Skip to main content

Guidelines for Physical Security

This chapter of the ISM provides guidance on physical security.

Protecting physical assets is an important part of a ensuring an organisation’s cyber security. This chapter outlines physical security measures for facilities and systems, ICT equipment and media.

Facilities and systems

Physical access to systems

The application of the defence-in-depth principle to the protection of systems is enhanced through the use of successive layers of physical security. The first layer of physical security being the use of a security zone for facilities containing systems.

Deployable platforms should also meet physical security requirements. Notably, physical security certification authorities dealing with deployable platforms may have specific requirements that supersede the security controls in these guidelines. This may include perimeter controls, building standards and manning levels. As such, organisations implementing deployable platforms should contact their physical security certification authority to seek additional guidance.

Security Control: 0810; Revision: 5; Updated: Dec-21; Applicability: O, P, S, TS
Systems are secured in facilities that meet the requirements for a security zone suitable for their sensitivity or classification.

Physical access to servers, network devices and cryptographic equipment

The second layer of physical security is the use of an additional security zone for a server room or communications room. This is then further supplemented by the use of security containers or secure rooms for the protection of servers, network devices and cryptographic equipment.

Security Control: 1053; Revision: 3; Updated: Dec-21; Applicability: O, P, S, TS
Servers, network devices and cryptographic equipment are secured in server rooms or communications rooms that meet the requirements for a security zone suitable for their sensitivity or classification.

Security Control: 1530; Revision: 1; Updated: Dec-21; Applicability: O, P, S, TS
Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their sensitivity or classification taking into account the combination of security zones they reside in.

Security Control: 0813; Revision: 4; Updated: Dec-21; Applicability: All
Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states.

Security Control: 1074; Revision: 3; Updated: Dec-21; Applicability: All
Keys or equivalent access mechanisms to server rooms, communications rooms, security containers and secure rooms are appropriately controlled.

Physical access to network devices in public areas

Unprotected network devices in public areas could lead to either accidental or deliberate physical damage resulting in an interruption of services. Alternatively, unauthorised access to network devices may allow an adversary to reset them to factory default settings, thereby removing any security controls, or connect directly to them in order to bypass network access controls. Even if access to a network device is not gained by resetting it to factory default settings, it is highly likely that it will cause an interruption of services.

Physical access to network devices can be restricted through physical security controls such as enclosures that prevent access to their console ports and factory reset buttons, mounting them on ceilings or behind walls, or securing them in security containers.

Security Control: 1296; Revision: 3; Updated: Dec-21; Applicability: All
Physical security controls are implemented to protect network devices in public areas from physical damage or unauthorised access.

Bringing Radio Frequency and infrared devices into facilities

Radio Frequency (RF) devices, such as mobile devices, wireless keyboards and Bluetooth devices (e.g. keyboards, headphones and pointers), as well as infrared (IR) devices, can pose a security risk to organisations, especially when they are capable of recording or transmitting audio or data. In SECRET and TOP SECRET areas, it is important that organisations understand the security risks associated with the introduction of RF and IR devices and maintain a register of those that have been authorised for use in such environments.

In deciding which RF or IR devices to authorise to be brought into SECRET and TOP SECRET areas, organisations should consider any existing mitigating measures such as whether any IR communications would be prevented from travelling outside secured spaces, whether systems of different sensitives or classifications are used in the same spaces, and if any temporary or permanent method of blocking RF or IR transmissions has been applied to the facility.

Security Control: 1543; Revision: 2; Updated: Sep-21; Applicability: S, TS
An authorised RF and IR device register is maintained and regularly audited for SECRET and TOP SECRET areas.

Security Control: 0225; Revision: 3; Updated: Sep-21; Applicability: S, TS
Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas.

Security Control: 0829; Revision: 4; Updated: Mar-19; Applicability: S, TS
Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas.

Preventing observation by unauthorised people

Without sufficient perimeter security, the inside of a facility is often observable by unauthorised people, either directly or with the assistance of equipment using a telephoto lens. Ensuring systems, in particular workstation displays and keyboards, are not visible through windows, such as via the use of blinds, curtains, privacy films or workstation positioning, will assist in reducing this security risk.

Security Control: 0164; Revision: 3; Updated: Dec-21; Applicability: All
Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities.

Further information

Further information on emanation security considerations associated with bringing RF devices into SECRET and TOP SECRET areas can be found in the emanation security section of the Guidelines for Communications Infrastructure.

Further information on the certification and accreditation authorities for physical security can be found in the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (PSPF), Entity facilities policy.

Further information on the physical security requirements for specific security zones can be found in AGD’s PSPF, Entity facilities policy.

Further information on selecting security zones, security containers and secure rooms for the protection of ICT equipment can be found in AGD’s PSPF, Physical security for entity resources policy.

ICT equipment and media

Securing ICT equipment and media

ICT equipment and media needs to be secured when not in use. This can be achieved by implementing one of the following approaches:

  • securing ICT equipment and media in an appropriate security container or secure room
  • using ICT equipment without hard drives and sanitising memory at shut down
  • encrypting hard drives of ICT equipment and sanitising memory at shut down
  • sanitising memory of ICT equipment at shut down and removing and securing any hard drives.

If none of the above approaches are feasible, organisation may wish to minimise the potential impact of not securing ICT equipment when not in use. This can be achieved by preventing sensitive or classified data from being stored on hard drives (e.g. by storing user profiles and documents on network shares), removing temporary user data at logoff, scrubbing virtual memory at shut down, and sanitising memory at shut down. It should be noted though that there is no guarantee that such measures will always work effectively or will not be bypassed due to circumstances such as an unexpected loss of power. Therefore, hard drives in such cases will retain their sensitivity or classification for the purposes of reuse, reclassification, declassification, sanitisation, destruction and disposal.

Security Control: 0161; Revision: 5; Updated: Mar-19; Applicability: All
ICT equipment and media are secured when not in use.

Further information

Further information on ICT equipment and media can be found in the Guidelines for Communications Systems, Guidelines for ICT Equipment and Guidelines for Media.

Further information on the encryption of media can be found in the Guidelines for Cryptography.

Further information on selecting security zones, security containers and secure rooms for the protection of ICT equipment can be found in AGD’s PSPF, Physical security for entity resources policy.

Was this information helpful?
Was this information helpful?

Thanks for your feedback!

 
Optional

Tell us why this information was helpful and we’ll work on making more pages like it