S 1.23 Locked doors

Initiation responsibility: Head of Site Technical Services, Head of IT Section

Implementation responsibility: Site Technical Services, staff

The doors of unoccupied rooms should be locked. This will prevent unauthorised persons from obtaining access to documents and IT equipment in the given room. It is particularly important to lock individual offices where these are located in areas accessible by the public or where access cannot be controlled by any other means.

It is not necessary to lock doors which have a dummy knob on the corridor side. However, this requires that the staff allowed to enter these rooms carry their keys with them at all times.

In some cases, e.g. in open-plan offices, it is not possible to lock the office. As an alternative, all employees should lock away their documents ("clear-desk policy") and secure their personal work area: desk, cabinet and PC (lock for floppy disk drive, keyboard lock), telephone. It is not necessary to lock the doors if no objects requiring protection, such as documents or data media, are out in the open and unauthorised access to the IT systems in the room (and the IT systems network with them) is not possible.

If the computer is in operation, it is not necessary to lock the doors provided that a safeguarding feature has been installed which allows continued use of the computer only if a password is entered (password-assisted screen saver), the display is cleared and input of a password is required following reboot.

When the computer is switched off, the office need not be locked provided that booting of the computer can be effected only with entry of a password. The same function is fulfilled by access mechanisms that are based on tokens or smart cards.

Additional controls:

• Are sporadic checks made as to whether offices are locked when their occupants leave them?

• Are staff instructed to lock their offices during their absence?