Physical security

PHY050

Secure your ICT equipment

Physical security measures for ICT equipment help to ensure your organisation stays operational.

ICT equipment is essential for processing, storing, and communicating your organisation’s information.


Which ICT equipment you need to protect

ICT equipment that requires protection includes any device that can store information electronically, such as:

  • computers — desktop, laptop, or tablet
  • photocopiers, multi-function devices (MFDs), and printers
  • fax machines
  • mobile phones
  • digital cameras
  • personal electronic devices
  • storage media — for example, portable hard drives, USB sticks, CDs, DVDs, radio frequency identification (RFID) tags and systems
  • network equipment — for example, routers, switches
  • voice systems — for example, PABX.

For information about protecting servers, other communications network devices, supporting network infrastructure, and gateway devices, go to Secure your ICT system equipment.


Where to locate ICT equipment

You should locate ICT equipment in a security zone that is suitable for protecting either the aggregate of information stored on the equipment, or the value of the equipment, whichever requires the greater protection. 


How much protection to give ICT equipment

Base the level of protection you give to ICT equipment on the highest Business Impact Level (BIL) that would result from:

  • the compromise, loss of integrity or unavailability of the aggregate of electronic information held on the equipment, or
  • the loss or unavailability of the ICT equipment itself.

Using tamper-evident seals

You can seal access to ICT equipment using New Zealand Security Intelligence Service (NZSIS) approved tamper-evident wafer seals suitable for application to hard surfaces.

Seals do not prevent access. They give a visual indication that the equipment may have been opened if a seal is found removed, broken or replaced, so record where seals are applied and check them during your asset control audits.

Refer to the Approved Products List (APL) when selecting wafer seals. The list is classified; contact the PSR team for more information.


Where to store ICT equipment when not in use

When your ICT equipment is stored in dedicated ICT facilities, meet the physical security controls detailed in the supporting documents below.

When your ICT equipment is not stored in dedicated ICT facilities, apply the physical security controls in Security zones.

Add further controls where your security risk assessment shows they are needed.

If your organisation can’t meet the requirements, seek advice from the Government Communications Security Bureau (GCSB) on additional logical or technological solutions that may be available to lower the risks to electronic information when your equipment is not in use.

When ICT equipment can’t be kept in security containers or rooms

You may not be able to secure some electronic equipment, such as desktop computers, printers, and MFDs, in security containers or rooms when it is not in use.

To find an appropriate solution, first assess the BIL of the equipment and the information it holds.

Remember that the logical access controls described in the New Zealand Information Security Manual (for example, passwords and access permissions) do not sanitise or reclassify ICT media. The media retains the protective marking of the information it has held, and that marking governs its reuse, reclassification, declassification, sanitisation, destruction and disposal.

If the following information doesn’t solve your problem, seek advice from the GCSB on additional logical or technological solutions that may be available to lower the risks to electronic information.

Non-volatile media, such as hard drives

In some circumstances, you may be able to fit removable non-volatile media (such as hard drives) that can then be secured in an appropriate security container when not in use.

If the non-volatile media can’t be removed, work out which zone the equipment can be kept in based on the risk of unauthorised people obtaining information and the sensitivity of the information held in the equipment.

Equipment with solid state drives or hybrid hard drives

Solid state drives and hybrid hard drives cannot be reliably cleared by the normal overwriting processes used for magnetic hard drives, so the information on them remains at risk when the equipment is switched off.

If you wish to use equipment fitted with solid state drives or hybrid hard drives, seek advice from the GCSB on other methods for securing these types of equipment (for example, encryption).

Information or equipment with BILs of very high, extreme, or catastrophic

If the BIL of the equipment and/or information it holds is very high or extreme, the equipment should be stored in a zone 3 or above area, unless you are able to apply additional logical controls to lower the risks to a level acceptable to your organisation.

If the BIL is catastrophic, the equipment should be stored in a zone 5 area, unless you are able to apply additional logical controls to lower the risks to a level acceptable to the originator.


How to deal with removing ICT equipment from your premises

Your organisation must have a policy on removing ICT equipment from your facilities that prohibits your people from doing so without permission. 

New Zealand Information Security Manual - Working Off-Site and Working Away from the Office has more information.

Keeping ICT equipment secure when it’s offsite

You must apply physical security measures to off-site equipment that address the risks to the equipment and the information it holds. Apply the logical controls detailed in the New Zealand Information Security Manual - Working Off-Site.


How to audit your ICT equipment

For asset control of ICT equipment, record the location and authorised custodian, and audit periodically.

The period between audits should be based on your risk assessment, with higher risk items audited more regularly.

If your risk assessment suggests it is warranted, visually inspect your ICT equipment as part of your asset control audit to ensure non-approved devices have not been installed.

You should have processes that your people can use to report the loss of ICT equipment.
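As an added example (not from this page, and not PSR or GCSB tooling), the following Python script applies the rules stated above to a small asset register: the governing BIL is the higher of the information aggregate and the equipment itself (How much protection to give ICT equipment), equipment with a very high or extreme BIL must sit in zone 3 or above and catastrophic in zone 5 unless additional logical controls have been accepted (Information or equipment with BILs of very high, extreme, or catastrophic), and higher-risk items are audited more often and reconciled against what is actually found (How to audit your ICT equipment). The BIL scale below the page's three named levels, the audit intervals, the register format and the sample assets are all assumptions constructed for illustration.

```python
"""Asset-control check for ICT equipment.

Added example; not PSR, NZSIS or GCSB tooling. Everything marked ASSUMED is
not taken from the PHY050 page.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# ASSUMED ordering of Business Impact Levels. The page names very high, extreme
# and catastrophic; the lower levels are placeholders for this example.
BIL_ORDER = ["low", "medium", "high", "very high", "extreme", "catastrophic"]

# ASSUMED risk-based audit schedule: higher-risk items are audited more often.
AUDIT_INTERVAL_DAYS = {
    "low": 365, "medium": 365, "high": 180,
    "very high": 90, "extreme": 30, "catastrophic": 30,
}


@dataclass
class Asset:
    asset_id: str
    description: str
    custodian: str          # authorised custodian recorded for asset control
    location_zone: int      # security zone the equipment currently sits in
    info_bil: str           # highest BIL of the aggregate of information held
    equipment_bil: str      # BIL of losing the equipment itself
    last_audit: date
    # True when the organisation (or originator, for catastrophic) has accepted
    # additional logical controls in place of the minimum zone.
    logical_controls_accepted: bool = False


def governing_bil(asset: Asset) -> str:
    """Protect to the higher BIL of the information aggregate and the equipment."""
    return max(asset.info_bil, asset.equipment_bil, key=BIL_ORDER.index)


def minimum_zone(bil: str):
    """Minimum zone the page states for the top three BILs; None means the
    zone is decided by the organisation's own risk assessment."""
    if bil == "catastrophic":
        return 5
    if bil in ("very high", "extreme"):
        return 3
    return None


def audit_due(asset: Asset, today: date) -> bool:
    interval = timedelta(days=AUDIT_INTERVAL_DAYS[governing_bil(asset)])
    return asset.last_audit + interval <= today


def check_register(register, discovered_ids, today):
    """Return (asset_id, finding) pairs for zone shortfalls, overdue audits,
    registered items not found, and found devices that are not registered."""
    findings = []
    for a in register:
        bil = governing_bil(a)
        need = minimum_zone(bil)
        if need is not None and a.location_zone < need and not a.logical_controls_accepted:
            findings.append((a.asset_id, f"zone {a.location_zone} is below minimum zone {need} for BIL {bil}"))
        if audit_due(a, today):
            findings.append((a.asset_id, "audit overdue"))
        if a.asset_id not in discovered_ids:
            findings.append((a.asset_id, "not found at recorded location: treat as possible loss"))
    known = {a.asset_id for a in register}
    for dev in sorted(discovered_ids - known):
        findings.append((dev, "device present but not in register: possible non-approved device"))
    return findings


# Constructed sample data (ASSUMED), not a real register.
SAMPLE_REGISTER = [
    Asset("PC-0001", "desktop", "A. Example", 2, "very high", "medium", date(2019, 3, 1)),
    Asset("MFD-0007", "multi-function device", "B. Example", 3, "high", "high", date(2019, 6, 1)),
    Asset("LT-0042", "laptop", "C. Example", 1, "catastrophic", "low", date(2019, 7, 20),
          logical_controls_accepted=True),
]
# What the walk-through inspection actually found on the constructed audit date.
SAMPLE_DISCOVERED = {"PC-0001", "MFD-0007", "USB-9999"}
SAMPLE_AUDIT_DATE = date(2019, 8, 5)


def run_sample():
    return check_register(SAMPLE_REGISTER, SAMPLE_DISCOVERED, SAMPLE_AUDIT_DATE)


if __name__ == "__main__":
    for asset_id, finding in run_sample():
        print(f"{asset_id}: {finding}")
```

The reconciliation step is what turns a periodic audit into a loss-detection control: an item in the register that is not found is reported as a possible loss rather than silently re-scheduled, and a device that is found but not registered is surfaced for the visual inspection the page recommends.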

Page last modified: 5/08/2019