Physical security policy

Published: 24 August 2016
Freedom of information class: How we manage our resources

Details of physical security policy

Physical Security Policy statement

RoS will endeavour to ensure, as far as is reasonably practical, the personal safety and security of all staff, visitors and contributors at all RoS premises.

Responsibility for security and personal safety rests with all persons who work or who visit RoS premises. All staff, visitors and contractors should assist RoS staff with physical security responsibilities in ensuring the success of the policy.

Providing physical security will require a balancing of what resources are needed and what resources the institution can afford.  RoS will use a security threat and risk analysis process to measure RoS’s vulnerabilities. Vulnerabilities will be prioritised and matched to resources and security improvement plans.

Purpose

The purpose of the Physical Security Policy is to provide a safe and secure environment for all RoS staff and visitors by minimising the impact of security incidents and, where possible, preventing their occurrence.

Scope

All physical assets owned, managed or employed by RoS will be protected as far as this is reasonably practicable. Our primary guidance for physical security will be taken from the Cabinet Office Security Policy Framework.

Objective

The objective of physical security is to facilitate business operations and maintain customer services, RoS’s reputation and revenue while protecting RoS's assets from all relevant threats. At all times the cost effectiveness and fitness for purpose of counter-measures will be considered.

Policy:

It is the policy of RoS to ensure that:

  • Regulatory and legislative requirements will be met.
  • Security training, advice and guidance will be available to all staff.
  • All suspected breaches of security will be reported to and investigated by the Physical Security Officer.
  • Procedures are developed to support the policy.
  • The Physical Security Officer has responsibility for defining and maintaining the policy and associated procedures and for providing advice and guidance on their implementation.
  • The Departmental Security Officer [Corporate Services Director] is accountable for security within RoS.
  • All managers are responsible for implementing the policy within their areas of responsibility.
  • It is the responsibility of every employee whether permanent, temporary or contract to adhere to the policy.
  • Advice and guidelines from Cabinet Office Security Division are adhered to.

Security Levels

Threat levels are designed to give a broad indication of the likelihood of a terrorist attack. They are based on the assessment of a range of factors including current intelligence, recent events and what is known about terrorist intentions and capabilities.

It should be noted that response will be in line with the national threat levels detailed below.

There are 3 levels of response:

Response levelDescription Related threat assetDescription
Normal Routine protective security measures appropriate to the business Low and moderate An attack is unlikely.
Moderate – An attack is possible but not likely.
Heightened Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgements on acceptable risk Substantial and severe Substantial and Severe Substantial – An attack is a strong possibility. Severe - An attack is highly likely
Exceptional Maximum protective security measures to meet specific threats and to minimise vulnerability and risk Critical An attack is expected imminently

Security passes

All RoS staff are issued with a security pass which permits entry to both sites.

Passes operate access controlled doors (MBH), the time and attendance system, speed gates (MBH) and “follow you” printing.

RoS staff must ensure that their security pass is visible at all times and is shown to security guards on entry to the premises. Security guards have been instructed to ask to view your pass on entry, so staff should be respectful of this request at all times.

Use of security pass

The security pass must only be used for the purpose detailed above and is for RoS use only.
Please note that no duplicate pass will be issued to any individual to use for any other purpose and staff should have no more than one pass at any time.

Staff must display their pass at all times when on site and should show this to the on-site security team upon entering the building and upon request.
Remove lanyards and security passes as you leave the building; these can easily identify your place of work and may give your name.

Security pass care

Your pass is an official document and as such it should be treated with care. You should not deface your pass in any way and protection must be given to the photograph and magnetic chip as these are susceptible to damage by scoring.

Security pass resetting

As of 29 February 2016 the MBH security guard (ground floor reception) will be responsible for resetting the RoS staff security pass.

RoS staff, contractors, will present their pass to the security guard at the floor 0 reception and if convenient, i.e. more than one guard present the pass should be reset immediately and handed back to the individual.

If, however, it is not convenient the security guard should take the security pass from the individual and take a note of the individuals contact details and reset the pass at a convenient time, within 1 hour, and then contact the individual to pick up the pass from the reception desk again.

Lost/stolen security pass

If your pass is lost or stolen you must report this fact immediately to your Team Leader and / or HR. If your pass has been forgotten you must report to the security desk upon arrival and be signed in by the guard. You will be issued with a temporary pass and a colleague must be contacted and report to the reception desk to verify your identity with a signature and your permission to access the building.

Upon receipt of an electronic application or printed copy of an application for a replacement pass in HR; a new pass will be printed and can either be picked up in person or if you work in SVP will be sent to you.

Physical security and entry controls

RoS have 24/7 on site security guarding in both its buildings and access to RoS premises is restricted by using an access control system which is operated by the issue of swipe cards. Access to the computer halls in both buildings is again restricted by the issue of authorised swipe cards.

Visitors to either building must report to the security team, will be issued with visitors passes and will be escorted by RoS staff at all times when moving around the building.

Standard access times

MBH and SVP have 24/7 on-site security guarding with general access is permitted at the following times –

MBH

Monday to Friday - 06.30 to 21.15
Saturday and Sunday - 07.45 to 16.00 (when overtime is available)

MBH Speed gates will not operate before 06.00 or after 21.15 on weekdays – no exit will be possible from the London Road door after this time as the security guard locks this door and commences their security check of the building at this time.

Please note that no entry / exit is available through the London Road door at weekends.

SVP

Monday to Friday - 07.30am to 6.30pm

Outwith standard access times

If staff wish to access either MBH or SVP outwith these times they must ring the doorbell and wait for the security guard to answer the door. The security guard may not permit entry to the premises unless there is a valid business reason for staff wishing to enter. If entry is permitted staff must sign in on the entry sheet and provide the reason for their visit.

This information will be passed on to the RoS Physical Security Officer who will monitor any instances of staff gaining access outwith standard access times.

CCTV

CCTV is in operation at both RoS locations.

The CCTV procedures in the policy will:

  • Ensure that those capturing images of individuals comply with the DPA;
  • Mean that the images that are captured are usable; and
  • Reassure those whose images are being captured.

Health & Safety

Protecting individuals against any event that may threaten life, limb or well-being.

Car Parking

Staff should note that parking on RoS premises is done entirely at their own risk and RoS will not be responsible for any damage to vehicles.

Staff may use the car park on the understanding that:

  • The driver holds a current full driving licence, is not banned from driving and has, as a minimum, third party insurance; and
  • The vehicle is taxed in accordance with DVLA regulations and may be legally driven on a public highway.
  • Parking discs must be displayed at all times and should relate to the vehicle being driven.
  • It is the responsibility of drivers to inform the Estates Helpdesk estatesservicedesk@ros.gov.uk of changes to vehicle details.

Asset Protection

Protecting RoS’s assets against loss, damage or unavailability.

IT equipment is placed or protected in a manner that reduces the risk of environmental hazards and opportunities for unauthorised access.

The following checklist is used to identify potential hazards; fire; smoke; water, dust; vibration; chemical effects; electrical supply interference and electromagnetic radiation.

Drinking, eating and smoking is prohibited in computer server and communications rooms.

Equipment siting

Both RoS sites have Computer Halls which house IT servers and access to these areas is restricted by the issue of swipe cards / fobs.

MBH has on occasion the Great Seal of Scotland on site and this is stored in a locked safe in an alarmed locked room within a larger locked room. Access to this area is restricted and must be permitted by the security team who hold the room keys. Security arrangements are in place for transporting the Great Seal between Government departments. All assets will be protected against loss or damage. Availability of resources to carry out business and support will be assured.

Power supplies

MBH and SVP do not have any power bridge installed which will power up if there is any break in power supply.

Cabling and communications equipment

Cabling and communication links to the building is protected by conduit protection and communication links are housed within a secure area within the building with restricted access. Power and telecommunications lines into IT facilities are underground or subject to adequate alternative protection.

Internal power and telecommunication cabling carrying data or supporting IT services is protected from interception or damage. Communication wiring closets are located in secure areas. The route of cables within RoS premises is laid in such a way that they are not easily accessible to office occupants.

Equipment maintenance

Electrical equipment is PAT tested prior to issue and fixed wire testing is carried out on a regular basis.

Equipment is maintained in accordance with the supplier’s recommended service intervals and specifications to ensure their continued availability and integrity. Only authorised maintenance personnel conduct repairs and servicing of equipment. A record of all faults or suspected faults must be maintained.

Off-site equipment

The use of IT equipment, regardless of ownership, used outside RoS premises to support RoS business activities must be subject to management authorisation and must be given the same degree of security protection as that of onsite IT equipment (such as current anti-virus protection).

Portable computers must be provided with an appropriate form of access protection (e.g. passwords or encryption) to prevent unauthorised access to their contents. The form of access control should be based on the classification of the data stored on the equipment.

When travelling, portable computers must be carried as hand luggage, if permitted. Staff must not leave their equipment unattended in public places.

Security risks (e.g., damage, theft, eavesdropping) may vary considerably depending on the situation and should be taken into account in determining the most appropriate security measures. The RoS IT Security Officer should be contacted for assistance in determining the risk.

Secure Disposal or Re-Use of Equipment

All items of equipment containing storage media (e.g., fixed hard disks) must be checked to ensure that any sensitive data and licensed software are removed or overwritten prior to disposal. Damaged storage devices containing very sensitive data may require a risk assessment to determine if the items should be destroyed, repaired, or discarded.

General equipment security

RoS staff are responsible for using RoS equipment e.g. fax machines, computers, laptops in a responsible manner and for business use only.

Hazard Minimisation

Ensuring that there is as little as possible impact if the unforeseen does happen.

The departmental security group supports the physical security policy.