
Control 7.3: Securing Offices, Rooms and Facilities


Summary

Physical security for offices, rooms, and facilities should be designed and implemented to prevent unauthorized access, damage, and interference. This focuses on the internal layout and the protection of specific work areas within the broader perimeter.


Applicability

In-Scope: Mandatory for any office environment. It addresses risks such as shoulder surfing, unauthorized use of unattended workstations, and the protection of printed sensitive information.

Out-of-Scope: Never out-of-scope for physical office locations.


Implementation Guidance

Microsoft 365 / Entra ID

  • Screen Locking: Use Microsoft Intune to enforce a mandatory inactivity timeout that automatically locks computer screens after a maximum of 5 minutes of idle time.

  • Print Security: Implement Microsoft Universal Print with Secure Release functionality, requiring a user to authenticate at the printer before their sensitive document is physically produced.

  • Environmental Monitoring: Use IoT sensors integrated with Azure to monitor for environmental threats like fire, flood, or extreme temperature changes in rooms containing critical hardware.
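The screen-locking item above is the one an auditor can verify directly on an endpoint. The PowerShell below is an added evidence-collection check, not code from this page or from Microsoft; it reads the registry values that Intune and Group Policy write for the "Interactive logon: Machine inactivity limit" setting and for the password-protected screensaver, and reports whether the device meets the 5-minute maximum stated above. The registry paths are the standard Windows policy locations; the output field names and the function name are choices made for this example.

```powershell
# Added audit check for the screen-lock requirement (maximum 5 minutes idle).
# Not part of the page or of Microsoft's tooling. Run on a managed Windows
# endpoint; reading HKLM policy keys may require an elevated shell.

$MaxIdleSeconds = 300   # 5 minutes, the page's stated maximum

function Get-RegValue {
    # Return a registry value, or $null when the key or value is absent
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ScreenLockCompliance {
    param([int]$MaxSeconds = $MaxIdleSeconds)

    # Machine-wide limit written by "Interactive logon: Machine inactivity limit"
    $machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

    # Per-user screensaver settings: policy-scoped key wins over the user's own key
    $policyDesktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userDesktop   = 'HKCU:\Control Panel\Desktop'
    $timeout = Get-RegValue $policyDesktop 'ScreenSaveTimeOut'
    if ($null -eq $timeout) { $timeout = Get-RegValue $userDesktop 'ScreenSaveTimeOut' }
    $secure  = Get-RegValue $policyDesktop 'ScreenSaverIsSecure'
    if ($null -eq $secure)  { $secure  = Get-RegValue $userDesktop 'ScreenSaverIsSecure' }

    # A value of 0 means "never", so it must be treated as non-compliant
    $machineOk = ($null -ne $machineLimit) -and ([int]$machineLimit -gt 0) -and ([int]$machineLimit -le $MaxSeconds)
    $saverOk   = ($null -ne $timeout) -and ([int]$timeout -gt 0) -and ([int]$timeout -le $MaxSeconds) -and ([string]$secure -eq '1')

    # Either mechanism locks the session within the limit, so either satisfies the control
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        MachineInactivitySecs = $machineLimit
        ScreenSaverTimeoutSec = $timeout
        ScreenSaverRequiresPw = $secure
        Compliant             = ($machineOk -or $saverOk)
        Checked               = (Get-Date).ToString('s')
    }
}

# Emit one record per device; pipe to Export-Csv to build the evidence file
Test-ScreenLockCompliance | Format-List
```

Running this across a sample of managed devices (for example through a remediation script or a remote session) gives a dated record that the inactivity limit is actually applied, which is stronger evidence than a screenshot of the Intune configuration profile alone.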


Evidence Checklist

  • Facility Hardening Plan: Documentation describing the physical security features of the office, such as reinforced doors or shatterproof glass.

  • Clean Desk Policy: A formal policy requiring sensitive information and removable media to be locked away when workstations are unattended.

  • Inspection Logs: Records of periodic, after-hours walkthroughs conducted to ensure compliance with clear desk and clear screen rules.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How are high-traffic areas, such as reception or mailrooms, physically separated from areas where sensitive data processing occurs?

  • What controls are in place to prevent an unauthorized person from viewing a specialist's screen from a window or a public hallway?

  • Are sensitive areas, such as the server room, windowless or equipped with reinforced glass and internal security cameras?

  • How do you ensure that vacant desks or empty office spaces are not used as unauthorized staging areas for hardware or sensitive files?