ISO:Physical and Environment Security
Physical and Environment Security
Hornbills head office building has a secure perimeter which ensures that persons not in scope do not have ready access to secure areas. The office has a manned reception. Visitors gain entry by using an intercom at the outside door. Reception then allow them into the building once the visitor has been verified. Visitors sign in at reception and reception then alerts Hornbill Technologies staff of the visitor. The date and time of entry and departure of visitors along with the purpose of visits must be recorded in a register maintained and controlled by Reception.
No visitors are allowed entry without a member of staff being aware. Visitors are escorted by their host whilst on-site. The office is locked out of hours.
Home workers are subject to a risk assessment to identify any relevant risks and the necessary controls. Home workers should comply with the clear desk and clear screen policies, ensure access is controlled as if in the office and have appropriate security measures (e.g. lockable files, secure shredding facilities) as well as secure communications via VPN or similar with the office.
Data cables enter the building below ground and are routed via protective trunking. Power cables enter underground. Internal cabling is set into conduit buried in walls, ceilings and floors to minimise interference. Power cabling is similarly protected.
Secure disposal or re-use of equipment
Hard disks are cleared of all software and all Organizational information prior to disposal or re-use, as set out below.
The Chief Technical Officer is responsible for the secure disposal of storage media and the disposal of all information processing equipment is routed through his office. A log (REC 9.1) is retained showing what media were destroyed, disposed of, and when. The asset inventory is adjusted once the asset has been disposed of.
Devices containing confidential information are wiped prior to disposal and are never re-used. If necessary, the device(s) are put beyond practical use. Devices containing confidential information that are damaged are subject to a risk assessment prior to sending for repair, to establish whether they should be repaired or replaced.
All media are disposed of in line with WEEE regulations on disposal of computer equipment, through the Organization’s approved contractor. The contractor is a licensed waste carrier and relevant Waste Transfer Notes are retained by the Chief Technical Officer for minimum of two years.
Documents containing confidential information which are to be destroyed are shredded by their owners or disposed of as confidential waste. The contractor employed is a registered waste carrier and provides Certificates of Destruction where appropriate and Waste Transfer notes which are retained for a minimum of two years.