Physical security


Secure your ICT system equipment

Protect your information lifelines.

Which ICT system equipment needs physical security

As well as the ICT equipment mentioned in Secure your ICT equipment, you need to have physical security in place for:

  • servers, including dedicated devices and laptops used as servers
  • other communication network devices — for example, PABX
  • supporting network infrastructure — for example, cabling and patch panels
  • gateway devices — for example, routers, and network access devices.

Where to locate servers and network devices

Servers and network devices must be located in security rooms, or in containers that are in security rooms and protected in line with their Business Impact Level (BIL).

It’s best to keep servers and communication network devices in dedicated ICT facilities. If any of your servers or network devices are not held in dedicated ICT facilities, apply the controls identified in Security zones.

Protecting network infrastructure

Your organisation can lose control of its information when that information is communicated over unsecured public network infrastructure or over infrastructure in unsecured areas.

Protect network infrastructure using a mixture of physical security measures and encryption.

If you apply GCSB-approved encryption, the physical security requirements can be lowered.

You must use Security zones suitable for the highest BIL of the information being communicated over the network infrastructure.

As it may not be possible to secure all network infrastructure in security containers or rooms, you should also meet any system encryption requirements in the NZISM.

Protecting ICT system equipment with containers

Work out the level of container required for patch panels, fibre distribution panels, and structured wiring enclosures based on:

  • the business impact of the information passing over the connections
  • any other controls in place to protect the information.

Panels should, at a minimum, be in locked containers and/or rooms to prevent tampering.

Applying encryption standards

When the BIL of the information transmitted over public network infrastructure is high or above, your organisation must use the encryption standards identified in the NZISM.

The encryption will give enough protection to allow the information to be transmitted on an unclassified network. Encryption is normally applied at your gateway.

In unsecured areas, you must apply the encryption standards identified in the NZISM to protect information on your network infrastructure.

Keeping cabling secure

To keep cabling secure, apply the cabling security controls in the NZISM - Infrastructure.

Maintaining equipment

To ensure the availability and integrity of your information, maintain equipment in line with the manufacturer’s directions.

Protecting deployable ICT systems

It can be difficult to apply suitable physical security measures when you use deployable ICT systems, particularly if they’re deployed into high-risk environments.

You should seek advice from the GCSB or Department of Internal Affairs (DIA) on suitable logical controls to help mitigate any risks you identify.

DIA should be consulted for items classified as restricted or below. GCSB should be consulted for items classified as confidential and above.

Protecting ICT system gateway devices

In addition to the logical controls required in the NZISM, you must use physical security measures for your ICT system gateway devices to mitigate the higher business impact from:

  • the loss of the devices
  • the compromise of the aggregated information arising from physical access to the devices.

If you’re using shared gateways, you must apply controls to the gateway appropriate to the highest level of information passing through the gateway.

You must prevent unauthorised access to gateway devices. It’s best to locate these devices in dedicated ICT facilities.

Protecting equipment from power disruptions

Protect ICT equipment from power failures and other disruptions. Aim to achieve an uninterrupted power supply to ICT systems, particularly servers, so your organisation can continue operating. If that’s not achievable, aim for enough power to at least close down systems.

Page last modified: 5/08/2019