Control 7.6: Working in Secure Areas
Summary
Procedures for working in secure areas should be designed and implemented. The aim is that personnel follow defined security rules while inside high-risk zones, such as data centers or restricted record rooms, so that nobody with access can take unauthorized actions (including viewing, photographing or removing information), and so that accidental damage to equipment or records is prevented.
Applicability
In-Scope: Required for any organization that has designated high-security physical zones. It mitigates the risk of accidental damage, unauthorized data viewing or unsupervised activity by personnel and contractors who have legitimately been granted access to sensitive infrastructure.
Out-of-Scope: The control can be excluded only if the organization has no physical areas designated as secure or restricted within its facilities.
Implementation Guidance
Microsoft 365 / Entra ID
- Supervision: Use Microsoft Teams to coordinate buddy-system schedules so that no single person is left alone and unsupervised in a critical hardware area.
- Logging: Maintain a SharePoint list that records the start and end times of all maintenance work performed in secure areas, and who was present, so the record can be reviewed for audit purposes.
- Communication: Use Microsoft Viva Engage to post reminders about prohibited items, such as cameras or recording devices, within restricted zones.
Evidence Checklist
- Secure Area Procedures: Documented rules for behavior inside restricted zones, including escort requirements and prohibited items.
- Work Logs: Sign-in and sign-out records for personnel and contractors entering secure areas.
- Training Records: Proof that staff have been briefed on the specific risks and protocols associated with working in restricted environments.
Practical Audit Advice
Here are some questions the auditor might ask:
- What is the process for ensuring that third-party maintenance staff are escorted while working in a secure area?
- How are personnel informed about specific prohibited items before they enter a restricted zone?
- Can you demonstrate how you verify that a secure area has been properly locked and the alarm set after a work session ends?
- Is there a clean-area policy (no unattended tools, media or materials left behind) for spaces containing critical hardware, to prevent accidental damage?