Appropriate measures in regard to access control, environment, and protection must be in place to properly protect physical computer systems and information resources from physical harm or unauthorized access and disclosure. These resources include informational assets that are not computer related. All employees, vendors, contractors and partners are responsible for ensuring that information resources and computer systems have proper and adequate physical security.
Access to the office must be logged either electronically or on log sheets. The person getting access must be required to log in and the log in requirement must not be voluntary. Places where authentication devices or data storage facilities exist must require access logs records to be maintained.
- Removal or addition of computer equipment belonging to the company must be logged and accounted for within the office.
- All those who have access to where organizational computer systems are must pass a security background check or be escorted by a staff member who has passed a security background check.
- Computer equipment that allows access to systems without password controls such as account login must be protected in rooms with proper physical access controls. These controls must include mandatory logging of access and proper construction of the room to prevent unauthorized break-in.
- Office premises must be secured in the absence of an authorized employee, with all physical locks on entryway doors engaged.