
INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY

1. PURPOSE
In this policy, the term physical and environmental security refers to
controls taken to protect information systems, buildings, and related supporting
infrastructure against threats associated with their physical environment.
The purpose of this policy is to:
increase awareness among WA Health ICT staff of their responsibilities in relation to ICT physical and environmental security;
ensure that good security principles are reinforced within WA Health ICT;
manage the way in which WA Health complies with Australian Standards.

2. SCOPE
The scope of this policy follows the Australian Standard AS/NZS ISO/IEC
17799:2006 Information technology - Security techniques - Code of Practice for
Information Security Management, which has 2 major categories under Physical and
Environmental Security:
1. Secure Areas
Objective: To prevent unauthorized physical access, damage, and interference to
the organisation's premises and information. The physical facility is usually the
building, other structure, or environment housing the system and network
components.
2. Equipment Security
Objective: To prevent loss, damage, theft or compromise of assets and interruption
to the organisation's activities. Supporting facilities are those services (both
technical and human) that support the operation of the system. The system's
operation usually depends on supporting facilities such as electric power, heating
and air conditioning, and telecommunications. The failure or unsatisfactory
performance of these facilities may interrupt operation of the system and may cause
physical damage to system hardware or stored data.
The facility's geographic location relates to natural threats. These include
earthquakes and flooding; man-made threats such as burglary, civil disorders, or
interception of transmissions and emanations; and damaging nearby activities,
including toxic chemical spills, explosions, fires, and electromagnetic interference
from emitters, such as radars. These location decisions are generally beyond the
control of ICT personnel and are only mentioned for completeness.


This policy applies to all personnel of WA Health (employees, contractors, students,
volunteers and agency personnel) incorporating the following entities:
Department of Health;
Metropolitan Health Services;
WA Country Health Service.
This policy also applies to external organisations and their personnel who have been
granted access to WA Health Information and Communications Technology (ICT)
infrastructure and services.
This policy must be read in conjunction with the Acceptable Use Policy Computing
and Communication Facilities, which governs the use of ICT by WA Health
personnel. This and other policies and standards are available at the HIN Intranet
Site.

3. POLICY
3.1 Appropriate physical and environmental security controls will be
implemented at all WA Health Information Communication Technology (ICT)
facilities to protect people, property and other information system resources.
3.2 WA Health will adopt a risk management approach when identifying
physical and environmental controls for ICT systems facilities.

4. POLICY DETAILS

Five major areas of physical and environmental security controls are:
1. Physical access controls,
2. Fire safety,
3. Supporting utilities,
4. Interception of data, and
5. Mobile and portable systems.

4.1 Physical Access Controls


Physical access controls restrict the entry and exit of personnel, equipment and media
from an area, such as an office building, suite, data centre, or room containing a LAN
server.
The objectives of physical access controls may be in conflict with those of life safety. Life
safety focuses on providing easy exit from a facility, particularly in an emergency, while
physical security strives to control entry. In general, life safety must be given first
consideration, but it is usually possible to achieve an effective balance between the two
goals.
Physical access controls include badges, memory cards, guards, keys, true-floor-to-true-ceiling wall construction, fences, and locks.
Printed Copies are Not Controlled


4.2 Fire Safety Factors


Building fires are an important security threat because of the potential for complete
destruction of both hardware and data, the risk to human life, and the pervasiveness
of the damage.
4.3 Failure of Supporting Utilities
Information systems and the people who operate them need to have a reasonably
well-controlled operating environment. Consequently, failures of heating and
air-conditioning systems will usually cause a service interruption and may damage
hardware and possibly even cause a loss of information. These utilities are composed
of many elements, each of which must function properly.
4.4 Interception of Data
Depending on the type of data a system processes, there may be a significant risk if
the data is intercepted. There are three routes of data interception: direct
observation, interception of data transmission, and electromagnetic interception.
Direct Observation. System terminal and workstation display screens may be
observed by unauthorized persons.
Interception of Data Transmissions. If an interceptor can gain access to data
transmission lines, it may be feasible to tap into the lines and read the data
being transmitted. Interceptors could also transmit spurious data on tapped
lines, either for purposes of disruption or for fraud.
Electromagnetic Interception. Systems routinely radiate electromagnetic
energy that can be detected with special-purpose radio receivers. The trend
toward wireless (i.e., deliberate radiation) LAN/WAN connections may
increase the likelihood of successful interception.
4.5 Mobile and Portable Systems
The analysis and management of risk usually has to be modified if a system is
portable, such as a laptop computer. Encryption of data files on mobile and portable
equipment may be a cost-effective precaution against disclosure of confidential
information if a laptop computer is lost or stolen.
Portable and mobile devices share an increased risk of theft and physical damage as
well as the risk of being "misplaced" or left unattended. Secure storage of laptop
computers is often required when they are not in use.

5. IMPLEMENTATION
As with other security measures, physical and environmental security controls need
to undergo a cost/benefit analysis. Indicative general approaches to justify the
selection of controls are:
1. They are required by law or regulation. There is no option but to
implement all statutory security measures.
2. The cost is insignificant, but the benefit is material. Once a significant
benefit/minimal cost security measure has been identified, no further
analysis is required to justify its implementation.
3. The security measure addresses a potentially "fatal" security exposure
but has a reasonable cost. Backing up system software and data is an
example of this justification.
4. If the cost of a potential security measure is significant, and it cannot be
justified by any of the first three reasons listed above, then its cost (both
implementation and ongoing operation) and its benefit (reduction in future
expected losses) need to be analysed to determine if it is cost-beneficial. In
this context, cost-beneficial means that the reduction in expected loss is
significantly greater than the cost of implementing the security measure.
Justification requires a detailed risk and cost benefit analysis. Simple rules
of thumb do not apply.

6. BACKGROUND
All WA Health ICT facilities supporting critical or sensitive business activities should
be housed in secure areas. These facilities should be physically protected from
unauthorised access, damage and interference. They should be located in secure
areas, protected by a defined security perimeter, with appropriate entry controls and,
where appropriate, security barriers.
As information accessibility is essential to business, WA Health is committed to
providing effective ICT facilities physical environment conditions and security to
safeguard equipment and information from unauthorised intrusion and damage and
to provide optimum equipment operating performance.
The planning and implementation of ICT equipment environments, security
safeguards and controls, procedural, access control, architectural, electrical and
structural requirements is essential.

7. RELEVANT LEGISLATION AND GOVERNMENT POLICIES


(WA Acts are available at the State Law Publisher website; Commonwealth Acts are
available at the Australian Government ComLaw website)

8. ASSOCIATED DEPARTMENT OF HEALTH POLICIES, STANDARDS AND GUIDELINES
WA Health ICT policies are available on the HIN Intranet Site.
Information Security Policy.
ICT Risk Management Policy.


9. INTERNATIONAL STANDARDS / SPECIFICATIONS

AS 2834-1995: Computer Accommodation - Sets out recommended requirements for the
accommodation of computer systems in buildings for which special provisions are
necessary or desirable. It excludes provisions for personal or home computers and
those installed in an uncontrolled environment.

AS/NZS ISO 31000: Risk Management - Principles and Guidelines.

AS/NZS ISO/IEC 27001: Information Technology - Security Techniques - Information
Security Management Systems - Requirements.

AS/NZS ISO/IEC 27002: Information Technology - Code of Practice for Information
Security Management.

AS/NZ ISO/IEC 27799: Information Security Management in Health Using ISO/IEC 27002.

HB 167: Security Risk Management.

HB 327: Communicating and Consulting about Risk.

ISO/IEC 27005: Information Technology - Security Techniques - Information Security
Risk Management.

10. REFERENCES

11. DEFINITIONS
Term: Definition

Access: Obtaining knowledge or possession of information (including verbal,
electronic and hard-copy information) or other resources, or obtaining admittance
to an area.

Australian Government Information Security Manual (ISM): The Defence Signals
Directorate's document suite that details controls and principles for information
security on ICT systems, as well as relevant rationale. The ISM (previously known
as ACSI 33) comprises an Executive Companion, Principles document and Controls
Manual.

Business continuity planning (BCP): The development, implementation and maintenance
of policies, frameworks and programs to assist agencies manage a business
disruption, as well as build agency resilience. It is the capability that assists in
preventing, preparing for, responding to, managing and recovering from the impacts
of a disruptive event.

ICT Asset: All applications and technologies that are owned, procured and/or managed
by WA Health. These include desktop and productivity tools, application
environments, hardware devices and systems software, network and computer
accommodation, and management and control tools.

Information: Any collection of data that is processed, analysed, interpreted,
organised, classified or communicated in order to serve a useful purpose, present
facts or represent knowledge in any medium or form. This includes presentation in
electronic (digital), print, audio, video, image, graphical, cartographic, physical
sample, textual or numerical form.

Information Asset: An identifiable collection of data stored on ICT Assets and
recognised as having value for the purpose of enabling WA Health to perform its
business functions, thereby satisfying a recognised requirement.

Information Systems: The organised collections of hardware, software, equipment,
policies, procedures and people that store, process, control and provide access to
information.

Secure Area: Provides the highest integrity of access to, and audit of, information
assets to ensure restricted distribution and to assist in subsequent investigation if
there is unauthorised disclosure or loss of information assets. The essential
physical security features of a Secure Area include:
appropriately secured points of entry and other openings
tamper-evident barriers, highly resistant to covert entry
an effective means of providing access control during both operational and non-operational hours
all persons to wear passes
all visitors escorted at all times
during non-operational hours a monitored security alarm system, providing coverage for all areas where Security Classified information assets are stored
an approved means of limiting entry to authorised persons.


12. VERSION CONTROL

Current Version: 3.0
Effective Date: 02 Feb 2014
Operational Directive No: OD: 0506/14
SHEF ICT Approved Date: 16 December 2013
Next Review Date: January 2016

Responsible Group: Health Information Network (HIN) - Strategy
Enquiries Contact: Manager, HIN Information Policy

Version Notes
2006 Original Development
2007 General maintenance.
2013 General Maintenance and reformatting.
