G. Physical Security

This domain covers the physical security controls you have implemented to protect your organisation's physical premises.

00) Does your organisation rely upon any physical premises, such as offices, warehouses or data centres?

Answer yes if your organisation uses any physical premises in order to provide your services, products or to run your operations. This could include, but is not limited to, office space, warehouses, or data centres. It includes data centres used to host cloud services provided by your organisation, even if you do not have direct control of those premises. It also includes office space used by your people, even if you are a cloud-first organisation.

Physical Security
Scoping

01) Does your organisation enforce a secure physical perimeter around all of its physical locations (e.g. offices, data centres...)?

Answer yes if your organisation has implemented a secure physical perimeter around all of its physical locations. Please provide a Physical Security Policy document (as a PDF file) as evidence or reference a section of a previously provided security policy in the notes.

Physical Security
Secure Perimeter

02) Does your organisation use CCTV to monitor entry and exit points of all premises?

Answer yes if your organisation uses CCTV cameras on all of its premises entry and exit points.

Physical Security
CCTV

03) For how many days does your organisation keep CCTV footage?

Please state the number of days that the CCTV footage is kept for. If different retention times are used depending on the CCTV system, please state the different retention times in the notes and enter the lowest retention time in the answer box.

Physical Security
CCTV

04) Does your organisation use an access control system on its premises entry and exit points that includes logging of access?

Answer yes if your organisation uses an access control system to control the movement of people in and out of its physical premises, and if this system keeps a digital log of access.

Physical Security
Building Access Control

05) For how many months does your organisation keep its physical access control audit logs?

Please state the number of months that the access logs are kept for. If different retention times are used depending on the access control system, please state the different retention times in the notes and enter the lowest retention time in the answer box.

Physical Security
Building Access Control Logs

06) Are all of your organisation's physical premises secured with an alarm?

Answer yes if all of your organisation's physical premises are secured with an alarm that, once triggered, is investigated either by a private security team or the police.

Physical Security
Alarm

07) Are all of your organisation's physical premises manned 24/7 by a security team or reception team?

Answer yes if all of your organisation's physical premises are staffed 24/7 by an onsite security team, reception team, or both. If security is present for some hours (not 24/7), please answer no and state in the notes section the times during which the premises are manned.

Physical Security
Security Team
Manned Security

08) Does your organisation use visitor log books (or the digital equivalent) to record visitors at all premises?

Answer yes if your organisation uses a physical or digital system to record the arrival of visitors, and the time at which they leave the premises.

Physical Security
Visitor Logging

09) Does your organisation require visitors to undergo an ID check on arrival at all premises?

Answer yes if your organisation requires all visitors to undergo an ID check on arrival to ensure that they are the person that they claim to be.

Physical Security
ID Check

10) Does your organisation protect sensitive equipment from power failures?

Answer yes if your organisation uses controls (such as Uninterruptible Power Supplies, UPS) to protect sensitive equipment from power failures.

Physical Security
Environmental Risk
Power Failure

11) Does your organisation ensure confidential paper waste is disposed of securely?

Answer yes if your organisation disposes of all confidential paper waste in a secure manner (typically either by shredding or incineration), or if a third party is used to dispose of the waste securely.

Physical Security
Confidential Waste
Secure Disposal