion-detection systems (PIDS)

• security lighting

• closed-circuit television (CCTV)

• security guards

• warning signs and notices.

15. For guidelines see the NZSIS Protective Security Manual.

Storage Facilities

16. Facilities for the storage of classified material may comprise sites containing a number of buildings, buildings standing alone or secure zones within buildings.

Surveys

17. Facilities that will store classified material should be surveyed for securing all possible means of access, including:

• all entrances

• ground-floor or accessible windows

• skylights

• personnel inspection covers and the like.

18. Surveys should be repeated at frequent intervals, preferably every 12 months or when its use or the threat level changes.

19. For guidance on securing building exteriors, see the NZSIS Protective Security Manual.

Security Assessment

20. In assessing security risks, facilities are rated by level of resistance to forced and surreptitious attack. The ratings are:

• Grade I - specially designed structural barriers that deny unauthorised entry outside normal working hours

• Grade II - structural barriers that deter unauthorised entry outside normal working hours

• Grade III - standard building material and hardware that provide limited security.

21. Assessments should also consider security threats from neighbouring premises.

22. Facilities used to process or store classified material should:

• be unobtrusive

• have minimum indication of purpose

• have no obvious signs either outside or inside suggesting the presence of classified material.

General Design Features

23. Facilities that store or process classified material should have as few access points as safety and the functions of the site allow.

24. Access points should have physical security controls such as:

• window bars

• grilles

• shutters

• security doors.

25. Controls may be enhanced by intrusion-detection systems, CCTV or guard services.

26. For more to consider when assessing security risks and appropriate countermeasures see the NZSIS Protective Security Manual.

Intrusion-Detection Systems

27. Intrusion-detection systems (IDS) are designed to detect actual or attempted unauthorised entry, identify its location and signal a response with an alarm. IDS can:

• provide continuous surveillance over secure areas

• extend coverage into areas not usually accessible to guards.

28. When selecting, installing and using IDS, take care to avoid the possibility of:

• intruders circumventing the system

• technical problems

• excessive false alarms.

29. Organisations considering an IDS for areas with national security material classified CONFIDENTIAL or above must consult the guidelines in the NZSIS Protective Security Manual. Seek advice from NZSIS if in doubt about any aspect of a system or its installation.

Non-Governmental Standards and Agencies

30. Two New Zealand Standards and one non-governmental agency directly address intrusion-detection systems:

• NZS 4301:Part 1:1993 Intruder Alarm Systems - applies to systems installed in client's premises, including systems which comply with occupancy class 4 - national and corporate security

• NZS 4301:Part 3:1993 Intruder Alarm Systems - applies to detection devices for internal use

• National Supervisory Council for Security Systems (NSCSS) - applies to devices of any occupational class, including class 4 - national and corporate security, approved by NSCSS (see Chapter 2 paragraph 58).

31. Systems or devices which comply with these standards are not approved to protect national security material classified CONFIDENTIAL or above (see paragraph 0). However, for protection of official information classified RESTRICTED or SENSITIVE and below, NSCSS approved IDS may be considered to provide a level of assurance that other systems may not provide.

Physical Entry Controls

32. Secure areas should be protected from unauthorised access by controls such as:

• authentication controls, such as card plus PIN, to authorise and validate entry to areas with classified information, including information-processing facilities

• a securely maintained audit trail of access

• some form of visible identification worn by all staff

• a policy of challenging unescorted strangers and anyone not wearing identification

• regular review and update of access rights to secure areas

• controls for visitors:

  • supervision or clearance for specific, authorised purposes
  • instructions on emergency procedures and security requirements
  • recording their date and time of entry and departure.

33. For more detail on using physical entry control systems, see the NZSIS Protective Security Manual

Visitors

34. Visitors to areas housing official information should not be allowed unrestricted movement.

35. Prior notice should be given to the guard or receptionist of expected visitors and whether they need to be escorted within the building.

36. On arrival, each visitor should be:

• issued a pass that is clearly displayed

• conducted either to the "host" or to a waiting room observed by a receptionist or guard.

37. Unless they have given prior notice of a visit, "hosts" should be asked by telephone if they will receive visitors.

38. If calling on more than one person, a visitor should be escorted between offices.

39. The last-visited person must make sure that a visitor leaves the building when their business is complete, and that they return any issued pass to the guard or receptionist. The last-visited person or an assigned staff member should escort the visitor to the exit.

40. Entry and exit to areas where classified material may be visible or accessible should be avoided. Visitors should be:

• advised that no photographs or recordings of any type may be taken at any time during the visit to areas where classified information is held, processed or handled, except with specific departmental approval

• asked, where necessary, to hand in mobile telephones and other recording and communications equipment.

41. To be effective, measures for visitor control should include a register of each visitor's name and the staff member authorising the visit. It should also show:

• the visitor's department, agency or firm; or in the case of private individuals, their private address

• the names of employees visited

• the times of the visitor's arrival and departure

• the reason for the visit.

42. The visitor control record should be held at the guard or reception point, or by a designated employee if there is no guard or reception point.

43. The visitor control record should be covered to prevent visitors from seeing details of other visitors.

44. At the end of each day, all visitors' passes should be checked, and action taken to account for any not returned.

45. The visitor register should be retained for a period of two years, to be available for any possible security investigations.

46. In organisations with a large flow of inquiries or visitors, the reception desk should be near the main entrance.

Entry by Media Representatives

47. If permission is granted for visits by media representatives to areas where classified material is used, handled or stored, the following additional procedures should be observed:

• a designated staff member should accompany media representatives throughout the visit

• classified material should be locked away or at least hidden

• the media representatives must be reminded that no photographs or recordings of any type may be taken at any time during the visit, except with specific approval of their escorting staff member.

Instructions to Guards or Receptionists

48. Where guards or receptionists carry out security functions such as checking passes or maintaining records of staff entering or leaving at unusual hours, they should receive precise written instructions which should contain:

• details on which pass holders may be admitted

• names and telephone numbers to report incidents of security significance both during and outside working hours.

49. The instructions should be customised for every entrance to every building.

50. Close liaison between those controlling the guards or receptionists and the organisation's security personnel will ensure that:

• the written instructions are understood, observed and updated

• the guards or receptionists carry out their duties well.

Securing Facilities, Rooms and Offices

51. A secure zone may be a locked office, or several rooms inside a physical security perimeter, which may be locked or contain lockable cabinets or safes.

52. Consider the following controls for secure zones:

• locate important facilities away from public access

• lock unattended doors and windows

• use external protection for windows, particularly at ground level

• install intrusion-detection systems:

  • to professional standards
  • with regular testing
  • to cover all external doors and accessible windows
  • to alarm unoccupied areas at all times and other areas as needed
• locate information-processing facilities managed by the organisation in a different place than those managed by third parties

• locate support functions and equipment such as photocopiers and fax machines in a secure area so that information cannot be compromised

• restrict public access to directories and internal telephone books that identify the location of "sensitive" facilities.

Security Containers

53. The protection of classified material depends on:

• the security container

• the lock on the container

• the location of the container within the site, building or secure zone.

54. For minimum requirements for locks, containers and their sites, when storing material classified CONFIDENTIAL and above, see the NZSIS Protective Security Manual;for a list of approved equipment for storing material classified CONFIDENTIAL or above, see Part 2, "Equipment Catalogue".

[ Previous | Next ]