Policy 15: Physical security for entity resources
Purpose
This policy describes the physical protections required to safeguard people, information and assets (including ICT equipment) to minimise or remove security risk.
Overview
Entities must implement physical security measures that minimise or remove the risk of harm to people, information, and physical assets.
In doing so, entities must consider the expected business impact if those resources were compromised, lost or damaged.
When determining the appropriate business impact level for a physical asset, it can be useful for entities to consider its value, classification, importance or attractiveness.
After entities have considered the security risks to their resources, they must choose appropriate containers, cabinets, secure rooms and strong rooms to protect them. In certain instances, it is mandatory to use security equipment that the Security Construction and Equipment Committee has approved.
Entities must implement physical security measures to prevent sensitive and classified discussions from being overheard (either deliberately or accidentally). Entities can minimise the risk of being overheard by implementing audio security measures and controlling the environment in which the discussion takes place.
Entities must identify the appropriate physical security measures to protect ICT assets and the information held or communicated on ICT equipment. The required level of protection is based on either the highest business impact level identified if the ICT assets were compromised, or the aggregate of information held or communicated on the ICT equipment.
At the end of the useable life of physical assets, entities must ensure they are disposed of securely, in line with the PSPF.
When personnel work away from the office, entities must consider the security risks of the environments in which those personnel operate.