Physical Controls (Domain 7)

Req: Define and use security perimeters to protect areas that contain sensitive information and associated information processing facilities. Perimeters must be clearly defined, physically sound, and commensurate with the value of the assets they protect.

Impl: Identify all areas containing in-scope assets: server rooms, network equipment, paper document storage, executive offices with sensitive data. Define perimeter type per area: locked door (basic), alarmed zone (intermediate), access-controlled secure area (advanced). Document the perimeter map. Physical perimeters must have no gaps — check false ceilings, raised floors, shared wall partitions.

Req: Secure areas must be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Entry controls must log and manage access.

Impl: For each perimeter zone: define who is authorized, what verification method is used (PIN, card, biometric), and how access is granted and revoked. Install access control readers for server rooms and other secure areas. Maintain access logs. Review access rights regularly — include physical access in the quarterly access review. Visitor management: sign-in, escort requirement, temporary access badge.

Req: Design and apply physical security for offices, rooms, and facilities. Security design should follow 'security by default' principles — not an afterthought.

Impl: Apply defense-in-depth to physical layout: reception buffer zone, general office access-controlled, server room highest restriction. Key design principles: no external signage identifying the location of sensitive assets, no visitor view of security systems, secure areas not visible through windows. Fire doors meet fire resistance standards. Server room: locked, ventilated, alarmed, temperature-controlled.

Req: Premises must be monitored for unauthorized physical access. Monitoring must be continuous or risk-based and must cover all entry points to secure areas. Monitoring records must be retained and reviewed.

Impl: Deploy CCTV or equivalent monitoring at: main building entrances, server room entrance, secure area access points. Define retention period for monitoring recordings (typically 30–90 days, aligned with regulatory requirements). Assign monitoring review responsibility. Define the response procedure when unauthorized access is detected. For small organizations: alternative to CCTV includes security guard logs and alarm system records.

Req: Design and apply physical protection against natural disasters, deliberate attacks, and accidents. Identify threats relevant to the location and implement appropriate countermeasures.

Impl: Identify physical threats for the specific location: flooding risk (Jakarta/coastal cities), earthquake risk (Java, Sumatra), fire risk, power failure, civil unrest. For each identified threat: implement countermeasure (elevated server room floor for flooding, UPS and generator for power, fire suppression for fire). Document the threat assessment and the controls implemented. Test controls annually (generator test, fire suppression test, UPS failover test).

Req: Design and apply procedures for working in secure areas. Minimize unsupervised work in secure areas. Control what can be brought into and out of secure areas.

Impl: Publish secure area working rules covering: no photography without authorization, no personal devices unless specifically approved, escorts required for non-authorized visitors, lone working in high-security areas requires defined controls, what can be removed from secure areas and how. Post rules at secure area entrances.

Req: A clear desk policy for papers and removable media and a clear screen policy for information processing facilities must be defined and enforced. Sensitive information must not be left exposed when areas are unattended.

Impl: Define the clear desk policy: all papers filed or shredded when leaving desk, removable media stored securely, sensitive documents not left on printers. Define clear screen: automatic screen lock after defined inactivity period (≤5 minutes), manual lock required when leaving workstation. Conduct periodic walk-around audits to verify compliance. Connect violations to disciplinary process.

Req: Equipment must be sited and protected to reduce risks from environmental threats and hazards, and opportunities for unauthorized access. Physical layout must protect equipment.

Impl: Server racks not visible from reception or windows. UPS and power equipment protected from water exposure. Network switches and patch panels in locked cabinets. End-user equipment positioned so screens are not visible from public areas or from desk neighbor view if handling confidential data (privacy screens where warranted).

Req: Assets used off-premises must be protected. Laptops, mobile devices, and any equipment taken outside the organization's premises must be subject to security controls equivalent to those applied on-premises.

Impl: Define off-premises asset security requirements in the acceptable use policy and remote working policy: full disk encryption mandatory, screen lock required, no leaving devices unattended in public, report loss/theft within 1 hour. Maintain a register of assets authorized for off-site use. For high-sensitivity work in public: use privacy screens, avoid public WiFi for sensitive data.

Req: Storage media must be managed through its lifecycle: acquisition, use, transportation, and disposal. Media containing sensitive data requires special handling and authorized disposal.

Impl: Maintain a register of all removable media (USB drives, external hard drives, backup tapes) containing in-scope data. Define authorization controls for removable media use. Encrypt removable media containing sensitive or personal data. For media transport: use approved courier with tracking. For media disposal: certificate of secure destruction required for media containing sensitive or personal data.

Req: Equipment must be protected from power failures and other disruptions caused by failures in supporting utilities. UPS for critical systems, generator for extended outages, power conditioning where required.

Impl: Map utility dependencies for all in-scope systems: power, cooling, water (for some cooling systems), internet connectivity. For each critical dependency: implement appropriate resilience (UPS for short outages, generator for extended, redundant ISP connections). Test annually. Monitor utility status continuously. Define response procedure for utility failures.

Req: Power and telecommunications cabling carrying data or supporting information services must be protected from interception, interference, or damage. Physical cabling infrastructure must be documented.

Impl: Document all cabling routes in a cabling diagram. Protect data cables from physical damage: use conduit in high-risk areas, secure patch panels in locked cabinets. Separate power and data cabling runs to prevent interference. Label all cables clearly. Inspect cabling infrastructure annually as part of physical security audit.

Req: Equipment must be correctly maintained to ensure its continued availability and integrity. Maintenance must follow manufacturer recommendations. Maintenance records must be retained.

Impl: Maintain an equipment maintenance schedule covering: UPS battery replacement cycle, server hardware maintenance contracts (vendor SLAs), generator servicing, HVAC/cooling system maintenance. Retain maintenance records. For externally maintained equipment: ensure maintenance only by authorized personnel, record all maintenance activities, verify equipment integrity after maintenance. Sensitive data must be removed before equipment leaves the organization's control for maintenance.

Req: All items of equipment containing storage media must be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Impl: Define a secure disposal procedure covering: hard disk drives (NIST SP 800-88 media sanitization guidelines — overwrite, degauss, or physical destruction based on data sensitivity), SSDs (specific secure erase commands or physical destruction for high-sensitivity data), mobile devices (factory reset + MDM unenrollment), paper documents (cross-cut shredding). Obtain and retain destruction certificates from third-party disposal vendors. Personal data on disposed equipment must be permanently irrecoverable — relevant to UU PDP.