R2 Guidance & Knowledge Base

Physical security of data-containing items within the facility

[ADDED 4/4/2023]   Q.  Do all data security requirements apply to the entire facility?

The R2 Facility is required to maintain a security program to control access to the facility and equipment. In some cases, the security controls may be implemented equally across the entire facility; in other cases, specific parts of the facility may require additional security controls depending on the types of equipment handled and the level of data security required.

In addition to the physical security controls, the facility must also establish security authorizations and manage access to data devices and any secured areas, as well as train all workers in the data security policies and procedures.

[ADDED 4/4/2023]   Q.  Are metal detectors required for all R2 Facilities?

While metal detectors can be a useful tool in certain circumstances and as part of a broader security program, they are not specifically required under the R2 Standard and may not be necessary for many facilities.

Q.   In order to secure and control data-containing items under requirement 6.(d)(2), is additional security and separation required within the facility?

Each R2 Facility will need to determine the best means to secure and control access to data-containing equipment for its operations. This may depend on several factors such as the type of electronic equipment handled, sensitivity of data on storage devices, and the needs of the suppliers served. The R2 Facility may choose to secure the entire building or specific areas within it, but it must clearly identify and maintain appropriate authorizations for accessing any secured areas in accordance with Core Requirement 7, Data Security.

 

[ADDED 11/19/2021]   Q.   Our entire facility as a whole has controlled access and is managed as a secured area.   We are concerned that putting signage on the exterior of our building identifying it as a data secured area could make it a target for theft.   Does Core 7(b)(3) require signage on the exterior of the building?

R2 does not define specifics for the labelling or signage other than that it must “warn against unauthorized access.” Generic signage using terminology such as “Secured Area… No Admittance… Authorized Personnel Only” could be used to satisfy signage requirements without disclosing details of the activities or value of items inside the facility.

Alternatively, changes could be made to the facility layout to limit and separate specific areas for additional security controls from other general areas. Each facility has the flexibility to make these security determinations as best suits its specific operations.
