
©R Systems International Ltd Internal ISPolicy039

R Systems International Ltd.


C-40, Sector 59
Noida 201 307
(U.P.), India
http://www.rsystems.com/

Physical and Environmental Security Policy

Document Id. | Version No. | Released on
ISPolicy039 | 3.0 | 18/07/17
ISguide | 1.0 | 22/05/06

Version No: 3.0 Page 1 of 8 Release Date: 18/07/17

Review History

S No | Review Date | Reviewed By | Remarks
1 | 09/06/06 | ISMS Forum | Doc Changed and DCR raised
2 | 01/06/09 | ISMS Forum | Doc Changed and DCR raised
3 | 07/04/11 | ISMS Forum | No Change
4 | 01/06/12 | ISMS Forum | No Change
5 | 09/08/12 | ISMS Forum | Doc Changed and DCR raised
6 | 01/01/14 | Manager QAG | Doc Changed and DCR raised
7 | 15/06/15 | Manager QAG | Doc Changed and DCR raised
8 | 15/06/15 | Sr. Manager QAG | Doc Changed and DCR raised
9 | 18/07/17 | AVP Admin | Doc Changed and DCR raised
10 | 18/07/17 | AVP Admin | No Change
11 | 30/07/19 | AVP Admin | No Change
12 | 29/07/20 | Head-Admin | No Change
13 | 19/07/21 | Head-Admin | No Change
14 | 19/07/22 | Head-Admin | No Change


DOCUMENT CONTROL SHEET

Document History

Ver. No. | Release Date | DCR Ref. | Description of Change | Authored/Revised By | Reviewed By | Approved By
1.0 | 09/06/06 | DCR/002 | Final release | QA Group | ISMS Forum | CISO
2.0 | 01/06/09 | DCR/ISMS/066 | ISMS Periodic Review | QAG | ISMS Forum | CISO
2.0 | 07/04/11 | NA | ISMS Periodic Review | QAG | ISMS Forum | CISO
2.0 | 01/06/12 | NA | ISMS Periodic Review | QAG | ISMS Forum | CISO
2.1 | 09/08/12 | DCR/ISMS/105 | Classification changed to Internal | QAG | ISMS Forum | CISO
2.2 | 01/01/14 | DCR/ISMS/112 | RSI Logo Updated | ISMS Team | Manager QAG | CISO
3.0 | 15/06/15 | DCR/ISMS/122 | Document revised and updated as per ISO 27001:2013 | ISMS Team | Manager QAG | CISO
3.0 | 15/06/15 | DCR/ISMS/132 | Annual Review - 22/06/16 | ISMS Team | Sr. Manager QAG | CISO
3.0 | 18/07/17 | DCR/ISMS/136 | Annual Review | ISMS Team | AVP Admin | CISO

Notes:
- Only controlled hardcopies of the document shall have signatures on them.
- This is an internal document. Unauthorized access or copying is prohibited.
- Uncontrolled when printed unless signed by approving authority.

© R Systems International Limited 2022


Table of Contents
1. Overview 5
2. Objective 5
3. Scope 5
4. Policy 5
4.1 Secure Areas 5
4.1.1 Physical Security Perimeter 5
4.1.2 Physical Entry Controls 5
4.1.3 Securing Offices, Rooms and Facilities 6
4.1.4 Protecting against External and Environmental Threats 6
4.1.5 Working in Secure Areas 6
4.1.6 Delivery and Loading Areas 6
4.2 Equipment Security 6
4.2.1 Equipment Siting and Protection 6
4.2.2 Supporting Utilities 7
4.2.3 Cabling Security 7
4.2.4 Equipment Maintenance 7
4.2.5 Removal of Assets 7
4.2.6 Security of Equipment and Assets Off-Premises 8
4.2.7 Secure Disposal or Reuse of Equipment 8
4.2.8 Unattended User Equipment 8
4.2.9 Clear Desk and Clear Screen Policy 8


Physical and Environmental Security Policy

1. Overview
This document outlines management's intent to prevent unauthorized physical access,
damage and interference to RSI's premises and information processing facilities.

2. Objective
- To prevent unauthorized physical access, damage and interference to the
organization's premises and information.
- To prevent loss, damage, theft or compromise of assets and interruption to the
organization's activities.

3. Scope
This policy applies to all employees, third-party personnel and contractors at RSI's
premises.

4. Policy

4.1 Secure Areas

4.1.1 Physical Security Perimeter

Security perimeters shall be used to protect areas that contain information and
information processing facilities. Physical premises shall be classified (zoning of
premises) based on the sensitivity of the information processing environment as
critical, dedicated, restricted and public areas, and a security perimeter shall be
defined to protect areas which house information processing facilities, telecom and
network equipment, control rooms and areas where support equipment such as UPS
units is housed.

4.1.2 Physical Entry Controls

A secure area is defined as a location where IT and/or networking equipment is
placed, or where departments processing sensitive information work, and where only
authorized personnel are allowed to enter and work. A secure area shall have a
preventive mechanism to ensure that unauthorized individuals do not enter and a
detective mechanism to ensure that all personnel movement into the area is logged.
Access to the secure area shall be granted only for specific, authorized purposes, and
persons granted access shall be issued with instructions on the security requirements
of the area.
All employees, contractors, third-party users and visitors shall wear visible
identification and shall be encouraged to challenge unescorted strangers and anyone
not wearing visible identification.


4.1.3 Securing Offices, Rooms and Facilities

Physical security for offices, rooms and facilities shall be designed and implemented.
The following shall be considered to secure offices, rooms and facilities:
- Account shall be taken of the relevant health and safety regulations and standards;
- Key facilities shall be sited to avoid access by the public;
- Where applicable, buildings shall be unobtrusive and give minimum indication of their
purpose, with no obvious signs, outside or inside the building, identifying the
presence of information processing activities; and
- Rooms available for information processing shall be lockable and shall have lockable
cabinets and fireproof safes wherever required.

4.1.4 Protecting against External and Environmental Threats

- Physical protection against damage from fire, flood, explosion, civil unrest and other
forms of natural or man-made disaster shall be designed and applied;
- Hazardous or combustible materials shall be stored at a safe distance from a secure
area;
- Proper working of fire prevention, detection and fighting equipment and lightning
conductors, and testing of electrical safety measures, shall be ensured; and
- Back-up media shall be sited at a safe distance to avoid damage from a disaster
affecting the main site.

4.1.5 Working in Secure Areas

Physical protection in secure areas shall be designed and applied. The following
controls shall be enforced:
- Information processing facilities such as network and server rooms shall be
adequately secured using an electronic access control system, and access shall be
restricted to authorized personnel only;
- Vacant secure areas shall be physically locked and periodically checked;
- Photographic, video, audio or other recording equipment, such as cameras in mobile
devices, shall not be allowed unless authorized; and
- Access by third-party personnel to information processing facilities shall be
monitored.

4.1.6 Delivery and Loading Areas

Access points for delivery and loading areas, and other points where unauthorized
persons may enter the premises, shall be controlled and isolated from information
processing facilities to avoid unauthorized access.

4.2 Equipment Security

4.2.1 Equipment Siting and Protection

All network and server equipment in RSI shall be sited and protected to reduce the risks
from environmental hazards and to minimize the opportunity for unauthorized access.


Environmental conditions shall be monitored to ensure that they do not have adverse
effects on the operation of information processing facilities. All storage media holding
non-public information shall be physically protected.
All equipment shall be maintained regularly as per the manufacturer's recommended
service intervals and specifications.

4.2.2 Supporting Utilities

Equipment shall be protected from power failures and other disruptions caused by
failures in supporting utilities. A suitable power supply, controlled through UPS, shall be
provided for all equipment as per the manufacturers' specifications.
All supporting utilities, such as electricity, water supply, sewage, heating/ventilation and
air conditioning, shall be adequate for the systems they support. Supporting utilities
shall be regularly inspected and, as appropriate, tested to ensure their proper
functioning and to reduce any risk from their malfunction or failure.

4.2.3 Cabling Security

Power and telecommunications cabling carrying data or supporting information services
shall be protected from interception or damage.
The following shall be considered for cabling security:
- Power and telecommunications lines into information processing facilities shall be
underground wherever possible; and
- Power cables shall be segregated from communications cables to prevent
interference.

4.2.4 Equipment Maintenance

Equipment shall be regularly maintained to ensure its continued availability and integrity.
The following shall be considered for equipment maintenance:
- Equipment maintenance shall be carried out as per the service-interval schedule
provided by the vendor;
- Maintenance of equipment shall be performed only by authorized personnel;
- Records shall be kept of all suspected or actual faults and of all preventive and
corrective maintenance; and
- All requirements imposed by insurance policies shall be complied with.

4.2.5 Removal of Assets

Movement of information processing equipment, information, storage media or software
to an off-site location, or for maintenance activities, shall be carried out only after
obtaining appropriate authorization.


4.2.6 Security of Equipment and Assets Off-Premises

Equipment or media shall be taken off-premises only after proper authorization and
shall not be left unattended. Adequate insurance cover shall be provided to protect
equipment while it is off-site.

4.2.7 Secure Disposal or Reuse of Equipment

The owners of information assets shall authorize disposal or re-use of the assets.
Adequate controls shall be followed during the disposal of equipment to prevent
compromise of the information it holds.
Items of equipment containing storage media shall be checked to ensure that sensitive
data and licensed software have been removed or securely overwritten prior to disposal.

4.2.8 Unattended User Equipment

Users shall ensure that unattended equipment has appropriate protection. All users shall
be made aware of the security requirements and procedures for protecting unattended
equipment, as well as their responsibilities for implementing such protection, which shall
include but not be limited to:
- Terminating active sessions when finished;
- Logging off mainframe computers, servers and office PCs when the session is finished;
- Securing PCs or terminals from unauthorized use by a key lock.

4.2.9 Clear Desk and Clear Screen Policy

Refer to Access Control Policy (ISPolicy030)
