
NATIONAL INFORMATION SECURITY FRAMEWORK (NISF) PUBLICATION

_______________________________________________________________

Security Standard No. 5 –


Physical Security
_______________________________
OFFICIAL-RESTRICTED

Version History

No.  Date        Section  Amendment
1.0  08/01/2014  Draft    Initial draft for NITA-U consideration


Table of Contents
1 Introduction .................................................................................................................................... 6
1.1 Aims of the Standard ................................................................................................................ 6
1.2 Applicable Legislation ............................................................................................................... 6
2 Physical Security Roles & Responsibilities ................................................................................ 8
2.1 Chief Information Risk Owner ................................................................................................... 8
2.2 Security Controller .................................................................................................................... 8
2.2.1 Responsibilities of the Security Controller ......................................................................... 8
2.3 Facilities Manager ..................................................................................................................... 9
2.4 Contractors ............................................................................................................................... 9
3 Physical Security Risk Assessment .......................................................................................... 11
3.1 Purpose of Physical Risk Assessments ................................................................................. 11
3.2 Scoping Physical Risk Assessments ...................................................................................... 11
3.3 Identification of Threat Sources .............................................................................................. 11
3.3.1 Typical Threat Sources ................................................................................................... 11
3.3.2 Calculating Threat Levels ................................................................................................ 12
3.4 Threat Actors .......................................................................................................................... 12
3.4.1 Threat Actor Type ............................................................................................................ 12
3.5 Physical Intruders ................................................................................................................... 12
3.6 Identification of Vulnerabilities ................................................................................................ 12
3.6.1 Vulnerable Areas ............................................................................................................. 13
3.6.2 Example – Site Vulnerability Considerations .................................................................. 13
3.7 Prioritised Physical Security Risks ......................................................................................... 14
3.8 Risk Treatment ....................................................................................................................... 14
4 Physical Perimeter Security ....................................................................................................... 16
4.1 Secure Site Design ................................................................................................................. 16
4.1.1 Fence or Wall Structures ................................................................................................. 16
4.1.2 Ceilings ............................................................................................................................ 16
4.1.3 Floors ............................................................................................................................... 17
4.1.4 Windows .......................................................................................................................... 17
4.1.5 Doors ............................................................................................................................... 17
4.1.6 Sprinkler Systems ........................................................................................................... 17
4.1.7 Water and Gas Lines ....................................................................................................... 17
4.1.8 HVAC ............................................................................................................................... 18
4.1.9 Power Requirements ....................................................................................................... 18
4.2 Intrusion Detection System ..................................................................................................... 18
4.3 Availability of Information about Data Centre ......................................................................... 18
5 Physical Entry Controls .............................................................................................................. 20
5.1 Baseline Physical Access Controls ........................................................................................ 20
5.1.1 Closed Circuit Television (CCTV) Monitoring .................................................................. 20
5.1.2 Security Patrols ............................................................................................................... 20
5.1.3 Authorised Access Points ................................................................................................ 20
5.2 General Building Access ........................................................................................................ 21
5.3 Access Card Infrastructure ..................................................................................................... 21
5.3.1 Access Passes ................................................................................................................ 21
5.3.2 Challenging Non-Pass Holders ....................................................................................... 22
5.3.3 Return of Access Passes ................................................................................................ 22
5.3.4 Loss and Theft of Passes ................................................................................................ 22
5.3.5 Tailgating Prevention ....................................................................................................... 22

5.3.6 Access Logging ............................................................................................... 23
5.4 Keys and Combinations .......................................................................................................... 23
5.4.1 Master Key System ......................................................................................................... 23
5.4.2 Key/Combination Registers ............................................................................................. 24
5.4.3 Key and Combination Lock Audit .................................................................................... 24
5.5 Visitor Controls ....................................................................................................................... 24
6 Internal Data Centre Physical Access Control ......................................................................... 27
6.1 Data Centre Classifications .................................................................................................... 27
6.1.2 Location Requirements ................................................................................................... 27
6.1.3 Data Centre Infrastructure Perimeter .............................................................................. 28
6.2 Mail and Package Control ...................................................................................................... 29
6.2.1 Delivery ............................................................................................................................ 29
6.2.2 Visual Screening and Inspection ..................................................................................... 29
7 Equipment Security ..................................................................................................................... 31
7.1 Equipment Location and Protection ........................................................................................ 31
7.2 Cabling Security ...................................................................................................... 31
7.3 Power Supplies ....................................................................................................................... 32
7.4 Clear Desk Policy ................................................................................................................... 32
7.5 Supporting Facilities Physical Access Controls ...................................................................... 32
7.6 Fire Protection ........................................................................................................................ 32
7.7 Managing Physical Security Incidents .................................................................................... 33
8 Media Security, Distribution and Back-ups............................................................................... 35
8.1 Portable and Removable Media Security ............................................................................... 35
8.2 Information Backups ............................................................................................................... 36
9 Secure Disposal and Re-Use of Equipment .............................................................................. 38
9.1 Asset Management ................................................................................................................. 38
9.2 Decommissioning Plan ........................................................................................................... 38
9.3 Secure Sanitisation Procedure ............................................................................................... 38


Table of Figures

Figure 1 – Examples of Site Vulnerabilities and Threats ...................................................................... 13

1 Introduction
This Standard presents the official Government of Uganda (GoU) approach for
managing the physical security risks affecting sites hosting critical information
infrastructure (CII). In accordance with the National Information Security Policy
(NISP), this Standard aims to reduce the vulnerability of CII to physical security
threats including crime, natural disasters and acts of terrorism.

1.1 Aims of the Standard


This Standard is for individuals with responsibility for physical security. It aims to
help Security Controllers implement effective measures to stop unauthorised
physical access to, damage to, and interference with information, premises and
resources. Physical security also protects staff against violence and other harm
resulting from threats such as natural disasters and acts of terrorism.

1.2 Applicable Legislation


The laws that guide physical security tasks include, but are not limited to, the
following Acts of Parliament of Uganda and their supporting legal instruments.

i. Uganda (1964), The Official Secrets Act, The Government of Uganda,
Entebbe, Uganda.

ii. Uganda (2005a), "The Access to Information Act, 2005", in The Uganda
Gazette, The Government of Uganda, Entebbe, Uganda.

iii. Uganda (2006), The Police (Amendment) Act, 2006, The Government of
Uganda, Entebbe, Uganda.

iv. Uganda (2009b), The National Security Council Act, The Government of
Uganda, Entebbe, Uganda.

v. Uganda (2010), "The Regulation of Interception of Communications Act,
2010", in The Uganda Gazette, The Government of Uganda, Entebbe,
Uganda.

vi. Uganda (2011a), "The Computer Misuse Act, 2011", in The Uganda
Gazette, The Government of Uganda, Entebbe, Uganda.

vii. Uganda (2011b), "The Electronic Signatures Act, 2011", in The Uganda
Gazette, The Government of Uganda, Entebbe, Uganda.

viii. Uganda (2011c), "The Electronic Transactions Act, 2011", in The Uganda
Gazette, The Government of Uganda, Entebbe, Uganda.

I. Physical Security Roles and Responsibilities

2 Physical Security Roles & Responsibilities
The NISP mandates that all public and private sector organisations bound by the
National Information Security Framework (NISF) have in place an organisation to
manage effectively its information security activities including physical security.
In common with information and personnel security functional areas, the NISP
mandates the creation of suitable physical security management structures with
defined accountability at all levels. As a minimum requirement, parties using this
Standard must have in place the following physical security roles.

2.1 Chief Information Risk Owner


As mandated in the NISP, the Chief Information Risk Owner is a Board member
with overall responsibility for risk management within a CII owning or operating
organisation. The individual is specifically responsible for:
• Ensuring that the organisation’s risk policy addresses physical security risks;
• Giving the Security Controller appropriate resources and support;
• Overseeing physical security risk mitigation activities; and
• Reporting to the Board on physical security and other risks at least quarterly.

2.2 Security Controller


The Security Controller is the individual responsible for the daily implementation
of physical security measures in a site hosting CII assets. The individual answers
to the Chief Information Risk Owner who retains overall accountability on behalf
of the Board. Security Controllers at premises hosting information assets with
SECRET classification and above must be Ugandan. The Security Controller
shall be the employee of the CII owner. Organisations operating a large CII at
several locations, such as a Ministry operating a large IT system nationally, may
appoint a full time Security Controller and a team of local contacts.

2.2.1 Responsibilities of the Security Controller


The Security Controller shall perform a number of duties including:
• Leading a team of all other professionals in information processing facilities
such as the network, security and facilities management teams;
• Interpreting and ensuring the correct implementation of Board instructions on
physical security;
• Maintaining the asset register for the facilities under their control;
• Serving as a subject matter expert for management on a range of matters
affecting physical security such as security clearance levels for IT projects;
• Serving as a contact for the national security vetting organisation(s);
• Establishing and maintaining appropriate contacts with relevant authorities
e.g. law enforcement, fire department, supervisory authorities;
• Ensuring that users accept and comply with the relevant Security Operating
Procedures (SyOPs) for IT systems in the facility under their management;
• Preparing and implementing the physical security aspects of the Information
Security Risk Management Plan defined in Security Standard No. 2 – Risk
Management and Accreditation (SS2) such as physical security audits;
• Consulting within the CII organisation on security controls and supervising
the implementation of physical security requirements resulting from audits
and/or new contracts such as the modification of buildings to enable the
secure handling, storage and processing of classified information assets;
• Organising and/or contributing to security awareness, education and training
courses and security briefings for staff on a range of physical security threats
including terrorism and acts of violence against staff; and
• Handling all physical security incidents at the information processing facilities
under their control including the timely reporting of incidents to the Chief
Information Risk Owner and relevant authorities such as law enforcement.

2.3 Facilities Manager


As discussed above, the Security Controller is in charge of all physical security
matters. It might be prudent to appoint a Facilities Manager to handle day-to-day
security issues or matters relating to a facility. The Facilities Manager may serve
as the local security point of contact representing the Security Controller. The
Security Controller may take direct control of the facility in the absence of the
Facilities Manager. The Security Controller cannot physically reside in all sites
hosting a multi-location CII. In that case, the Facilities Manager would have
responsibility for physical security on instruction of the Security Controller.

2.4 Contractors
It is likely that the organisation will outsource some physical security functions at
sites hosting CII assets. Thus, the Security Controller and/or Facilities Manager
would have to manage a number of contractors, either corporate or individual.
The contracts could include companies and/or individuals that provide security
guards to patrol the facility and manage the front desk 24/7. If one is in place,
the Facilities Manager shall supervise and allocate tasks to contractors daily.
The Facilities Manager would liaise with the contractors on the supply of suitable
security staff. On behalf of the Security Controller, the Facilities Manager shall
ensure that contract staff have suitable licences and hold and maintain their
security clearances. The Manager shall also address contractor performance issues.


II. Physical Security Risk Assessment

3 Physical Security Risk Assessment
The NISP mandates that all public and private sector organisations bound by the
NISF adopt a formal, consistent and policy-guided risk management approach to
guide all their security activities. Therefore, CII owners/operators must undertake
security risk assessments for all sites that host sensitive IT assets.

3.1 Purpose of Physical Risk Assessments


As outlined in Security Standard No. 1 – Technical Risk Assessment (SS1), like
other risk assessments, physical security risk assessments aim to identify,
analyse and evaluate the risks that physical intruders could pose to CII assets.
The physical risk assessments shall:
• Identify all intruders seeking to breach physical security controls e.g. burglars
and operatives of foreign intelligence services and criminal groups;
• Identify how the physical intruders could gain access to sensitive IT assets;
• Identify the risks physical intruders pose to organisational IT assets;
• Establish the motivation and capabilities of the physical intruders;
• Prioritise the identified physical intruder risks;
• Evaluate adequacy of existing countermeasures; and
• Draw up cost-effective and proportionate risk treatment plans.

3.2 Scoping Physical Risk Assessments


SS1 and Security Standard No. 2 – Risk Management and Accreditation (SS2)
present detailed information about the identification, evaluation and treatment
of risks in CII projects. This Standard does not reproduce that information. The
next sections summarise the most pertinent information from SS1 and SS2 that
applies to physical security risk assessments.

3.3 Identification of Threat Sources


Parties applying this Standard shall identify the physical security threat sources.

3.3.1 Typical Threat Sources


The most common physical security threat sources are:
• Foreign Intelligence Services; and
• Organised Crime Groups

The two threat sources are the most typical. However, the list might be longer.
As such, parties using this Standard should identify all threat sources that apply.
Burglars that act on their own behalf are a threat actor rather than a source.

3.3.2 Calculating Threat Levels


In accordance with SS1, the criteria below shall assist in calculating threat levels
for physical security threat sources:
• Capability
• Motivation
• Clearance/Vetting Level
• Value for Information Security Property
• Threat Level

3.4 Threat Actors


In keeping with SS1, this Standard treats actors separately from threat sources.

3.4.1 Threat Actor Type


This Standard considers physical intruders as the only threat actor type.

3.5 Physical Intruders


Parties that attempt to gain physical access to CII capabilities are highly capable
and motivated. On the SS1 threat level scale, physical intruders score the top
mark for capability (5) and close to the highest for motivation (4). Physical
intruders are a potent threat actor type because they usually rely on the
resources of foreign intelligence services and organised crime syndicates. In
addition, it is impossible to reduce the threat level of burglars through security
vetting.

3.6 Identification of Vulnerabilities


This Standard requires that parties using this Standard identify weaknesses in
security controls that physical intruders could use to compromise security.


3.6.1 Vulnerable Areas


ISO/IEC 27001:2011 identifies the physical environment as one of the vulnerable
areas. Annex D in ISO/IEC 27001:2011 contains examples of vulnerabilities and
threats that could result from an insecure site or physical environment.

Physical Environment | Examples of Vulnerabilities                                                    | Examples of Threats
---------------------|------------------------------------------------------------------------------|---------------------------------------
Site                 | Inadequate or careless use of physical access control to buildings and rooms | Destruction of equipment and media
Site                 | Location in an area susceptible to flood                                     | Flood
Site                 | Unstable power grid                                                          | Loss of power supply
Site                 | Lack of physical protection of the building, doors and windows               | Theft of equipment/media or documents

Figure 1 – Examples of Site Vulnerabilities and Threats

Annex D contains more examples of potential vulnerabilities and threats.

3.6.2 Example – Site Vulnerability Considerations


In accordance with ISO/IEC 27001:2011, CII owners/operators must assess the
following areas for potential sources of vulnerabilities when selecting a site to
host sensitive IT assets.

3.6.2.1 Natural Disasters

The risk assessment shall evaluate the site location’s vulnerability to natural
disasters such as floods, earthquakes, earth movements, mudslides and snow.
Organisations shall avoid locations with high vulnerability to natural disasters.

3.6.2.2 Visibility

Highly visible sites will identify the existence of sensitive IT assets and increase
their exposure to the risk of physical intrusion. It is sensible to avoid such sites.

3.6.2.3 Local Environments

It is not advisable to host sensitive IT assets in sites that are in close proximity to
possible hazards and localities with high local crime rates.


3.6.2.4 Tenancy Arrangements

Secure sites must have ample access to heating, ventilation and air-conditioning
(HVAC) resources. Hence, joint tenancies could pose an issue to large CII sites.

3.6.2.5 Transport Infrastructure

Secure sites should be away from transport infrastructure such as highways to
reduce the risks of pollution and noise.

3.6.2.6 External Services

Secure sites should be located in areas with reasonable access to emergency
services, fire, police and medical facilities.

3.7 Prioritised Physical Security Risks


In line with SS1, this step creates a list of all physical security risks starting from
the highest Risk Levels to the ones with the lowest Risk Levels. As a minimum
requirement, the prioritised list of risks shall have the following fields:
• Risk ID;
• Security Domain;
• Threat Actor Type;
• Risk Description; and
• Risk Level

The prioritised physical security risk list serves as input for SS2.

3.8 Risk Treatment


SS2 contains information on how to create a plan to treat risks. Parties using this
Standard should follow that approach for physical security risks. In accordance
with IEC/ISO 31010:2009, the treatment plans shall seek to mitigate or modify
the adverse effects of physical security risk materialisation to acceptable levels.


III. Physical Perimeter Security

4 Physical Perimeter Security
The NISP requires the implementation of an adequate physical perimeter around
critical or sensitive information processing facilities to stop unauthorised physical
access. In accordance with the NISP, this Standard regards the perimeter as the
whole area surrounding the building hosting CII assets including roads, footpaths
and any other areas just outside the building. The physical security perimeter is
the first layer of a ‘layered’ or ‘defence-in-depth’ approach to physical security
that progressively increases the difficulty of security controls the closer one gets
to areas containing sensitive CII assets. Below are the major issues to consider.

4.1 Secure Site Design


Like other types of security, the physical perimeter serves its role most effectively
if it is secure by design. Hence, the construction planning or remodelling phase
of a secure site must consider its physical security requirements. The Security
Controller and/or the secure site design task force shall consult widely within the
organisation as well as externally, for example with law enforcement, fire
departments and supervisory authorities, to minimise the risk of late and
expensive alterations to the facility and/or compensating controls to satisfy
security needs. The main issues to consider in designing a secure site are:

4.1.1 Fence or Wall Structures


Fences or wall structures help secure an area and designate the boundary of a
secure site. Fences or walls also provide a psychological deterrent to casual
trespassers. A 1-metre high fence usually deters a casual trespasser. A 2-metre
high fence is difficult to climb. In general, a 2.4-metre high fence with a ‘top
guard’ usually deters most determined physical intruders. Having noted that
foreign intelligence services and criminal groups commit the bulk of physical
intrusions, it is safe to assume that they would have the capability and motivation
to subvert any fencing structure. As a result, highly sensitive facilities usually
supplement the fence structure with security guard patrols and intrusion
detection systems. The walls of secure sites must extend from true floor to true
ceiling. Additionally, the entire wall must have an acceptable fire rating of at
least 1 hour. Secure rooms that store media must have a higher fire rating of at
least 2 hours.

4.1.2 Ceilings
Ceilings of secure sites must have the capacity to hold the weight of equipment
such as IT as well as Heating, Ventilation and Air-Conditioning (HVAC) systems.
The ceiling must also have an adequate fire rating, i.e. at least 1 hour for normal
site areas and 2 hours for secure rooms storing media.
4.1.3 Floors
In common with ceilings and walls, secure sites must have slab floors with ample
capacity to bear the physical weight (loading) of IT and HVAC equipment. The
floor must equally have the recommended fire rating. Secure sites also require
raised floors. Raised floors protect IT and HVAC equipment against ground static
build-up. The floor should also use surfaces with no electrical conductivity.
Raised floors could also help reduce damage from mild flooding.

4.1.4 Windows
Secure sites usually have a limited number of windows, if at all. Where windows
are in place, they must be translucent and shatterproof. Secure sites can also
use tempered glass windows that are about seven times more break resistant.
Windows in fixed frames reduce the likelihood that intruders would remove
windowpanes from outside.

4.1.5 Doors
Doors in secure facilities must resist forcible entry and have a fire rating equal to
the walls and ceiling discussed above. Secure sites must also have clearly
marked, monitored and/or alarmed emergency exits. For the safety of staff in the
secure sites, electrical door locks on emergency exits must default to a disabled
state if power outages occur. To reduce the risk of physical intrusions during
power outages, security guards must man the exit doors during an emergency.

4.1.6 Sprinkler Systems


Fire safety ratings for walls, ceilings, doors and other physical structures assist in
fire prevention. In conjunction with procedural measures such as the storage of
combustible materials such as paper in secure rooms, sites can reduce the risk
of fire. However, if all fails and a fire breaks out, a sprinkler system is one of the
most effective fire suppression devices in a secure site. As such, staff must know
the location and how to use the system. Automatic sprinklers release water on
fire detection. Other types of sprinklers have valves that use sensing systems.

4.1.7 Water and Gas Lines


The facility must have secure but easy to find shutoff valves for water, gas and
other liquid supplies that support the site. In addition, the water drains to the site
must flow away from the building to prevent accidental flooding of the facility by
blocked pipes. In addition, outward flowing pipes avoid the risk of the backward
flow of contaminants into the secure information processing facility.


4.1.8 HVAC
The facility must have an adequate HVAC system. The HVAC system must be
on a separate infrastructure from the rest of the building. For example, the HVAC
must have dedicated power circuits. The Emergency Power Off switch must be
in a secure but easy to find location. The air-conditioning vents and ducts must
have adequate protection to thwart physical intruder attacks. The air-conditioning
system must also provide outward, positive air pressure to prevent the inward
flow of contaminants into the facility.

4.1.9 Power Requirements


The secure facility must have established backup and alternate power sources.
Secure sites require dedicated feeders and circuits. In common with HVAC,
water and gas controls, access to electrical distribution panels must be easy but
secure. The facility must allow the secure installation of power cables and wiring.

4.2 Intrusion Detection System


Secure sites must have Intrusion Detection System (IDS) devices or sensors on
all external entry points, including windows, particularly on the ground floor, to
identify unauthorised entry. The Security Controller and/or Facilities Manager
shall have a plan to monitor and respond to interference with the IDS devices.
The site must also have in place a maintenance plan for IDS devices that
ensures that not all devices are offline at the same time. Where resources allow,
secure sites shall install multiple IDS devices from different manufacturers to
ensure the facility remains protected even if an intruder successfully interferes
with one brand. The security team must also permanently lock and retain the
keys for vulnerable parts of the site such as the windows on the ground floor.
Security can only open the windows in emergencies with authorisation and
supervision.
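The two maintenance-plan requirements above (never all IDS devices offline at once, and sensors from a different manufacturer staying online while one brand is serviced) can be checked mechanically before a plan is approved. The Python below is an added example and not part of the Standard; the device names, manufacturers, entry points and maintenance windows are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IdsDevice:
    name: str
    manufacturer: str
    entry_point: str        # external entry point the sensor covers


@dataclass(frozen=True)
class MaintenanceWindow:
    device: str
    start: datetime         # inclusive
    end: datetime           # exclusive


def offline_at(windows, t):
    """Names of devices whose maintenance window contains instant t."""
    return {w.device for w in windows if w.start <= t < w.end}


def check_schedule(devices, windows):
    """Check a maintenance plan against Section 4.2 and return a list of
    (severity, message) findings; an empty list means the plan passes.

    The set of offline devices only changes at window boundaries and is
    largest just after a window starts, so sampling each distinct start
    instant examines every state the plan can reach.
    """
    by_name = {d.name: d for d in devices}
    findings = []
    for w in windows:
        if w.device not in by_name:
            findings.append(("error", f"window refers to unknown device {w.device!r}"))
        if w.end <= w.start:
            findings.append(("error", f"window for {w.device!r} ends before it starts"))
    for t in sorted({w.start for w in windows}):
        stamp = t.strftime("%Y-%m-%d %H:%M")
        offline = offline_at(windows, t) & set(by_name)
        online = [d for d in devices if d.name not in offline]
        if not online:
            findings.append(("error", f"{stamp}: every IDS device is offline"))
            continue
        # Sensors from a different manufacturer should stay online so that a
        # weakness in one brand does not leave the site unprotected.
        offline_makers = {by_name[n].manufacturer for n in offline}
        if offline and all(d.manufacturer in offline_makers for d in online):
            makers = ", ".join(sorted(offline_makers))
            findings.append(("warning", f"{stamp}: only {makers} sensors remain "
                                        "online while that brand is under maintenance"))
        # Every external entry point must keep at least one working sensor.
        covered = {d.entry_point for d in online}
        for point in sorted({d.entry_point for d in devices} - covered):
            findings.append(("error", f"{stamp}: entry point {point!r} has no online sensor"))
    return findings


# Constructed sample site: two brands of sensor on each external entry point.
DEVICES = [
    IdsDevice("ids-north-a", "VendorA", "north gate"),
    IdsDevice("ids-north-b", "VendorB", "north gate"),
    IdsDevice("ids-win-g1", "VendorA", "ground-floor windows"),
    IdsDevice("ids-win-g2", "VendorB", "ground-floor windows"),
]

DAY = datetime(2024, 3, 4)

# Acceptable plan: service one brand in the morning, the other in the afternoon.
GOOD_PLAN = [
    MaintenanceWindow("ids-north-a", DAY + timedelta(hours=9), DAY + timedelta(hours=11)),
    MaintenanceWindow("ids-win-g1", DAY + timedelta(hours=9), DAY + timedelta(hours=11)),
    MaintenanceWindow("ids-north-b", DAY + timedelta(hours=13), DAY + timedelta(hours=15)),
    MaintenanceWindow("ids-win-g2", DAY + timedelta(hours=13), DAY + timedelta(hours=15)),
]

# Plan with overlapping windows that briefly leaves the whole site blind.
BAD_PLAN = [
    MaintenanceWindow("ids-north-a", DAY + timedelta(hours=9), DAY + timedelta(hours=11)),
    MaintenanceWindow("ids-north-b", DAY + timedelta(hours=10), DAY + timedelta(hours=12)),
    MaintenanceWindow("ids-win-g1", DAY + timedelta(hours=10), DAY + timedelta(hours=12)),
    MaintenanceWindow("ids-win-g2", DAY + timedelta(hours=10, minutes=30),
                      DAY + timedelta(hours=11, minutes=30)),
]

if __name__ == "__main__":
    for label, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        print(label, check_schedule(DEVICES, plan) or "no findings")
```

The bad plan produces a brand-diversity warning and an uncovered north gate at 10:00, then a total outage at 10:30, which is exactly the state the maintenance plan must rule out.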

4.3 Availability of Information about Data Centre


This Standard earlier noted that high visibility is a potential vulnerability for a
secure site. As a result, it is vital that CII operators locate secure sites in
non-descript buildings. Under no circumstances shall the buildings carry signs
announcing the existence of information processing facilities.


IV. Physical Entry Controls

5 Physical Entry Controls
The NISP mandates that secure areas within information processing facilities
must have suitable entry controls to stop unauthorised personnel from gaining
access. The physical entry controls implemented must match the business and
information security requirements of the CII assets.

5.1 Baseline Physical Access Controls


The NISP mandates the adoption of a set of baseline physical access controls to
safeguard information resources in the secure facilities. The following are vital:

5.1.1 Closed Circuit Television (CCTV) Monitoring


Secure sites must have an extensive fixed CCTV system covering all of their
environs, including the fenced compound, physical perimeter walls and important
internal corridors, rooms and access/exit points. The cameras must have features
such as illumination and sensitivity to support physical security objectives. The
site must have the capability to monitor the cameras remotely. CCTV could pose
privacy and national security issues. Therefore, CCTV operations must operate
within the confines of relevant laws, regulations and ethics.

5.1.2 Security Patrols


Secure sites must have a competent security patrol cadre. The security team shall
conduct external and internal patrolling of the site on a regular but random basis.
Where practical, the security patrols should occur at least hourly. Security patrols
are one of the areas that a CII operator might consider outsourcing to external
providers, given the challenge of training and maintaining security skills internally.

5.1.3 Authorised Access Points


All visitors to the secure site must use the authorised access points only. A site
should have at least two separate access points for vehicles and pedestrians.
The physical security measures must prevent the use of designated fire exits to
gain access to and/or exit from the secure site. As discussed above, fire exits are
vital during emergencies when they have proper oversight by security or other staff.
However, a Security Controller or Facilities Manager may authorise controlled
use of fire exits, e.g. when the main entrance is inaccessible due to protests.

5.2 General Building Access


A secure site must have a security officer at reception to manage access to the
building at all times it is open. The security officer must not permit anyone to
enter controlled areas of the site beyond reception unless they hold a valid staff,
escorted or unescorted visitor pass. The security officer must not allow an
escorted visitor to leave the reception when not accompanied by the host or a
designated temporary host who is usually a permanent member of staff.

Visitors shall only obtain unescorted access passes to secure or controlled areas
of the site if they provide the Security Controller and/or Facilities Manager with
evidence of holding an appropriate security clearance for the site in advance of
their visit. The security officer at reception must reject all requests for unescorted
badges for individuals without an advance written confirmation from the Security
Officer. Individuals attending secure sites must submit to appropriate searches of
outer clothing, bags, packages and other property. Refusal to grant permission
for the searches results in denial of access to the secure site for visitors.
The security officer must report the incident to management, who might raise the
matter with the visitor/contractor’s organisation. For a permanent member of staff,
the security officer must create an incident report about the refusal of permission
to conduct a search for line management, which may lead to disciplinary action.

5.3 Access Card Infrastructure


Secure sites must have in place an access card infrastructure to help enforce
physical access controls. As a minimum requirement, the site-wide system must
have the capacity to:
 Produce employee access cards with a picture;
 Log activity associated with each access card;
 Allocate access rights depending on business and/or job requirements; and
 Disable lost or stolen access cards.

As discussed next, access cards may also serve as access passes to identify
persons within a secure facility. However, the two features are usually separate.

5.3.1 Access Passes


All persons at a secure facility must have access passes that they must carry at
all times. The pass helps identify the individual to security and other staff on site.
Staff and long-term contractors may retain the access passes for the duration of
their employment at the site. The pass must have a limited amount of information
that usually includes a photograph, badge number and employee number. The pass
must not carry any details about the access group, user privileges or the office
location of the holder. The pass may also have a contact address at
the back for the return of lost cards. If possible, the return address must be
different from that of the secure site. Access pass holders must keep them out of
sight when not at the secure site. If access passes use a Personal Identity
Number (PIN), holders must memorise it and destroy the original copy. Access
passes may also contain access control features associated with computerised
access cards, e.g. to deny access to the site outside formal working hours.

5.3.2 Challenging Non-Pass Holders


All staff and contractors must display their access passes at all times. It is usual
to wear the access badges around the neck. All staff and contractors in a secure
site have a duty to challenge any person not in possession of, or not displaying, a
valid access pass. The level of seniority does not come into consideration. Staff
and contractors that misplace or lose their pass might request a temporary one
for the day at the security office. However, security must report regular losses
and/or misplacement of passes to the line manager. The individual might have to
attend security awareness, education and training to increase their knowledge of
security. Alternatively, the incidents may attract a written warning and/or
disciplinary action depending on their impact on business activities.

5.3.3 Return of Access Passes


All staff and contractors must surrender access passes to their line manager on
the last day of their employment. The line manager must subsequently hand
over the pass to security.

5.3.4 Loss and Theft of Passes


All staff and contractors must report the loss of passes to security immediately.
The timely reporting would enable security to disable the access pass and thus
minimise the risk of unauthorised access. Staff must report stolen passes to the
police and describe the circumstances of the theft. If a user subsequently finds
the presumed lost and/or stolen access pass, he or she must return the original
pass to security and withdraw any police reports filed. The user must provide the
full account of the circumstances for the discovery of the supposedly stolen card.

5.3.5 Tailgating Prevention


Tailgating is a problem in some automated physical access controls that arises
when staff with legitimate access open doors for others for entry into and exit
from controlled sites. Systems such as turnstiles do not have this problem
because they allow entry of one person at a time. Tailgating can defeat attempts
to detect, and tie to users, unauthorised information processing activities. Thus,
secure sites must configure access control systems to stop users from leaving a
secure facility if the same card did not open the door on entry. The access control
system must flag this issue to the security team, who would then ask the user to
explain the circumstances leading to the failure to depart from a section of the site.
The security team must make a report for management that could lead to
disciplinary action. In addition, security awareness, education and training must
address the risks of tailgating and its consequences, including disciplinary action.

5.3.6 Access Logging


In accordance with the NISP access management requirements, access control
systems must record all entries to sensitive information processing facilities.
Business and security requirements must guide the log retention period.
However, this Standard recommends a minimum of 120 days. As a minimum
requirement, the access logs must capture the following details:
 Date, time and duration of the access attempt;
 Whether the access attempt succeeded or failed;
 Identity of the user who attempted access;
 The entry point through which access occurred; and
 Identity of the administrative user who modified access privileges.
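The access-card controls in 5.3 to 5.3.6 (disabling a reported card, restricting a card to working hours, anti-passback on exit and a log carrying the listed fields with a 120-day retention) can be modelled as a single access-control decision routine. The Python below is an example added here and is not part of the Standard; the card holders, zone names, the 07:00 to 19:00 working window and the swipe sequence are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=120)   # minimum log retention recommended in 5.3.6
WORK_START, WORK_END = 7, 19      # constructed working-hours window (see 5.3.1)
# 5.3.6: date/time, outcome, identity, entry point, and the admin who changed rights
LOG_FIELDS = ("timestamp", "success", "user", "entry_point", "direction", "reason", "admin")


@dataclass
class Card:
    card_id: str
    holder: str
    zones: set                     # zones the holder's job requires (5.3)
    office_hours_only: bool = False
    disabled: bool = False         # set once reported lost or stolen (5.3.4)


@dataclass
class AccessControlSystem:
    cards: dict
    log: list = field(default_factory=list)
    inside: dict = field(default_factory=dict)  # card_id -> zones it has entered
    alerts: list = field(default_factory=list)  # anti-passback flags for security

    def _record(self, ts, card_id, zone, direction, success, reason, admin=None):
        card = self.cards.get(card_id)
        values = (ts.isoformat(), success, card.holder if card else card_id,
                  zone, direction, reason, admin)
        self.log.append(dict(zip(LOG_FIELDS, values)))
        return success

    def report_lost(self, ts, card_id, admin):
        """5.3.4: disable a reported card at once and attribute the change."""
        self.cards[card_id].disabled = True
        return self._record(ts, card_id, "-", "admin", True, "card disabled", admin)

    def request(self, ts, card_id, zone, direction):
        """Decide one swipe at a door; direction is 'in' or 'out'."""
        card = self.cards.get(card_id)
        if card is None or card.disabled:
            return self._record(ts, card_id, zone, direction, False, "unknown or disabled card")
        if direction == "in":
            if zone not in card.zones:
                return self._record(ts, card_id, zone, direction, False, "no rights to zone")
            if card.office_hours_only and not WORK_START <= ts.hour < WORK_END:
                return self._record(ts, card_id, zone, direction, False, "outside working hours")
            self.inside.setdefault(card_id, set()).add(zone)
            return self._record(ts, card_id, zone, direction, True, "entry granted")
        # 5.3.5 anti-passback: a card may only leave a zone it opened the door into
        if zone not in self.inside.get(card_id, set()):
            self.alerts.append((ts.isoformat(), card.holder, zone))
            return self._record(ts, card_id, zone, direction, False, "anti-passback: no matching entry")
        self.inside[card_id].discard(zone)
        return self._record(ts, card_id, zone, direction, True, "exit granted")

    def purge(self, now):
        """Drop log entries older than RETENTION; return how many were removed."""
        cutoff = (now - RETENTION).isoformat()
        kept = [e for e in self.log if e["timestamp"] >= cutoff]
        removed = len(self.log) - len(kept)
        self.log = kept
        return removed


def run_demo():
    """Constructed swipes at a server-room door ('SRV') on one working day."""
    acs = AccessControlSystem(cards={
        "C001": Card("C001", "alice", {"LOBBY", "SRV"}),
        "C002": Card("C002", "bob", {"LOBBY"}, office_hours_only=True),
        "C003": Card("C003", "carol", {"LOBBY", "SRV"}),
    })
    day = datetime(2014, 1, 8)

    def at(hour, minute=0):
        return day.replace(hour=hour, minute=minute)

    results = {"alice_in": acs.request(at(9), "C001", "SRV", "in")}
    # carol followed alice through the door without swiping, then swipes to leave
    results["carol_tailgate_out"] = acs.request(at(9, 30), "C003", "SRV", "out")
    results["alice_out"] = acs.request(at(10), "C001", "SRV", "out")
    results["bob_after_hours"] = acs.request(at(22), "C002", "LOBBY", "in")
    acs.report_lost(at(11), "C003", admin="security_officer")
    results["carol_lost_card"] = acs.request(at(12), "C003", "LOBBY", "in")
    # a constructed 200-day-old record, to show the retention purge
    old = (day - timedelta(days=200)).isoformat()
    acs.log.insert(0, dict(zip(LOG_FIELDS, (old, True, "alice", "LOBBY", "in", "entry granted", None))))
    results["purged"] = acs.purge(now=day)
    results.update(alerts=acs.alerts, log=acs.log)
    return results
```

Calling `run_demo()` returns the decision for each swipe, the anti-passback alert raised for the tailgater, and the log that survives the 120-day purge.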

5.4 Keys and Combinations


Secure facilities must have in place a comprehensive plan to account for all keys
and combinations for internal and external doors and windows at all times.

5.4.1 Master Key System


Where feasible, CII operators can use a master key system for large sensitive
facilities. The system comprises a master key and sub master keys. Under the
system, the locks have two different keys, i.e. a master and a sub master key. The
master key is able to open all locks in the system. On the other hand, a sub
master can only open one lock. Organisations must develop a plan to manage
the keys. The plan must identify:
 The master and sub master keys;
 The doors;
 Users;
 Access required; and
 Key quantities

The Security Controller and Facilities Manager are responsible for the master
key plan including protecting it against unauthorised disclosure and access.

5.4.2 Key/Combination Registers


However, it is likely that many facilities would not have the resources to operate
master key systems. In that case, CII operators must create a numbering system
to identify uniquely all keys and combinations. The register would:
 Identify what keys/combinations open what doors/windows/areas etc;
 Identify who has signed out what key/combinations;
 Identify persons authorised to have access to named rooms/areas; and
 Help stop persons not on the authorised list accessing keys/combinations.

5.4.3 Key and Combination Lock Audit


The Security Controller shall conduct a regular audit of keys and combinations
as part of the general security assurance and compliance programme.

5.5 Visitor Controls


No visitor must attend secure sites without authorisation from the CII system
owner’s Security Controller and/or his or her authorised alternative approvers.
The host must provide the Security Controller with the name of the visitor in
advance to enable the validation of their security clearance with the appropriate
national security vetting organisation(s). The level of security clearance would
determine if the visitor is eligible for either escorted or unescorted passes. The
visit approving officer and Facilities Manager shall jointly complete and return to
the security officer at reception a Visitor Form. The security officer at reception
must contact the host when the visitor arrives at reception.

5.5.1.1 Visitor Briefing

Visitors must obtain a written security briefing form at reception before obtaining
their access pass. The security officer might also explain to the visitor issues
such as emergency procedures.

5.5.1.2 Control of Escorted Visitors

Under no circumstance should a visitor carrying an unescorted badge go about
unaccompanied. Anyone who discovers an unaccompanied unescorted visitor
anywhere on the site must report the matter to the security staff immediately.

5.5.1.3 Prohibited Visitor Items

Visitors must not bring the items listed below into secure facilities hosting IT
assets marked SECRET and above without the express written permission of the
Security Controller. These include:
 Smartphones with camera, voice and video recording features;
 Personal computers of all types;
 Third party-issued computer devices of all types;
 Cameras; and
 Any other recording devices.

The security staff shall require all visitors to declare or deny possession of any
item on the prohibited list. If in possession, security staff shall require the visitors
to deposit the items in a secure locker until departure. Hosts shall ensure that
their visitors have retrieved all their personal possessions before departure.

V. Internal Data Centre Physical Access Control

6 Internal Data Centre Physical Access Control
According to the NISP, internal data centre access controls aim to protect the
areas that support sensitive information processing and storage activities.
Access controls include stricter personnel security and authentication controls.
The general access control policy for the data centre addresses the areas below.

6.1 Data Centre Classifications


Security Standard No. 3 – Security Classification (SS3) states that classification
levels indicate the level of security controls required to protect valuable, sensitive
and business critical assets. A higher business impact of a security compromise
calls for more stringent security controls, and vice versa. Therefore, CII
owners/operators must match data centre and security classifications as follows:

6.1.1.1 Class A Data Centres

This is a data centre hosting information classified TOP SECRET. In accordance
with the business impact tables outlined in SS1, an attack on a Class A data
centre could cause catastrophic disruption to services, leading to the permanent
loss of a core service or a facility supporting the entire organisation or a major
division or affiliate.

6.1.1.2 Class B Data Centres

Class B data centres shall host information assets classified up to and including
SECRET. In accordance with the business impact tables in SS1, an attack on a
Class B data centre could cause serious disruptions to services, affecting the
organisation’s ability to achieve its core business objectives.

6.1.1.3 Class C Data Centres

Class C data centres shall host information assets classified up to and including
OFFICIAL-RESTRICTED. In accordance with the business impact tables in SS1,
an attack on a Class C data centre could cause moderately serious disruptions
to services including non-permanent loss of the ability to provide some services.

6.1.2 Location Requirements


As outlined above, the three data centre classifications have varying security
requirements. In accordance with the NISP, business needs determine the
minimum distances between the data centre and the production facilities. In this
Standard, a Class A data centre should be between 50 and 100 kilometres away
from the main site depending on the transport and communication infrastructure.
A Class B data centre can be 5 to 10 kilometres away in the same city. Lastly, a
Class C data centre may reside in the same building as the production site.

6.1.3 Data Centre Infrastructure Perimeter


Given their different security requirements, the examples below demonstrate the
potential differences in infrastructure perimeter security:

6.1.3.1 Class A Data Requirements

Class A requirements could include:

 Construction of a highly secure perimeter with true floor-to-ceiling perimeter or
motion detectors and raised floors;
 Elimination of the visibility of the site from within and outside the building;
 Installation and activation of motion detection sensors out of hours to identify
human intrusion. The motion sensors must be connected to an alarm system in
the security office and/or the police and fire station to enable rapid response;
 Installation of comprehensive CCTV for the whole facility; and
 Windows with sheet metal or other attack-resistant material for data centres
not housed inside another building.

6.1.3.2 Class B Data Requirements

Class B requirements could include:

 Installation of secure safety glass;
 Limitation of entrance vulnerabilities such as windows or external hinges on
entrance doors;
 No special protection for external windows against physical attack; and
 The facility must meet fire protection standards.

6.1.3.3 Class C Data Requirements

The only Class C requirements are the installation of intrusion detection alarms
at the site when left unattended. Staff may check the alarm periodically.

6.2 Mail and Package Control


Secure sites must have documented procedures for handling mail and other
packages safely. The procedures include the following:

6.2.1 Delivery
All couriers must deliver mail and packages to the front desk of the secure site.
The security staff at the front desk reception would sign for any mail or parcels
requiring a signature, and record the items in a mail register. The security staff
shall transfer normal mail and parcels to a secure mailroom after conducting the
step in 6.2.2. Where the recipient expects classified information, the security
staff shall maintain custody of the mail or parcel until the recipient signs for it.

6.2.2 Visual Screening and Inspection


Security staff at the front desk reception must visually inspect all mail items and
parcels for potential security concerns before transferring them to the secure
mailroom and/or the custody of the recipient. Whilst there is no unique feature to
confirm a security concern, suspicious signs may include:
 Smelly packages;
 Unusually shaped packages;
 Items with a job title or address to the entire organisation rather than an
individual;
 Unusually heavy items;
 Excessively sealed items;
 Powder or liquid leakages; and
 Illness and irritation of eyes or nose on opening.

Security must follow formal procedures for handling suspicious packages.

VI. Equipment Security

7 Equipment Security
As outlined in the NISP, and in keeping with US ISO/IEC 27001, organisations
must protect equipment against physical and environmental threats. The security
measures outlined below would help reduce the risk of unauthorised access to
information and loss or damage to equipment.

7.1 Equipment Location and Protection


The design of the secure site must locate production equipment such as servers,
desktops, firewalls, routers, switches and hubs in the secure part of the site. The
site design must ensure that only authorised users such as network and telecom
engineers gain physical access to the servers and other devices. As discussed
earlier, a comprehensive access card infrastructure must be in place to control
access privileges and record successful and failed access attempts. The site
must have additional security measures for equipment whose successful
compromise could cause extreme and/or catastrophic impacts on the rest of the
facility and service. For example, security enforcing devices such as firewalls
and intrusion detection systems must reside in the most secure rooms.

7.2 Cabling Security


Secure sites must have in place controls for protecting cables for power and
telecom lines supporting vital IT services. The physical security measures aim to
prevent the unauthorised access or disruption of data transmissions through
active and passive attacks. Passive attacks include eavesdropping, wiretapping
and deep packet inspection. The following might improve cabling security:
 Installation of armoured conduit and locked rooms or boxes at inspection and
termination points;
 Use of alternative routings or transmission media; and
 Use of fibre optic cabling.

Recent reports have confirmed that threat sources notably foreign intelligence
services can gain unauthorised access to the telecom infrastructure of global
large organisations and governments. Therefore, secure sites must conduct
regular sweeps of their cable infrastructure for unauthorised listening devices.

7.3 Power Supplies


Secure sites must have in place an adequate and dependable electrical power
supply. The power supply must also be consistent to reduce the risk of surges
and interference that damage equipment over the long term. Where consistent
power is unattainable, sites should use devices such as power conditioners to
help reduce the risk of power surges. In addition, secure sites require adequate
backup power to continue operations and to reduce the risk of damage to IT
equipment in the event of a blackout. Individual devices must have access to an
Uninterruptible Power Supply (UPS) to enable orderly shutdown in the event of a
power outage. The sites may also use diesel generators during power outages
of 15 minutes or more. However, diesel generators are noisy and expensive to
run for long periods. Sites must also draw up and test shutdown procedures for
periods of prolonged power failure.

7.4 Clear Desk Policy


Secure sites must enforce a clear desk policy. The policy requires that materials
not required at the current time must be under lock and key.

7.5 Supporting Facilities Physical Access Controls


Data processing equipment in the secure facility relies on a range of supporting
facilities. The supporting facilities include the telecom room, i.e. wiring closet;
emergency power sources such as generators and batteries; the HVAC room; and
storage facilities for IT and network equipment that is not in use. The failure to
enforce adequate physical security measures on the supporting facilities could
endanger the continuity of CII operations. In accordance with SS1, the physical
access controls applied to secure supporting facilities must be commensurate
with the impact of their compromise on the business services that the site supports.

7.6 Fire Protection


Good secure site designs have adequate measures to protect against, detect
and suppress fire outbreaks. As discussed earlier, fire prevention involves the
adoption of designs and infrastructure that stop fires from breaking out in the first
place. If a fire nevertheless breaks out, detection enables staff to identify it while it
is still manageable. Fire containment involves a range of techniques and controls
put in place to stop a fire from spreading. As discussed earlier, fire-graded floors,
ceilings and walls serve as fire barriers. In addition, the design of vents and the
HVAC system could also minimise the spread of fire. When all else fails, the
secure site must have fire suppression equipment such as fixed and portable fire
extinguishers. Finally, all fire protection measures must prioritise the safety of
staff and fire fighters.

7.7 Managing Physical Security Incidents


The NISP requires that CII owners/operators put in place sufficient measures to
reduce the likelihood and impact of security incidents. The measures must also
enable the quick resumption of business activities. This Standard requires that
organisations put in place effective measures to prevent, detect and respond to
physical security incidents, including terrorist attacks, incursions and break-ins.
Security Standard No. 6 – Incident Management (SS6) presents the formal GoU
approach for managing incidents, which applies to physical security incidents.

VII. Media Security, Distribution and Information Back-Ups

8 Media Security, Distribution and Back-ups
US ISO/IEC 27002 recommends that organisations adopt a series of procedures
to control and physically protect media. The overall goal of the measures is to
prevent the unauthorised disclosure, modification, removal or destruction of
assets, and interruption to business activities. In accordance with the NISP, this
Standard requires that CII owners/operators adopt the following measures.

8.1 Portable and Removable Media Security


The NISP presents requirements to help balance the benefits and risks of using
mobile devices. Given that this Standard complies with the NISP, all the
recommendations in the policy apply here. Therefore, organisations must use
the following policies in conjunction with the advice contained in the NISP:
 Management approval is required before the use of portable and removable
media such as laptops outside the secure site;
 Organisations must assign portable and removable media such as laptops to
a traceable user to ensure accountability for actions undertaken on them;
 Users of portable and removable media must comply with Clear Desk and
Clear Screen policy to reduce the risk of unauthorised access to data. The
Clear Screen part of the policy is pertinent in exposed environments;
 Users must store portable and removable media under lock and key when
not in use;
 Laptops must be physically secured with an appropriate device for any length
of time when they are left unattended even during office hours;
 Laptop users must store their files on the network wherever possible to
minimise the impact of the loss of the physical device; and
 Portable and removable media such as laptops must not be left unsecured or
exposed to hostile environmental conditions.

8.2 Information Backups


Information backups help ensure the integrity and availability of data, software
and documentation and enable quick recovery from disasters or media failures.
CII owners and operators must use these guidelines alongside the mandated
minimum information backup requirements in the NISP:
 Designated IT staff must conduct regular backups of essential business
information and software;
 Organisations must store at least eleven backup cycles at an offsite location
which is a safe distance away in the event of a disaster at the main site;
 Organisations must provide backup information adequate physical and
environment protection to ensure its recoverability when required; and
 Management must support the enforcement of the backup retention period
against pressures such as tape re-use.

Organisational information backup policies must contain detailed instructions on
how to handle information backups for sensitive IT assets.

VIII. Secure Disposal and Re-Use of Equipment

9 Secure Disposal and Re-Use of Equipment
This phase involves the activities to end the project. From an information security
viewpoint, the closure phase coincides with the decommissioning, disposal
and/or transfer of information system assets. All organisations that own and/or
operate CII must have in place processes to help ensure that decommissioning
and disposal activities conform to the requirements in the NISP. As defined in
the NISP, the processes must aim to help CII system owners and their supply
chain to manage the security risks associated with the disposal and re-use of
computer storage media holding classified or sensitive GoU information.

9.1 Asset Management


One of the outcomes of the NISP mandatory security accreditation requirements
is the creation of a detailed plan for managing security risks to the system
throughout its lifecycle. CII owners can satisfy the requirement by conducting
an inventory of assets and drawing up and maintaining a register of assets. The
unified asset register is invaluable during the decommissioning process because
it makes it easy to identify ownership of assets.

9.2 Decommissioning Plan


Organisations must devise a plan to guide all decommissioning activities. The
CII owner must approve the plan.

9.3 Secure Sanitisation Procedure


Sanitisation is one of the decommissioning activities. It is the general process of
removing data from storage media securely. The process aims to offer the asset
owner and other interested parties reasonable assurance that unauthorised
parties would not retrieve or reconstruct the erased data using keyboard or
laboratory attacks. The assets include:
 Networking Devices;
 Magnetic Disks and Tapes;
 Office Equipment;
 Solid State Devices (SSDs); and
 Optical Disks

Sanitisation covers disposal, clearing, purging and destroying. Organisations
must draw on the NISP recommendations to define departmental procedures to
help ensure that asset decommissioning proceeds in a timely and cost effective
manner. The procedures must contain secure sanitisation levels to guard against
the retrieval or reconstruction of data from a decommissioned asset.
