8. Physical and Environmental Security
Procedures should be in place to ensure that secure areas are protected by appropriate entry controls so that only authorised personnel are allowed access. Security perimeters should be defined to protect areas that contain confidential or sensitive information and/or information systems. Appropriate physical security should be implemented for offices, rooms, facilities etc., and offices housing systems that hold non-public data should be kept locked. Where appropriate, physical protection should be provided against damage from natural or man-made disasters such as fire, flood or explosion. All users are required to ensure that systems are not left open to access by intruders to buildings or by unauthorised colleagues.
Procedures should be in place to ensure that equipment hosting data that is not open to public access is not itself located in public areas. Equipment should be sited or protected to reduce the risks from environmental threats and hazards and the opportunities for unauthorised access. Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. Procedures should be in place to ensure that media containing information are protected against unauthorised access, misuse or corruption while being transported beyond the unit's or the University's physical boundaries.
Procedures should be in place to ensure that equipment, information or software is not taken off-site without prior authorisation. Security should be applied to off-site equipment taking into account the different risks of working outside the University's or unit's premises. Procedures should exist to ensure that any sensitive data and licensed software have been removed or securely overwritten before equipment is sold on, transferred or scrapped.
For more detailed guidance please see the following:

