Physical Access Policy

Description

The rules in this policy apply to physical access to any corporate facilities, but you own access to the computer rooms along with facilities management. The majority of the rules in this policy are specific to access to computer rooms, which loosely refers to any room containing sensitive computer equipment such as the network operation center, help desk, server room, or telecommunications room. If your organization already has a well-developed policy regarding access to your buildings, you can delete anything that doesn’t pertain to access to computer rooms.

Read on for excerpts from the actual policy:

Scope

This policy applies to all _COMPANY facilities.

Policy

The following rules define _COMPANY’s policy regarding physical access to facilities

1. Only those authorized by _COMPANY may enter restricted areas of corporate facilities.
2. Access to all computer room doors must be secured to prevent access into the room at all times. Exceptions must be approved by the IT Department.
3. Individuals needing temporary access to computer rooms must contact the IT Department.
4. Each computer room door will have signs on both sides indicating it is to be closed and locked and whom to notify if it is found unsecured. If anyone notices any computer room door without a sign, report it to the IT Department.
5. Plant Security staff will regularly monitor all computer room doors. Outside of normal business hours, plant security will monitor doors to computer areas to ensure they are secured to prevent access into the room. If any door is not secure, plant security is to secure the door and notify the IT Department.
6. The Identification Badge System must generate a log entry every time a badge is read. The Identification Badge reader on the computer room door must indicate the date, time, room location, badge number, and whether badge access level is valid for that room.
7. Long-term access to computer rooms must be approved. Anyone needing long-term access to computer rooms must send a security access request to the IT Department.  The request must include the following information at a minimum: name of requestor, name of person needing access, facility, area(s) where access is needed, and explanation of why the access is needed.
8. The Identification Badge System access list must be reviewed at least quarterly. Any discrepancies found must be corrected immediately.
9. Anyone having badge access to a computer room must not give or loan their badge to another to gain access to a computer room.
10. Anyone having badge access may open the door for someone not having badge access if they know who they are and why they need access. Under no circumstances can the badge holder leave while the visitor is in the computer room.
11. Do not enter areas where you are not authorized.
12. For areas where you are authorized entry, do not allow unauthorized personnel to enter with you.
13. To gain access to restricted areas, request access from the person responsible.
14. The preferred method of physical access control is electronically controlled locks, with card key access systems. These systems provide logs of entry, and one can easily revoke access for personnel no longer authorized.
15. For sensitive areas, security cameras, with video tape recordings made of all activity is recommended.
16. Door locks can be an effective means of restricting access. Keys, which cannot be legally duplicated, should be employed. Tight control of issued keys must be maintained, being sure to obtain keys from personnel when their access is no longer appropriate.