Skip to main content

This chapter of the ISM provides guidance on physical security.

Protecting physical assets is an important part of a ensuring an organisation’s cyber security. This chapter outlines physical security measures for facilities and systems, ICT equipment and media.

Facilities and systems

Facilities containing systems

The application of defence-in-depth to the protection of systems is enhanced through the use of successive layers of physical security. The first layer of security is the use of Security Zones for a facility.

Deployable platforms should meet physical security requirements as per any other system. Notably, physical security certification authorities dealing with deployable platforms may have specific requirements that supersede the security controls in these guidelines. As such, personnel should contact their physical security certification authority to seek guidance.

In the case of deployable platforms, physical security requirements may also include perimeter controls, building standards and manning levels.

Security Control: 0810; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system.

Server rooms, communications rooms and security containers

The second layer in the protection of systems is the use of a higher Security Zone or secure room for a server room or communications room while the final layer is the use of lockable commercial cabinets or security containers. All layers are designed to limit access to people without the appropriate authorisation to access systems at a facility.

Security Control: 1053; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification.

Security Control: 1530; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in.

Security Control: 0813; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Server rooms, communications rooms and security containers are not left in unsecured states.

Security Control: 1074; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled.

Network infrastructure

While physical security can provide a degree of protection to data communicated over network infrastructure, organisations can have reduced control over data when it is communicated over network infrastructure in areas not authorised for the processing of such data. For this reason, it is important that data communicated over network infrastructure outside of areas in which it is authorised to be processed is appropriately encrypted.

Security Control: 0157; Revision: 6; Updated: Jun-21; Applicability: O, P, S, TS
Data communicated over network infrastructure in areas not authorised for the processing of such data is encrypted as if it was communicated through unsecured spaces.

Controlling physical access to network devices

Adequate physical protection should be provided to network devices, especially those in public areas, to prevent an adversary physically damaging a network device with the intention of interrupting services.

Physical access to network devices can also allow an adversary to reset devices to factory default settings by pressing a physical reset button, connecting a serial interface to a device or connecting directly to a device to bypass any access controls. Resetting a network device to factory default settings may disable security settings on the device including authentication and encryption functions as well as resetting administrator accounts and passwords to known defaults. Even if access to a network device is not gained by resetting it, it is highly likely a denial of service will occur.

Physical access to network devices can be restricted through methods such as physical enclosures that prevent access to console ports and factory reset buttons, mounting devices on ceilings or behind walls, or placing devices in locked rooms or cabinets.

Security Control: 1296; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access.

Bringing Radio Frequency and infrared devices into facilities

Radio Frequency (RF) devices, such as mobile devices, wireless keyboards and Bluetooth devices (e.g. keyboards, headphones and pointers), as well as infrared (IR) devices, can pose a security risk to organisations, especially when they are capable of recording or transmitting highly classified audio or data. In highly classified environments, it is important that organisations understand the security risks associated with the introduction of such devices and should maintain a register of those that have been authorised for use in such environments.

In deciding which RF or IR devices to authorise to be brought into SECRET and TOP SECRET areas, organisations may want to consider any existing mitigating measures such as whether any IR communications would be prevented from travelling outside secured spaces, whether systems of different sensitives or classifications are used in the same spaces, and if any temporary or permanent method of blocking RF or IR transmissions has been applied to windows or the facility.

Security Control: 1543; Revision: 2; Updated: Sep-21; Applicability: S, TS
An authorised RF and IR device register is maintained and regularly audited for SECRET and TOP SECRET areas.

Security Control: 0225; Revision: 3; Updated: Sep-21; Applicability: S, TS
Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas.

Security Control: 0829; Revision: 4; Updated: Mar-19; Applicability: S, TS
Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas.

Preventing observation by unauthorised people

The inside of facilities without sufficient perimeter security are often exposed to observation through windows. Ensuring systems are not visible through windows will assist in reducing this security risk. This can be achieved by using blinds or curtains on windows.

Security Control: 0164; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards.

Further information

Further information on emanation security considerations associated with bringing RF devices into highly classified environments can be found in the emanation security section of the Guidelines for Communications Infrastructure.

Further information on encryption can be found in the Guidelines for Cryptography.

Further information on the certification and accreditation authorities for physical security can be found in the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (PSPF), Entity facilities policy.

Further information on physical security for Security Zones, secure rooms and security containers can be found in AGD’s PSPF, Entity facilities policy.

ICT equipment and media

Securing ICT equipment and media

ICT equipment and media needs to be secured when not in use. This can be achieved by implementing one of the following approaches:

  • securing ICT equipment and media in an appropriate security container or secure room
  • using ICT equipment without hard drives and sanitising memory at shut down
  • encrypting hard drives of ICT equipment and sanitising memory at shut down
  • sanitising memory of ICT equipment at shut down and removing and securing any hard drives.

If none of the above approaches are feasible, organisation may wish to minimise the potential impact of not securing ICT equipment when not in use. This can be achieved by preventing sensitive or classified data from being stored on hard drives (e.g. by storing user profiles and documents on network shares), removing temporary user data at logoff, scrubbing virtual memory at shut down, and sanitising memory at shut down. It should be noted though that there is no guarantee that such measures will always work effectively or will not be bypassed due to circumstances such as an unexpected loss of power. Therefore, hard drives in such cases will retain their sensitivity or classification for the purposes of reuse, reclassification, declassification, sanitisation, destruction and disposal.

Security Control: 0161; Revision: 5; Updated: Mar-19; Applicability: O, P, S, TS
ICT equipment and media are secured when not in use.

Further information

Further information on ICT equipment and media can be found in the Guidelines for Communications Systems, Guidelines for ICT Equipment and Guidelines for Media.

Further information on the encryption of media can be found in the Guidelines for Cryptography.

Further information on the handling of ICT equipment can be found in AGD’s PSPF, Physical security for entity resources policy.