12 new national NIS2 framework versions published! Read more ->
Cyberday back to normal - related blog
Physical access to the facility, servers and network components shall be managed.
Guidance
- Consider to strictly manage keys to access the premises and alarm codes. The following rules should be considered:
- Always retrieve an employee's keys or badges when they leave the company permanently.
- Change company alarm codes frequently.
- Never give keys or alarm codes to external service providers (cleaning agents, etc.), unless it is possible to trace these accesses and restrict them technically to given time slots.
- Consider to not leaving internal network access outlets accessible in public areas. These public places can be waiting rooms, corridors...
Physical access shall be managed, including measures related to access in emergency situations.
Guidance
- Physical access controls may include, for example lists of authorized individuals, identity credentials, escort requirements, guards, fences, turnstiles, locks, monitoring of facility access, camera surveillance.
- The following measures should be considered:
- Implement a badge system and create different security zones.
- Limit physical access to servers and network components to authorized personnel.
- Log all access to servers and network components.
- Visitor access records should be maintained, reviewed and acted upon as required.
Physical access to critical zones shall be controlled in addition to the physical access to the facility.
Guidance
E.g. production, R&D, organization’s critical systems equipment (server rooms…)
Assets related to critical zones shall be physically protected.
Guidance
- Consider protecting power equipment, power cabling, network cabling, and network access interfaces from accidental damage, disruption, and physical tampering.
- Consider implementing redundant and physically separated power systems for organization’s critical operations.
Visitors shall have access to secure areas only with permission, after they are appropriately identified and their access rights shall be limited to the necessary facilities. All visits are recorded in the visitor log. In addition, staff have guidelines about safe operating in connection with visits.
Secure areas of the organization cannot be accessed unnoticed. The premises are protected by appropriate access control. Only authorized persons have access to the secure areas.
Organisation's premises and the operating environments of the equipment are actively protected by security.
Access to areas where confidential information is handled or stored should be restricted to authorized individuals through appropriate access control, e.g. using a two-step authentication mechanism such as an access card and a passcode.
The organization shall allow only pre-approved personnel access to security restricted areas.
All entry and exit points shall be blocked, documented and controlled by access control systems by default.
All access to security restricted areas must create log events and the organization must determine how long the logs will be retained.
Access to buildings containing critical systems must be constantly monitored to detect unauthorized access or suspicious activity. The following issues should be taken into account in monitoring practices:
Information related to surveillance systems should be kept confidential, as disclosure of information can facilitate undetected breaches. The monitoring systems themselves must also be properly protected, so that the recordings or system status cannot be affected without permission.
Security personnel use camera surveillance to verify unauthorized access, sabotage, or other alarms at the organization's premises.
.png)
