Physical and Environmental Security Policy
Security Classification: Public
Version: 2.0 (April 2025)
Designated information technology facilities and other operational facilities shall be protected with physical security measures to prevent unauthorized persons from gaining access, or to prevent other physical threats as applicable.
Physical Access Controls
Physical Access Controls will be sufficient to meet the Physical Access Standard.
KX Visitor Access
Visitor Access Controls will be sufficient to meet the Physical Access Standard.
Physical Environment and Climate
- KX employs and maintains fire suppression devices / systems which can be automatically or manually activated in the event of a fire.
- Fire detection and suppression devices / systems (where present) activate automatically and provide automated notification of any activation to emergency responders and key KX personnel.
- KX conducts fire drills for all employees at least once per year in buildings controlled by KX. In other locations, building management is responsible for conducting fire drills in accordance with the lease.
- KX places appropriate equipment to avoid damage from fire and flood. Reasonable precautions should be taken to protect from earthquake, explosion, civil unrest, and other forms of natural or man-made disaster.
- KX regularly monitors and maintains within acceptable levels the temperature and humidity within facilities containing information systems.
- KX protects the information systems from water damage resulting from broken plumbing lines or other sources of water leakage by ensuring that master shutoff valves are known and accessible to key personnel and are working properly.
- The water supply is stable and adequate to supply air conditioning, humidification equipment and fire suppression systems (where used).
- KX monitors for malfunctions in the water supply system that may damage equipment or prevent fire suppression from acting effectively in buildings controlled by KX. In other locations, building management is responsible for monitoring in accordance with the lease.
- Power and telecommunications lines into information processing facilities are underground where possible or subject to adequate alternative protection.
- Network cabling is protected from unauthorized interception or damage, for example by using a conduit or by avoiding routes through public areas.
- Power cables are segregated from communications cables to prevent interference.
- Clearly identifiable cable and equipment markings are used to minimize handling errors, such as accidentally patching the wrong network cables.
- A documented patch cable list is used to reduce the possibility of errors.
- Sensitive or critical systems controls include the use of fiber optic cabling.
- Sensitive or critical systems controls include the use of electromagnetic shielding to protect the cables.
- Sensitive or critical systems controls include technical sweeps and physical inspections for unauthorized devices being attached to the cables.
- Sensitive or critical systems controls include controlled access to patch panels and cable rooms.
- KX maintains a redundant air-cooling system as deemed necessary by management.
Equipment Security
- Relevant health and safety regulations and standards are incorporated in the securing of offices, rooms, and facilities.
- To secure offices, rooms, and facilities, key facilities are located to avoid access by the public.
- To secure offices, rooms, and facilities, buildings are unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities.
- To secure offices, rooms, and facilities, directories and internal telephone books identifying locations of sensitive information processing facilities are not readily accessible by, or available to, the public.
- Items requiring special protection are isolated to reduce the general level of protection required.
- Lightning protection is applied to all buildings and lightning protection filters are fitted to all incoming power and communication lines, where required by regulation.
- Equipment processing sensitive information is protected to minimize the risk of information leakage.
- The environment should be monitored for conditions that could adversely affect the operation of information processing security.
Power Supply Protection
- KX protects power equipment for the information system from damage and destruction.
- KX employs redundant power cabling paths.
- For specific locations within a facility containing concentrations of information system resources (such as Data Centers, server rooms, mainframe rooms, etc.), KX provides the capability of shutting off power to the area of the office containing any information technology component that may be malfunctioning (for example, due to an electrical fire) or threatened (for example, due to a water leak), without endangering personnel by requiring them to approach the equipment.
- KX provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
- KX provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
- KX provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.
- Uninterruptible Power Supply (UPS) equipment is checked regularly to ensure it has adequate capacity and is tested in accordance with the manufacturer’s recommendations.
- KX employs and maintains automatic emergency lighting systems that activate in the event of a power outage or disruption.
Equipment Off Premises
- Equipment and media taken off premises are not to be left unattended in public places. Portable computers are carried as hand luggage and disguised where possible when travelling. Portable computers should never be checked as luggage.
- Manufacturer’s instructions for protecting equipment are observed at all times. For example, protection against exposure to strong electromagnetic fields.
- Adequate insurance coverage is provided for offsite equipment. Security risks offsite, such as damage, theft, or eavesdropping, may vary considerably between locations and are taken into account when determining the most appropriate controls.
- Equipment, information, or software is not taken offsite without prior authorization.
- Employees, contractors, and third-party users who have authority to permit offsite removal of assets are clearly identified.
- Time limits for equipment removal are set and returns checked for compliance.
- Equipment is logged as being removed offsite and logged when returned.
- Equipment that is authorized to be taken offsite shall conform to the standards equivalent to those for onsite equipment used for the same purposes.
Physical Access Management
- KX monitors physical access to information systems to detect and respond to incidents.
- KX monitors real-time intrusion alarms and surveillance equipment.
- KX employs automated mechanisms to ensure potential intrusions are recognized and appropriate response actions initiated.
- KX controls the delivery of information system related items (examples include hardware, firmware, and software).
- KX controls information system related items (examples include hardware, firmware, and software) entering the facility.
- KX maintains appropriate records of information system related items (examples include hardware, firmware, and software) entering the facility.
- KX controls the removal of information system related items (examples include hardware, firmware, and software).
- KX controls information system related items exiting the facility (examples include hardware, firmware, and software).
- KX maintains appropriate records of information system related items exiting the facility (examples include hardware, firmware, and software).
- All deposits and withdrawals of tapes and other storage media from the library should be authorized and logged.
Equipment Maintenance
- All equipment shall be maintained in accordance with the suppliers’ recommended service intervals and specifications.
- Only authorized maintenance personnel shall carry out repairs and service the equipment.