Compliance checklist

Data protection regulations

Regulatory responsibilities include controlling physical access to data, and non-compliance carries serious commercial penalties.

General Data Protection Regulation (GDPR)

New, harmonised EU data protection and privacy law:

Effective from 25 May 2018, replacing the Data Protection Directive 95/46/EC. The regulation requires that personal data breaches be reported to the supervisory authority without undue delay (within 72 hours where feasible) and imposes large financial penalties for non-compliance (up to €20 million or 4% of worldwide annual turnover, whichever is higher). It applies not only to organisations established in the EU but also to organisations elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU; transferring personal data out of the EU requires an adequacy decision for the destination country or equivalent safeguards.

Personal data must be protected against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and the regulation expects the solutions implemented to provide data protection by design and by default.

FISMA

US Federal Information Security Management Act (2002, updated by the Federal Information Security Modernization Act of 2014):

Federal agencies and the organisations operating systems on their behalf must limit physical access to information systems, equipment and the respective operating environments to authorized individuals. In practice this is implemented through the physical and environmental protection (PE) control family of NIST SP 800-53.

Sarbanes-Oxley Act

Applicable to U.S. public companies:

Under the Section 404 internal control requirements, physical access to the IT infrastructure supporting financial reporting should be restricted to authorized personnel only, and that access should be monitored and reviewed periodically.

HIPAA

Health Insurance Portability and Accountability Act, passed by the US Congress in 1996:

The Security Rule's physical safeguards require physical measures, policies and procedures that protect a covered entity's electronic information systems, and the buildings and equipment that house them, from natural and environmental hazards and from unauthorized intrusion.

Data security standards

Standards and best practice demand that physical access to data and critical utilities be restricted and controlled.

PCI-DSS

Payment Card Industry Data Security Standard:

All entities that store, process or transmit cardholder data are required to maintain payment security.

Requirement 9 addresses physical access: any physical access to data, or to systems that house cardholder data, gives a person the opportunity to access and/or remove devices, data, systems or hardcopies, so such access must be appropriately restricted.

ISO 27001

International standard specifying the requirements for an information security management system (ISMS), with ISO/IEC 27002 as the accompanying code of practice for security controls:

The physical and environmental security controls require defined security perimeters and barriers, with physical entry controls and working procedures, to protect premises, offices, rooms and delivery/loading areas against unauthorized access. ICT equipment and supporting utilities (such as power and air conditioning) must also be secured.

SSAE 16 and ISAE 3402

Attestation standards under which service organisations report on their controls (Service Organization Controls, SOC) relevant to their customers' financial reporting; SSAE 16 has since been superseded by SSAE 18:

Logical and physical access control processes must govern how the organisation restricts logical and physical access to the system, grants and revokes that access, and prevents unauthorised access.

ANSI/TIA-942

Data centre infrastructure standard:

Covers many design aspects, including architectural and physical security considerations, across four tiers of protection.

Best-practice data centres employ a layered approach to physical access control, starting at the perimeter and segregating access rights between higher- and lower-security areas within the site (this can include time-limited access rights to individual server racks). Recommended implementations of these layers incorporate anti-tailgating and anti-passback measures, multi-factor authentication and video surveillance.

Access controls for data centres also need to allow for the inevitable visits of technicians to maintain equipment; their access should be limited to the appropriate areas and server racks, and to the agreed maintenance window.
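The layered model above (perimeter, data hall, individual rack), with anti-passback and a time-limited technician grant on one rack, can be expressed as a small access-decision engine. The following is an added example, not code from the page or from any vendor's product; the zone names, the badge holder "tech-42", the timestamps and the rule that inner layers require a second factor are all constructed for illustration.

```python
"""Layered physical access control with anti-passback and time-limited grants.

Added example (not the page's or any vendor's code). Zone hierarchy, holder
names, timestamps and the second-factor rule are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Each zone's parent is the layer that must be passed through first.
ZONES = {
    "perimeter": None,
    "data-hall": "perimeter",
    "rack-A12": "data-hall",
    "rack-B07": "data-hall",
}
# Inner layers that require a second factor (PIN/biometric) as well as the badge.
MFA_ZONES = {"data-hall", "rack-A12", "rack-B07"}


@dataclass
class Grant:
    holder: str
    zone: str
    start: datetime
    end: Optional[datetime]  # None = standing access; otherwise a maintenance window

    def active(self, at: datetime) -> bool:
        return self.start <= at and (self.end is None or at < self.end)


class AccessController:
    def __init__(self, grants):
        self.grants = list(grants)
        self.inside = {}   # anti-passback state: holder -> set of zones currently occupied
        self.log = []      # (time, holder, zone, decision, reason)

    def _deny(self, holder, zone, at, reason):
        self.log.append((at, holder, zone, "DENY", reason))
        return False

    def enter(self, holder, zone, at, second_factor_ok=False) -> bool:
        if zone not in ZONES:
            return self._deny(holder, zone, at, "unknown zone")
        held = self.inside.setdefault(holder, set())
        parent = ZONES[zone]
        if parent is not None and parent not in held:
            # Badge used on an inner door with no recorded entry through the
            # outer layer: the holder tailgated in, or the badge was cloned.
            return self._deny(holder, zone, at, "anti-passback: no entry via " + parent)
        if zone in held:
            # Same badge presented again while already inside (passed back).
            return self._deny(holder, zone, at, "anti-passback: already inside")
        if zone in MFA_ZONES and not second_factor_ok:
            return self._deny(holder, zone, at, "second factor required")
        if not any(g.holder == holder and g.zone == zone and g.active(at) for g in self.grants):
            return self._deny(holder, zone, at, "no active grant")
        held.add(zone)
        self.log.append((at, holder, zone, "ENTER", ""))
        return True

    def exit(self, holder, zone, at) -> bool:
        held = self.inside.get(holder, set())
        if zone not in held:
            return self._deny(holder, zone, at, "exit without entry")
        # Leaving a layer also leaves every zone nested inside it.
        for z in list(held):
            if self._within(z, zone):
                held.discard(z)
        self.log.append((at, holder, zone, "EXIT", ""))
        return True

    @staticmethod
    def _within(zone, outer) -> bool:
        while zone is not None:
            if zone == outer:
                return True
            zone = ZONES[zone]
        return False


def technician_visit():
    """Constructed scenario: tech-42 has standing site access and a two-hour
    window on rack-A12 only. Returns the list of access decisions and the log."""
    t0 = datetime(2024, 3, 1, 9, 0)
    ctl = AccessController([
        Grant("tech-42", "perimeter", t0 - timedelta(days=365), None),
        Grant("tech-42", "data-hall", t0 - timedelta(days=365), None),
        Grant("tech-42", "rack-A12", t0, t0 + timedelta(hours=2)),
    ])

    def m(minutes):
        return t0 + timedelta(minutes=minutes)

    decisions = [
        ctl.enter("tech-42", "perimeter", m(5)),                         # allowed
        ctl.enter("tech-42", "rack-A12", m(6), second_factor_ok=True),   # denied: skipped data-hall
        ctl.enter("tech-42", "data-hall", m(7)),                         # denied: no second factor
        ctl.enter("tech-42", "data-hall", m(7), second_factor_ok=True),  # allowed
        ctl.enter("tech-42", "rack-B07", m(10), second_factor_ok=True),  # denied: no grant for this rack
        ctl.enter("tech-42", "rack-A12", m(10), second_factor_ok=True),  # allowed, inside window
        ctl.enter("tech-42", "perimeter", m(11)),                        # denied: badge already inside
        ctl.exit("tech-42", "rack-A12", m(150)),                         # allowed
        ctl.enter("tech-42", "rack-A12", m(151), second_factor_ok=True), # denied: window ended 11:00
    ]
    return decisions, ctl.log


if __name__ == "__main__":
    for entry in technician_visit()[1]:
        print(*entry)
```

Anti-tailgating itself needs a physical measure (turnstile, mantrap, door sensor); what the software can do is refuse the consequence, which is why the inner-door check above denies a badge that never registered at the outer layer and logs the event for review.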

General physical access control standards

Covering safe emergency exit through secured doors, and the grading of systems according to security risk.

EN 179, EN 1125 and prEN 13637

Emergency and panic exit standards:

Installations should comply with the appropriate standard: EN 179 for 'emergency exit devices', suitable where the occupants are familiar with the escape facilities, or EN 1125 for 'panic exit devices', required in public buildings, shops, entertainment venues, etc. The draft standard prEN 13637 extends these requirements to electrically controlled exit systems on escape routes, which is where electronic access control and emergency egress meet; at the time of writing it was expected to come into effect in 2017.

EN 60839 Part 11-2

Electronic access control system application guidance:

Covers the grading of security risk based on the value of the assets to be protected and the threat posed by adversaries, ranging from Grade 1 (low risk, e.g. hotels) to Grade 4 (high risk, e.g. military facilities).
