Policy Reference
Category | Physical Security |
Approval Date | 01-29-2010 |
Scope | All Personnel |
Purpose
To control and monitor physical access to confidential and sensitive information.
Policy
- The City will monitor physical access at all access points where confidential and sensitive information is stored.
- The City will use cameras to monitor sensitive areas, auditing the video data and correlating it with other entities when necessary, while ensuring that the video data is stored for at least three months.
- The City will control physical access to physical areas containing confidential or sensitive data by authenticating visitors before authorizing access to facilities or areas other than areas designated as publicly accessible.
- The City will ensure that visitors are specifically designated as authorized or not authorized to enter areas where confidential information is managed or stored.
- The City will ensure that all visitors in said areas are issued, and prominently display, their non-employee visitor badge or token.
- The City will ensure that all visitors are asked to surrender any physical tokens they were issued (card keys, badges) before leaving the facilities, or when the token has expired.
- The City will maintain a visitor log or other audit trail of visitor activity, and ensure that the log or audit trail is retained for a minimum of three months.
- The City will enter the user's name, firm, and areas of acceptable access into the visitor log.
- The City will maintain all records in the visitor log for a minimum of 90 days or as otherwise prescribed by law.
- The City will ensure that it places its routers and other key managed networking devices in either locked cabinets or locked rooms.
- The City will restrict access to cryptographic keys to the fewest number of custodians necessary.
Compliance
- Restrict physical access to cardholder data. § 9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2
- Procedures should be developed to provide for the physical and environmental protection of buildings, staff, media, papers, storage areas, desktop computers, and laptop computers. SM4.5.2, CB3.3.2(d), CI2.4.2(d), UE4.1.1(b), UE6.4.1, The Standard of Good Practice for Information Security
- The organization must ensure that physical access to cardholder data environments is monitored and controlled. § 9.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
- SM4.5.3(c), CI2.8.7(b), The Standard of Good Practice for Information Security
- A log should be kept of all visitors to the site. The log should contain the date and time of entry and departure. Visitors should be supervised at all times, unless they have been previously approved. § 9.1.2, ISO 17799:2005 Code of Practice for Information Security Management