IT Baseline Protection Manual S 2.14 Key management
Initiation responsibility: Head of Organisational Section; IT Security Management
Implementation responsibility: Head of Site/Bldg Technical Service
For all keys to the building (of floors, hallways and rooms), a lock-up plan should be drawn up. The manufacture, storage, management and issue of keys must be organised on a centralised basis. Reserve keys are to be provided and have to be stored securely. The same applies to all means of identification, such as magnetic or smart cards. Attention must be paid to the following:
Where a lock-up facility is available, either specific lock-up groups must be established for sensitive areas, or individual rooms should be removed from the lock-up group and provided with a single lock-up.
Keys not issued to personnel and spare keys must be stored in a way that protects them against unauthorised access.
Keys are issued against receipt, and the issue must be documented.
Arrangements must be made with regard to the response required in case of loss of individual keys (reporting, replacement, reimbursement of costs, replacement of the lock, alteration of the lock-up group, etc.).
When the authorisations of staff members change, the lock-up rights are to be checked; if and where required, the keys will have to be recovered.
In case of termination of employment, all keys must be retrieved from the persons concerned; key management is to be included in the inter-office slip (checklist).
Locks and keys to particularly sensitive areas (for which only a very restricted number of keys should be issued) may be exchanged as required so that counterfeit keys no longer work.
Additional controls:
What rules have been laid down as regards key management?