Unit 5 – Security

LO4. Manage organisational security.


12. Security Compliance.

Physical and Environmental security policy.

▪ The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
▪ Physical and environmental safeguards are often overlooked but are very important in protecting information.

Physical and Environmental security policy.

▪ Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems.
▪ In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, and portable disk drives) must be physically protected.

Human Resource security policy.

▪ All employees must be screened prior to employment, including identity verification using a passport or similar photo ID and at least two satisfactory professional references. Additional checks are required for employees taking up trusted positions.
▪ All employees must formally accept a binding confidentiality or non-disclosure agreement concerning personal information provided to or generated by them in the course of employment.

Human Resource security policy.

All new employees must be screened. The screening must be conducted in accordance with relevant legislation and Human Resource Policies of the Government.
The screening must include verification of:
▪ Identity
▪ Education
▪ Skills and experience
▪ Employment history
▪ Character references.

Human Resource security policy.

▪ The Human Resources department must inform Administration, Finance and Operations when an employee is taken on, transferred, resigns, is suspended or released on long-term leave, or their employment is terminated.

Access control policy.

▪ Access control policies are high-level requirements that specify how access is managed and who may access information under what circumstances.
▪ User access to corporate IT systems, networks, applications and information must be controlled in accordance with access requirements specified by the relevant Information Asset Owners, normally according to the user's role.
▪ Generic or test IDs must not be created or enabled on production systems unless specifically authorized by the relevant Information Asset Owners.
Access control policy.

▪ Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.

Access control policy.

▪ There are two types of access control: physical and logical.
▪ Physical access control limits access to campuses, buildings, rooms and physical IT assets.
▪ Logical access control limits connections to computer networks, system files and data.

Physical Access Control policy

The main points about the importance of physical access control policy include:
▪ Protects equipment, people, money, data and other assets
▪ Physical access control procedures offer employees and management peace of mind
▪ Reduces business risk substantially
▪ Helps safeguard the logical security policy more effectively

What Access Policies Address

▪ Access control policies manage who can access information, where and when. Your company can better maintain data, information, and physical security from unauthorized access by defining a policy that limits access on an individualized basis.
▪ Providing different levels of access rights to all employees, as well as all consultants, temporary employees, and business partners can help limit risk exposure and make it easier to monitor and maintain a robust security posture.
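The logical access control rules on the preceding slides (access follows the role specified by the Information Asset Owner, generic or test IDs are refused on production unless specifically authorized, and consultants, temporary staff and partners get different, time-limited access levels) can be expressed as a small policy check with an audit line for each decision. The following Python is an added example written for these slides, not code from the slides or from any product; the role table, account records, resource names and dates are constructed sample data.

```python
"""Role-based logical access control check.

Added illustration for the access control policy slides; not code from the
slides themselves. The role table, accounts and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Role -> set of (resource, action) pairs, as the Information Asset Owners
# would specify them (constructed sample data).
ROLE_PERMISSIONS = {
    "finance_clerk": {("ledger", "read"), ("ledger", "write")},
    "auditor": {("ledger", "read"), ("hr_records", "read")},
    "hr_officer": {("hr_records", "read"), ("hr_records", "write")},
}


@dataclass(frozen=True)
class Account:
    user_id: str
    roles: FrozenSet[str]
    generic: bool = False            # shared/test/service ID, not a named person
    expires: Optional[date] = None   # set for consultants, temps and partners


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_access(account, resource, action, environment, today,
                 authorised_generic_ids=frozenset()):
    """Return a Decision for `account` performing `action` on `resource`.

    The order of checks mirrors the policy: a time-limited account must still
    be valid, a generic/test ID is refused on production unless the asset
    owner has authorised it, and otherwise access follows the account's roles.
    """
    if account.expires is not None and today > account.expires:
        return Decision(False, "account has expired")
    if (environment == "production" and account.generic
            and account.user_id not in authorised_generic_ids):
        return Decision(False, "generic/test ID not authorised on production")
    for role in sorted(account.roles):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return Decision(True, f"granted via role '{role}'")
    return Decision(False, "no assigned role permits this action")


def audit_line(account, resource, action, environment, decision):
    """One log line per decision so access can be monitored afterwards."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{verdict} user={account.user_id} env={environment} "
            f"{action}:{resource} reason={decision.reason}")


def run_demo(today=date(2024, 6, 1)):
    """Evaluate constructed sample requests; returns (audit lines, decisions)."""
    alice = Account("alice", frozenset({"finance_clerk"}))
    bob = Account("bob_contractor", frozenset({"auditor"}),
                  expires=date(2024, 5, 31))          # contract ended yesterday
    svc = Account("test_svc", frozenset({"auditor"}), generic=True)
    requests = [
        (alice, "ledger", "write", "production"),     # allowed by role
        (alice, "hr_records", "read", "production"),  # no role grants this
        (bob, "ledger", "read", "production"),        # expired account
        (svc, "ledger", "read", "production"),        # generic ID on production
        (svc, "ledger", "read", "test"),              # generic ID outside production
    ]
    lines, decisions = [], []
    for acct, res, act, env in requests:
        d = check_access(acct, res, act, env, today)
        decisions.append(d)
        lines.append(audit_line(acct, res, act, env, d))
    return lines, decisions


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The point of the structure is that the role table is the only place permissions live, so an asset owner reviewing "who can do what" reads one table rather than the code, and every decision, allowed or denied, produces a line that can be fed into whatever monitoring the organisation already runs.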

Lesson Summary

▪ Physical and Environmental security policy
▪ Human Resource security policy
▪ Access control policy