Version History
OFFICIAL-RESTRICTED
Table of Contents
1 Introduction
1.1 Aims of the Standard
1.2 Applicable Legislation
2 Physical Security Roles & Responsibilities
2.1 Chief Information Risk Owner
2.2 Security Controller
2.2.1 Responsibilities of the Security Controller
2.3 Facilities Manager
2.4 Contractors
3 Physical Security Risk Assessment
3.1 Purpose of Physical Risk Assessments
3.2 Scoping Physical Risk Assessments
3.3 Identification of Threat Sources
3.3.1 Typical Threat Sources
3.3.2 Calculating Threat Levels
3.4 Threat Actors
3.4.1 Threat Actor Type
3.5 Physical Intruders
3.6 Identification of Vulnerabilities
3.6.1 Vulnerable Areas
3.6.2 Example – Site Vulnerability Considerations
3.7 Prioritised Physical Security Risks
3.8 Risk Treatment
4 Physical Perimeter Security
4.1 Secure Site Design
4.1.1 Fence or Wall Structures
4.1.2 Ceilings
4.1.3 Floors
4.1.4 Windows
4.1.5 Doors
4.1.6 Sprinkler Systems
4.1.7 Water and Gas Lines
4.1.8 HVAC
4.1.9 Power Requirements
4.2 Intrusion Detection System
4.3 Availability of Information about Data Centre
5 Physical Entry Controls
5.1 Baseline Physical Access Controls
5.1.1 Closed Circuit Television (CCTV) Monitoring
5.1.2 Security Patrols
5.1.3 Authorised Access Points
5.2 General Building Access
5.3 Access Card Infrastructure
5.3.1 Access Passes
5.3.2 Challenging Non-Pass Holders
5.3.3 Return of Access Passes
5.3.4 Loss and Theft of Passes
5.3.5 Tailgating Prevention
Table of Figures
1 Introduction
This Standard presents the official Government of Uganda (GoU) approach for
managing the physical security risks affecting sites hosting critical information
infrastructure (CII). In accordance with the National Information Security Policy
(NISP), this Standard aims to reduce the vulnerability of CII to physical security
threats including crime, natural disasters and acts of terrorism.
ii. Uganda (2005a), "The Access to Information Act, 2005", in The Uganda
Gazette, The Government of Uganda, Entebbe, Uganda.
iii. Uganda (2006), The Police (Amendment) Act, 2006, The Government of
Uganda, Entebbe, Uganda.
iv. Uganda (2009b), The National Security Council Act, The Government of
Uganda, Entebbe, Uganda.
vi. Uganda (2011a), "The Computer Misuse Act, 2011", in The Uganda
Gazette, The Government of Uganda, Entebbe, Uganda.
vii. Uganda (2011b), "The Electronic Signatures Act, 2011", in The Uganda
Gazette, The Government of Uganda, Entebbe, Uganda.
viii. Uganda (2011c), "The Electronic Transactions Act, 2011", in The Uganda
Gazette, The Government of Uganda, Entebbe, Uganda.
I. Physical Security Roles and Responsibilities
2 Physical Security Roles & Responsibilities
The NISP mandates that all public and private sector organisations bound by the
National Information Security Framework (NISF) have in place an organisation to
manage effectively its information security activities including physical security.
In common with information and personnel security functional areas, the NISP
mandates the creation of suitable physical security management structures with
defined accountability at all levels. As a minimum requirement, parties using this
Standard must have in place the following physical security roles.
2.4 Contractors
It is likely that the organisation will outsource some physical security functions at
sites hosting CII assets. Thus, the Security Controller and/or Facilities Manager
would have to manage a number of contractors either corporate or individual.
The contracts could include companies and/or individuals that provide security
guards to patrol the facility and manage the front desk 24/7. If one is in place,
the Facilities Manager shall supervise and allocate tasks to contractors daily.
The Facilities Manager would liaise with the contractors on the supply of suitable
security staff. On behalf of the Security Controller, the Facilities Manager shall
ensure that contract staff have suitable licenses and that they hold and maintain
their security clearances. The Manager shall also address contractor performance issues.
II. Physical Security Risk Assessment
3 Physical Security Risk Assessment
The NISP mandates that all public and private sector organisations bound by the
NISF adopt a formal, consistent and policy-guided risk management approach to
guide all their security activities. Therefore, CII owners/operators must undertake
security risk assessments for all sites that host sensitive IT assets.
The two threat sources are the most typical. However, the list might be longer.
As such, parties using this Standard should identify all threat sources that apply.
Burglars that act on their own behalf are a threat actor rather than a source.
The risk assessment shall evaluate the site location’s vulnerability to natural
disasters such as floods, earthquakes, earth movements, mudslides and snow.
Organisations shall avoid locations with high vulnerability to natural disasters.
3.6.2.2 Visibility
Highly visible sites reveal the existence of sensitive IT assets and increase
their exposure to the risk of physical intrusion. It is sensible to avoid such sites.
It is not advisable to host sensitive IT assets in sites that are in close proximity to
possible hazards and localities with high local crime rates.
Secure sites must have ample access to heating, ventilation and air-conditioning
(HVAC) resources. Hence, joint tenancies could pose an issue to large CII sites.
The prioritised physical security risk list serves as input for SS2.
III. Physical Perimeter Security
4 Physical Perimeter Security
The NISP requires the implementation of an adequate physical perimeter around
critical or sensitive information processing facilities to stop unauthorised physical
access. In accordance with the NISP, this Standard regards the perimeter as the
whole area surrounding the building hosting CII assets including roads, footpaths
and any other areas just outside the building. The physical security perimeter is
the first layer of a ‘layered’ or ‘defence-in-depth’ approach to physical security
that progressively increases the difficulty of security controls the closer one gets
to areas containing sensitive CII assets. Below are the major issues to consider.
4.1.2 Ceilings
Ceilings of secure sites must have the capacity to hold the weight of equipment
such as IT as well as Heating, Ventilation and Air-Conditioning (HVAC) systems.
The ceiling must also have adequate fire rating i.e. at least 1 hour for normal site
areas and 2 hours for secure rooms storing media.
4.1.3 Floors
In common with ceilings and walls, secure sites must have slab floors with ample
capacity to bear the physical weight of IT and HVAC equipment i.e. loading. The
floor must equally have the recommended fire rating. Secure sites also require
raised floors. Raised floors protect IT and HVAC equipment against ground static
build-up. The floor should also use surfaces with no electrical conductivity.
Raised floors could also help reduce damage from mild flooding.
4.1.4 Windows
Secure sites usually have a limited number of windows, if at all. Where windows
are in place, they must be translucent and shatterproof. Secure sites can also
use tempered glass windows that are about seven times more break resistant.
Windows in fixed frames reduce the likelihood that intruders would remove
windowpanes from outside.
4.1.5 Doors
Doors in secure facilities must resist forcible entry and have a fire rating equal to
the walls and ceiling discussed above. Secure sites must also have clearly
marked, monitored and/or alarmed emergency exits. For the safety of staff in the
secure sites, electrical door locks on emergency exits must default to a disabled
state if power outages occur. To reduce the risk of physical intrusions during
power outages, security guards must man the exit doors during an emergency.
4.1.8 HVAC
The facility must have an adequate HVAC system. The HVAC system must be
on a separate infrastructure from the rest of the building. For example, the HVAC
must have dedicated power circuits. The Emergency Power Off switch must be
in a secure but easy to find location. The air-conditioning vents and ducts must
have adequate protection to thwart physical intruder attacks. The air-conditioning
system must also provide outward, positive air pressure to prevent the inward
flow of contaminants into the facility.
IV. Physical Entry Controls
5 Physical Entry Controls
The NISP mandates that secure areas within information processing facilities
must have suitable entry controls to stop unauthorised personnel from gaining
access. The physical entry controls implemented must match the business and
information security requirements of the CII assets.
Visitors shall only obtain unescorted access passes to secure or controlled areas
of the site if they provide the Security Controller and/or Facilities Manager
evidence of holding an appropriate security clearance for the site in advance of
their visit. The security officer at reception must reject all requests for unescorted
badges for individuals without an advance written confirmation from the Security
Officer. Individuals attending secure sites must submit to appropriate searches of
outer clothing, bags, packages and other property. Refusal to grant permission
for the searches would result in denial of access to the secure site for visitors.
The security officer must report the incident to management who might raise the
matter with the visitor/contractor’s organisation. For permanent members of staff,
the security officer must create an incident report about the refusal of permission
to conduct a search for line management that may lead to disciplinary action.
As discussed next, access cards may also serve as access passes to identify
persons within a secure facility. However, the two features are usually separate.
sight when not at the secure site. If access passes use a Personal Identity
Number (PIN), holders must memorise it and destroy the original copy. Access
passes may also contain access control features associated with computerised
access cards e.g. to deny access to the site outside formal working hours.
security team must make a report for management that could lead to disciplinary
action. In addition, security awareness, education and training must address the
risks of tailgating and consequences including disciplinary action.
The Security Controller and Facilities Manager are responsible for the master
key plan including protecting it against unauthorised disclosure and access.
Visitors must obtain a written security briefing form at reception before obtaining
their access pass. The security officer might also explain to the visitor issues
such as emergency procedures.
Visitors must not bring the items listed below into secure facilities hosting IT
assets marked SECRET and above without the express written permission of the
Security Controller. These include:
Smartphones with cameras, voice and video recording features;
Personal computers of all types;
Third party-issued computer devices of all types;
Cameras; and
Any other recording devices.
The security staff shall require all visitors to declare or deny possession of any
item on the prohibited list. If in possession, security staff shall require the visitors
to deposit the assets into a secure lock until departure. Hosts shall ensure that
their visitors have retrieved all their personal possessions before departure.
V. Internal Data Centre Physical Access Control
6 Internal Data Centre Physical Access Control
According to the NISP, internal data centre access controls aim to protect the
areas that support sensitive information processing and storage activities.
Access controls include stricter personnel security and authentication controls.
The general access control policy for the data centre addresses the areas below.
Class B data centres shall host information assets classified up to and including
SECRET. In accordance with the business impact tables in SS1, an attack on a
Class B data centre could cause serious disruptions to services, affecting the
organisation’s ability to achieve its core business objectives.
Class C data centres shall host information assets classified up to and including
OFFICIAL-RESTRICTED. In accordance with the business impact tables in SS1,
an attack on a Class C data centre could cause moderately serious disruptions
to services including non-permanent loss of the ability to provide some services.
from the main site depending on the transport and communication infrastructure.
A Class B data centre can be 5 to 10 kilometres away in the same city. Lastly, a
Class C data centre may reside in the same building as the production site.
The only Class C requirement is the installation of intrusion detection alarms
at the site when left unattended. Staff may check the alarm periodically.
6.2.1 Delivery
All couriers must deliver mail and packages to the front desk of the secure site.
The security staff at the front desk reception would sign for any mail or parcels
requiring a signature, and record the items in a mail register. The security staff
shall transfer normal mail and parcels to a secure mailroom after conducting the
step in 6.2.2. Where the recipient expects classified information, the security
staff shall maintain the custody of the mail or parcel until the recipient signs for it.
VI. Equipment Security
7 Equipment Security
As outlined in the NISP, and in keeping with US ISO/IEC 27001, organisations
must protect equipment against physical and environmental threats. The security
measures outlined below would help reduce the risk of unauthorised access to
information and loss or damage to equipment.
Recent reports have confirmed that threat sources, notably foreign intelligence
services, can gain unauthorised access to the telecom infrastructure of large
global organisations and governments. Therefore, secure sites must conduct
regular sweeps of their cable infrastructure for unauthorised listening devices.
VII. Media Security, Distribution and Information Back-Ups
8 Media Security, Distribution and Back-ups
US ISO/IEC 27002 recommends that organisations adopt a series of procedures
to control and physically protect media. The overall goal of the measures is to
prevent the unauthorised disclosure, modification, removal or destruction of
assets, and interruption to business activities. In accordance with the NISP, this
Standard requires that CII owners/operators adopt the following measures.
VIII. Secure Disposal and Re-Use of Equipment
9 Secure Disposal and Re-Use of Equipment
This phase involves the activities to end the project. From an information security
viewpoint, the closure phase coincides with the decommissioning, disposal
and/or transfer of information system assets. All organisations that own and/or
operate CII must have in place processes to help ensure that decommissioning
and disposal activities conform to the requirements in the NISP. As defined in
the NISP, the processes must aim to help CII system owners and their supply
chain to manage the security risks associated with the disposal and re-use of
computer storage media holding classified or sensitive GoU information.