S 1.23 Locked doors
Initiation responsibility: Building Services Manager
Implementation responsibility: Employee, Building Services
The doors of unused rooms should always be locked. This prevents unauthorised access to the documents and IT equipment located in these rooms. It is particularly important to lock the doors of an office when the office is located in areas accessible to the general public or when access to the room is not monitored by any other safeguards.
The doors do not have to be locked if the side facing the hallway has a dummy knob. However, the employees authorised to enter such rooms must always have their keys with them in this case.
In some cases, in open plan offices for example, the offices cannot be locked. As an alternative in this case, every employee should lock up their documents (clean desk policy) and their personal workspace: desk, cabinet, PC (using a lock for floppy disk drives, keyboard locks), and telephone.
The doors do not have to be locked if there are no objects requiring protection (such as documents or data media) left lying in the open and it is impossible to gain unauthorised access to the IT systems in the room (and therefore impossible to access the networked IT systems).
When there are computers running, the doors do not need to be locked if the computers can only be accessed after successful authentication, for example when a screen saver with password support is enabled. When all computers are switched off, the doors do not need to be locked if a password needs to be entered to boot a computer. Access mechanisms based on tokens or smart cards fulfil the same function.
It makes sense to have the gatekeepers or employees in building services check sporadically if the doors have been locked after everyone has left the rooms.
Review questions:
- Does someone check every once in a while if the offices were locked after everyone has left the offices?
- Are employees instructed to lock their offices or lock up their work documents when out of their offices?