Certification and accreditation authorities
Information on the certification and accreditation authorities for physical security are outlined in the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (PSPF), Entity facilities policy.
Facilities containing systems
The application of defence-in-depth to the protection of systems is enhanced through the use of successive layers of physical security. The first layer of security is the use of Security Zones for a facility.
Deployable platforms should meet physical security requirements as per any other system. Notably, physical security certification authorities dealing with deployable platforms may have specific requirements that supersede the security controls in these guidelines. As such, personnel should contact their physical security certification authority to seek guidance.
In the case of deployable platforms, physical security requirements may also include perimeter controls, building standards and manning levels.
Security Control: 0810; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system.
Server rooms, communications rooms and security containers
The second layer in the protection of systems is the use of a higher Security Zone or secure room for a server room or communications room while the final layer is the use of lockable commercial cabinets or security containers. All layers are designed to limit access to people without the appropriate authorisation to access systems at a facility.
Security Control: 1053; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification.
Security Control: 1530; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in.
Security Control: 0813; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Server rooms, communications rooms and security containers are not left in unsecured states.
Security Control: 1074; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled.
While physical security can provide a degree of protection to information communicated over network infrastructure, organisations can have reduced control over information when it is communicated over network infrastructure in areas not authorised for the processing of such information. For this reason, it is important that information communicated over network infrastructure outside of areas in which it is authorised to be processed is appropriately encrypted.
Security Control: 0157; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces.
Controlling physical access to network devices
Adequate physical protection should be provided to network devices, especially those in public areas, to prevent an adversary physically damaging a network device with the intention of interrupting services.
Physical access to network devices can also allow an adversary to reset devices to factory default settings by pressing a physical reset button, connecting a serial interface to a device or connecting directly to a device to bypass any access controls. Resetting a network device to factory default settings may disable security settings on the device including authentication and encryption functions as well as resetting administrator accounts and passwords to known defaults. Even if access to a network device is not gained by resetting it, it is highly likely a denial of service will occur.
Physical access to network devices can be restricted through methods such as physical enclosures that prevent access to console ports and factory reset buttons, mounting devices on ceilings or behind walls, or placing devices in locked rooms or cabinets.
Security Control: 1296; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access.
Preventing observation by unauthorised people
The inside of facilities without sufficient perimeter security are often exposed to observation through windows. Ensuring systems and information are not visible through windows will assist in reducing this security risk. This can be achieved by using blinds or curtains on windows.
Security Control: 0164; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards.
Further information on encryption can be found in the Guidelines for Cryptography.
Further information on physical security for Security Zones, secure rooms and security containers can be found in AGD’s PSPF, Entity facilities policy, at https://www.protectivesecurity.gov.au/physical/entity-facilities/Pages/default.aspx.