
Physical and Environmental Security Audit Checklist

Name of Building: Aaykar Bhawan, Vaishali, Ghaziabad, U.P. O/o CIT(e-verification and BISO)
Date: 09.07.2024 to 12.07.2024
Audit by: O/o Pr. CIT Audit-01, Drum Shape Building

Secure areas

Audit Objective: To check that physical controls are used properly and effectively to protect the Department’s assets

Physical and Environmental Security

Reference # / Control Name / Detailed Control / Audit Checklist / Observations

Control Name: Physical security perimeter
Detailed Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities

Audit Checklist 1: Is there a designated security perimeter for sensitive or critical information and information processing facilities?
Observations: On perusal of the security perimeters of the building, the following observations have been found:

1. At the entrance of the main building premises, there is a reception on the ground floor that provides gate passes and access cards to all visitors. The access card is necessary to enter the building. A display is also installed on the Ground Floor showing visitors instructions on how to obtain a gate pass and access card from reception to enter the building.

2. The sensitive or critical information and information processing facilities in this building are on floor Nos. 2, 3, 4, 5 and 6, which have their own security perimeter.

3. Floor Nos. 2, 3 and 4 are occupied by the Infosys company team, who are working on the CPC TDS project. There is a reception counter on each of floors 2, 3 & 4, and all visitors must enter their name in the visitor register maintained at the reception. Thereafter, an access card is provided to the visitor to enter the working area on each floor. On floor Nos. 2, 3 & 4, guidelines/rules are affixed in a template at the reception counter asking visitors to co-operate with the security check-up and the security requirements for entering the working areas of the office.

4. Similarly, floor Nos. 5 & 6 are occupied by LTIMindtree employees, who are working on project Insight. On these floors also, separate security perimeters are maintained by the office for entry to the working area. All visitors have to enter their name in the visitor register and obtain an access card to enter the working area.

5. Aayakar Bhawan, Vaishali has 11 (B+G+11) floors. Except for the floors mentioned at point No. 2, the other floors, i.e. 1, 7, 8, 9, 10 & 11, have no sensitive or critical information or information processing facilities. To access these floors, visitors have to obtain the gate pass and access card from the Ground Floor reception, and no further access card is required to visit these floors.

Control Name: Physical entry controls
Detailed Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access

Audit Checklist 1: Do secure areas have suitable entry control systems to ensure only authorised personnel have access?
Observations: Yes, all the secure areas are protected by separate layers of security perimeters. The sensitive or critical information areas have separate security perimeters. Employees are allowed to access the secure areas as per their work profile, that is, they are allowed access to the areas required to perform their duties. Further, all the floors of this building are under CCTV surveillance.

Audit Checklist 2: Are sensitive or critical information areas segregated and appropriately controlled through additional layers of access controls?
Observations: Yes, all the sensitive or critical information areas are segregated and appropriately controlled through additional layers of access controls as stated above. It is also stated that the work on data/information done by LTIMindtree employees on floor nos. 5 & 6 and by CPC TDS (Infosys) employees on floor nos. 2, 3 & 4 is carried out on company servers (residing outside the building), and work done by their employees is not stored on their computers/laptops. Further, all the sensitive areas are under CCTV surveillance.

Control Name: Securing offices, rooms and facilities
Detailed Control: Physical security for offices, rooms and facilities shall be designed and applied

Audit Checklist 1: Have offices, rooms and facilities been designed and configured keeping security of personnel and material in mind as per the sensitivity of information handled within?
Observations: Yes, the areas where sensitive or critical information and information processing facilities are maintained are designed and configured keeping security of personnel and material in mind, as per the sensitivity of the information maintained.

Audit Checklist 2: Do processes for maintaining the security (e.g. locking up, clear desks etc.) exist?
Observations: Yes, as per the information provided, every year a quiz on security is organized by the Infosys team, covering locking up and the clear desk policy, whereas on the other floors the do’s and don’ts policy governs. Templates of do’s and don’ts are affixed on every floor of the building in the working areas of officers/officials and contractual staff. The Infosys offices on floor nos. 2, 3 & 4 have also obtained ISO certification of security standards and norms.

Control Name: Protecting against external and environmental threats
Detailed Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied

Audit Checklist 1: Have physical protection measures to prevent injuries to personnel and minimise or prevent damage to critical assets during natural disasters, malicious attack or accidents been factored in?
Observations: On perusal of the records available in this office, it has been observed that the critical assets are checked at regular intervals, i.e. on a quarterly, half-yearly and yearly basis. A fire drill has been conducted by this office on a half-yearly basis to raise awareness and provide training on safe evacuation in case of fire. Further, templates on safe evacuation in case of fire are affixed on each floor. On floor No. 6, a template on safe evacuation in case of earthquake is also affixed in the working area. Two lightning rods/conductors are installed on the roof of the building to avoid damage in case of lightning. The earthquake evacuation templates need to be displayed on all floors of the building.

Audit Checklist 2: Are emergency drills known to employees and rehearsed on a regular basis?
Observations: Fire drills are organised by this office at regular intervals to provide training to employees on safe evacuation in case of fire. No earthquake drill has been conducted in this office to date.

Audit Checklist 3: Are the premises adequately protected against lightning strikes and earthquakes?
Observations: As stated above, two rods/conductors are installed on the roof of the building to safeguard it in case of lightning.

A structural audit of this building has been conducted to ascertain the building’s sustainability in case of earthquake. In respect of seismic/earthquake reliability, a recommendation has been given by HOD, Dept of Civil Engineering NSUT, Govt of NCT of Delhi vide letter no. F8(165)/NSUT(WC)/Civil/2022/1510 dated 21.03.2024, stating that the tower (B+G+11) is found short of strength/stiffness to satisfy the latest seismic design. To make the tower satisfy IS 1893:2016 provisions, retrofitting is required to be done as per structural drawings.

Control Name: Working in secure areas
Detailed Control: Procedures for working in secure areas shall be designed and applied

Audit Checklist 1: Do secure areas exist? If yes, then do these have inherent safety checks and have mechanisms of alarms, regulated exit in case of emergencies?
Observations: Yes, one assembly point has been designated in the building in case of any emergency. Security checks are in place, with alarm mechanisms in case of fire, and fire exit points are marked on each floor. Smoke sensors and fire sensors have been installed on all the floors. There are two exit points in case of fire.

Audit Checklist 2: Are the secure work area processes enforced and monitored?
Observations: Yes

Audit Checklist 3: Are all employees aware of safe evacuation process?
Observations: Yes, the employees have been given training on safe evacuation in case of fire. Though efforts have been made to raise awareness of the safe evacuation process, there is still a need to display templates for safe evacuation on each floor of the building.

Control Name: Delivery and loading areas
Detailed Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access

Audit Checklist 1: Are there separate delivery/loading areas where information processing facilities are present?
Observations: No, as no heavy vehicle comes inside the office area for loading and unloading. Only stationery and electronic devices are loaded and unloaded at this office, and no separate areas are designated for loading and unloading.

Audit Checklist 2: Is access to these areas controlled?
Observations: CCTV surveillance installed.

Audit Checklist 3: Is access from loading areas isolated from information processing facilities?
Observations: Yes


Equipment

Audit Objective: To check the safety measures against loss, damage, theft or compromise of assets and interruption to the department’s operations.

Reference # / Control Name / Detailed Control / Audit Checklist / Observations

Control Name: Equipment siting and protection
Detailed Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access

Audit Checklist 1: Are environmental hazards identified and considered when locations of electronic equipments are selected?
Observations: Yes

Audit Checklist 2: Are the risks from unauthorised access / passers-by considered when siting electronic equipment?
Observations: Yes

Control Name: Supporting utilities
Detailed Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities

Audit Checklist 1: Is there a UPS system or backup generator?
Observations: Yes

Audit Checklist 2: Have these been tested within an appropriate timescale?
Observations: Yes, as per information provided by BISO office.

Audit Checklist 3: Is the HVAC (Heating, ventilation, and air conditioning) system fully functional?
Observations: Yes


Control Name: Cabling Security
Detailed Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage

Audit Checklist 1: Are power and communication cables physically isolated?
Observations: Power and communication cables seem to be isolated, but on physical verification of each floor of the building it is observed that the electricity wires are lying above the false ceiling. Further, at some points on floor nos. 1, 7, 8, 9 and 10, wires are hanging below the false ceiling, particularly at the reception floor, and the false ceiling at the reception floor is damaged at various points with wires hanging. Therefore, the possibility of the wires being damaged by rodents, with a subsequent short circuit and outbreak of fire, can’t be ruled out.

Audit Checklist 2: Are they located to protect from interference, interception or damage?
Observations: Yes

Audit Checklist 3: Are all the data cables and closets fully secure and under technical surveillance?
Observations: Data cables and closets seem to be secured and are under technical surveillance.

Audit Checklist 4: Are the cables protected against induction due to lightning and surges?
Observations: Yes

Audit Checklist 5: Have adequate measures been taken to protect the cables against damage by rodents?
Observations: At floor nos. 2, 3, 4, 5 & 6, some measures have been taken to safeguard the cables against damage by rodents.

Control Name: Equipment maintenance
Detailed Control: Equipment shall be correctly maintained to ensure its continued availability and integrity

Audit Checklist 1: Is there a rigorous equipment maintenance schedule?
Observations: Yes, critical assets have a policy of regular maintenance at regular intervals.


Control Name: Removal of assets
Detailed Control: Equipment, information or software shall not be taken off-site without prior authorization

Audit Checklist 1: Is the process for controlling how assets are removed from site clearly communicated to all the employees?
Observations: Yes, the process is being followed.

Audit Checklist 2: Are the registers duly updated prior to removing the assets from site?
Observations: Asset disposal registers have been maintained on floor nos. 2, 3, 4, 5, 6, whereas on the other floors authority letters have been maintained for removing hardware assets from site but an asset register is not maintained.

Control Name: Security of equipment and assets off-premises
Detailed Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises

Audit Checklist 1: Are adequate measures taken as per the risk profile to secure the off-site assets?
Observations: Yes

Control Name: Secure disposal or re-use of equipment
Detailed Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use

Audit Checklist 1: Is the policy covering how information assets may be reused clearly communicated to all the employees?
Observations: On floor nos. 2, 3, 4, 5 & 6, the offices maintained for LTIMindtree and CPC TDS have their own policy for reuse of assets, whereas on the other floors the do’s and don’ts policy governs the reuse of assets.

Audit Checklist 2: Where data is wiped, is this properly verified before reuse/disposal? Is it documented?
Observations: On floor nos. 2, 3, 4, 5 & 6 it is documented, whereas on the other floors it is not documented.

Control Name: Unattended user equipment
Detailed Control: Users shall ensure that unattended equipment has appropriate protection

Audit Checklist 1: Are the users/employees aware of their responsibility regarding unattended equipment?
Observations: Yes, users/employees may be aware, as the Assets Usage Policy (AUP) has been affixed at the working places of the users/employees.


Control Name: Clear desk and clear screen policy
Detailed Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted

Audit Checklist 1: Are the employees aware of clear desk/clear screen policy?
Observations: Yes, they may be aware, as the Assets Usage Policy (AUP) has been affixed at the working places of the users/employees.
