Enterprise Physical & Environmental Security Policy
Reference #: ITD-SEC-10.2
Issue #: 2
Updated: March 6, 2014
This document articulates requirements that management must address in defining a policy to implement adequate physical and environmental security controls at Secretariats and their respective Agencies or Contractors’ facilities to secure and protect information assets, infrastructure and Information Technology (IT) resources.
The Secretariats and their respective Agencies must implement the appropriate combination of controls (administrative, technical, physical) to provide reasonable assurance that security objectives are met.
Agencies must achieve compliance with the overall information security goals of the Commonwealth including compliance with laws, regulations, legal agreements, policies and standards to which their technology resources and data, including but not limited to personal information (PI), are subject.
All Secretariats and their respective Agencies and entities governed by the overarching Enterprise Information Security Policy must adhere to requirements of this supporting policy.
The requirements described in this document must be followed by:
- Executive Department employees
- Executive Department Secretariats and their respective Agencies, in addition to any agency or organization that connects to the Commonwealth’s wide area network (MAGNet), which are required to ensure compliance by any business partner that accesses Executive Department IT Resources or shared environments, e.g. MAGNet
- Contractors or vendors performing work in or providing goods and services to Commonwealth managed spaces
- Visitors to any Commonwealth managed physical space (e.g. offices, buildings, and network closets) or resource
Other Commonwealth entities are encouraged to adopt, at a minimum, security requirements in accordance with this Enterprise Physical and Environmental Security Policy or a more stringent agency policy that addresses agency specific and business related directives, laws, and regulations.
Secretariats and their respective Agency or Contractors’ facilities housing IT Resources (e.g. telephone networks, data networks, servers, workstations, storage arrays, tape back-up systems, tapes) must protect the physical space in accordance with the data classification of the IT Resource or the operational criticality of the equipment.
Agencies are required to implement controls to secure against unauthorized physical access, damage and interference to the agency’s premises, information and other assets including, but not limited to, personal information (PI) and IT Resources by implementing:
1. Workforce security: Secretariats and their respective Agencies must implement administrative and managerial controls that engage the workforce through awareness and participation. To accomplish this, Secretariats and their respective Agencies must:
1.1. Identify a management team that will be responsible for managing and enforcing the requirements detailed in this policy. The Secretariat or Agency ISO or designee must be part of the management team
1.2. Implement appropriate procedures that address at a minimum:
1.2.1. Misplaced or stolen keys or any other items used to gain physical access
1.2.2. Suspicion of any potential physical security threat including potential break-ins or the presence of unauthorized persons
1.2.3. Changes in procedures for medical, fire or security events
1.2.4. Ensure storage of and access to sensitive information or resources on portable media are handled in a manner that is consistent with this policy and the classification level of the data
1.3. Educate any individual requiring access to Commonwealth managed space of their responsibility to comply with this policy prior to providing access, including:
1.3.1. Helping to ensure that agency access points (entrances/exits) in work areas remain secure. Specifically, locked doors must remain locked and any access codes, keys, badges or other access devices must not be left in accessible places or shared in an unauthorized manner
1.4. Notify employees that failure to comply with this policy and related policies and procedures may result in disciplinary action
1.5. Notify vendors, consultants, or contractors that failure to follow this policy or related policies and procedures may be grounds for termination of existing agreements and may be considered in evaluation and negotiation for future agreements
2. Least privilege: Agencies must apply the principle of least privilege when granting physical access rights to individuals.
Physical access controls must be granted at the lowest level of access, rights, privileges, and security permissions needed for an individual to effectively perform authorized tasks on any IT Resource or information or within a Commonwealth managed facility.
It is important to understand the role of the individual who is granted access and how that role impacts the privilege requirements. For example, a delivery driver, the individual responsible for janitorial services in secure areas, and the network administrator each have different roles that require varying levels of privilege.
Agencies must also address the technical, operational and managerial controls necessary to achieve compliance with least privilege in those instances where authorized users have physical access to logically separated data, applications and/or virtualized hosts.
3. Visitor control: Agencies must develop and enforce procedures to monitor and control access to secure IT facilities and offices by visitors. Examples of visitors may include contractors, vendors, customers, friends/family of employees and employee candidates. Procedures must address:
3.1. Requirements for use and maintenance of visitor logs
3.2. Requirements for visitor identification
3.3. Requirements specific to a given security zone, e.g. escorted access to highly sensitive areas
4. Facility access controls of IT Resources: Secretariats and their respective Agencies must implement, or ensure third party implementation of, physical access controls for all Agency IT data centers and offices that they are responsible for, including access controls for public areas, deliveries and loading areas. Access controls must be implemented based on the data classification or operational criticality of the IT Resources that are housed within a given facility or security zone.
A security risk assessment must be performed and documented to locate (map) physical areas and the levels of security needed at each location. Appropriate levels of security controls must be installed at areas needing higher levels of security.
Acceptable methods for implementing such controls include but are not limited to:
4.1. Electronic Card Access
4.2. Traditional Lock and Key Access
4.3. Motion and Breach Detection System
4.4. Video Monitoring
4.5. Security Service Provider or Third Party Monitoring Service
4.6. Attendants, Security Guards or Police Officers
4.7. Paper or Electronic Logs
5. Equipment and environmental security: Secretariats and their respective Agencies are responsible for ensuring that Commonwealth managed facilities (including IT data centers, offices or facilities that house telephone networks, data networks, servers, workstations, and other IT-related systems) can implement adequate environmental safeguards to ensure availability and protect against damage (e.g. from high heat, high humidity, etc.). Environmental safeguards that must be evaluated, implemented and maintained as appropriate include:
5.1. Secure installation and maintenance of Network cabling that protects against damage to the physical cabling and/or unauthorized interception of data traversing the network cables
5.2. Ability to monitor and detect variation in temperature and humidity associated with the use of Heating, Ventilation and Air Conditioning (HVAC) systems
5.3. Use of industry standard methods for maintaining consistent power supply including backup generators and/or Uninterruptible Power Supplies (UPS)
5.4. Use of industry standard network components including routers, switches, intelligent hubs and associated cabling
5.5. Use of leak detection devices (water)
5.6. Use of fire detection and suppression devices including fire extinguishers and sprinkler systems
5.7. Protection against environmental hazards such as floods, fires, etc.
Any changes to the deployed environmental safeguards which affect the availability of assets or information must be reported immediately to the business owner, service manager and ISO or management team as required by Secretariat or Agency procedures.
6. Equipment Maintenance: Agencies must have maintenance procedures in place to accomplish the following:
6.1. Keeping all systems and IT equipment maintained and updated per manufacturer recommendations to ensure availability and integrity of the data and services provided by the equipment
6.2. Ensuring that all maintenance, troubleshooting and repair services are provided by authorized personnel
6.3. Keeping current documentation including maintenance logs, fault logs, diagnostic details, service records and corrective measures taken
6.4. Ensuring adequate controls are implemented for off-site equipment prior to sending the equipment off-site for any reason. At a minimum, Agencies must:
6.4.1. Securely remove any sensitive data that does not need to reside on the equipment
6.4.2. Have reasonable assurance that the party responsible for the equipment while it is off site understands and accepts responsibility for protecting the equipment, information about the equipment or information stored on the equipment at the appropriate level based on the sensitivity classification of the equipment and associated information
7. Secure disposal, removal, or reuse of equipment: Agencies must document and implement procedures to reasonably ensure secure handling and disposal of IT-related equipment, particularly hardware that contains data classified as having high or medium sensitivity. Procedures must, at a minimum, accomplish the following:
7.1. Secure removal or overwriting of Licensed software prior to disposal
7.2. Effective and permanent removal of the contents/data on the storage device of computing equipment using industry standard techniques or tools to make the original information non-retrievable
Note: Using the standard delete or format function is an unacceptable method of achieving this goal
7.3. Ensure all equipment containing storage media, e.g., fixed hard drives, is checked to verify that any licensed software or information classified as having medium or high sensitivity is removed or overwritten prior to disposal
7.4. Specify whether damaged storage devices, particularly those containing information classified as having high or medium sensitivity, must be repaired or destroyed. Procedures may require that a risk assessment be performed to determine how the device will need to be handled. For example, does the content of the device indicate that the device should be physically destroyed rather than sent out for repair or discarded?
All agencies and entities governed by the overarching Enterprise Information Security Policy are subject to the referenced roles and responsibilities in addition to those specifically stated within this supporting policy. The roles and responsibilities associated with implementation and compliance with this policy are as follows:
Assistant Secretary for Information Technology
- Approval and adoption of the Enterprise Physical & Environmental Security Policy and its revisions.
Secretariat Chief Information Officer (SCIO) and Agency Head
- Exercise due diligence in adhering to the requirements contained in this policy.
- Provide communication, training and enforcement of this policy that support the security goals of the Secretariat, its agencies and the Commonwealth.
- Provide proper third party oversight as applicable for any IT Resources, systems and IT facilities including physical and environmental controls.
- Agency Heads are responsible for signing off on the agency’s acceptable risk level for meeting IT security objectives.
Enterprise Security Board (ESB)
- Recommend revisions and updates to this policy and related standards.
Facilities and Environmental Services Management
- Implement adequate physical and environmental security controls at agency facilities to secure and protect information assets, infrastructure and IT Resources.
Secretariat or Agency Information Security Officer (ISO)
- Ensure that the goals and requirements of the Enterprise Physical & Environmental Security Policy are implemented and met.
The Executive Office of Technology Services and Security (EOTSS)
- After review of any related recommendations of the Enterprise Security Board, issue revisions and updates to this policy and related standards.
- Required to acknowledge and comply with the Enterprise implementation of this policy at a minimum or a more stringent agency specific policy before being provided access to Commonwealth IT Resources, information or property.
Primary references that were used in development of this policy include:
Executive Order 504
Additional information referenced includes:
M.G.L., Ch 93H
M.G.L., Ch 93I
M.G.L., Ch 66A
HIPAA Security Rule
SANS Audit Checklist
Key terms used in this policy have been provided below for your convenience. For a full list of terms please refer to the Information Technology Division’s web site where a full glossary of Commonwealth Specific Terms is maintained.
Business Partner - A generic term referring to both contracted business partners and statutory business partners as those terms are defined in the Commonwealth Glossary of Terms (and below).
Contracted Business Partner - An entity under contract with the Commonwealth with which the Commonwealth has an agreement to share data or engage in secure communications for a limited purpose. Contracted business partners do not include individuals who are under contract with and paid directly by the Commonwealth.
Least Privilege - The principle of least privilege means to give a user only those powers/privileges which are absolutely essential to perform his/her job responsibilities.
Statutory Business Partner - Individuals or entities that are not under contract with the Commonwealth and have a statutory right to access data held by the Commonwealth.
Visitor - An individual who has a business need for temporary access to systems and/or equipment residing in the facility or a need to meet on-site with an employee.
|Date||Action||Effective Date||Next Review Date|
Ref ITD-SEC-10.1 Enterprise Physical & Environmental Security Policy
|12/21/15||Accessibility remediation – no content changes||2/22/16||1/1/17|