Physical Security

Entry control of individuals

The organization should implement policies and procedures to control the entry of individuals and controlled items to the data center premise and/or facility itself as well as zones/areas/rooms within the data center facility. These policies and procedures should include possible scenarios and countermeasures for emergency and/or pandemic related situations. A security matrix should be established with categorization of individuals to include, but not be limited to, the following categories:

  1. Organization employees.
  2. Permanent contractors (e.g. cleaners, security).
  3. Vendors, suppliers and contractors.
  4. Customers.
  5. Visitors.

The organization should create sub-categories to further refine access control based on security zones and restricted area (e.g. Mechanical rooms, UPS rooms).

Where visitors enter the restricted facility, they should be, at all times, accompanied and/or monitored based on code, industry regulation and company policy.

The policies should describe for each defined category within the security matrix the levels or areas it has access to. A formal system of access control of personnel to each security zone based on their security categorization should be established and enforced around the clock by either technical means and/or process.