S 2.97 Correct procedure for code locks

Initiation responsibility: IT Security Management

Implementation responsibility: IT-user

If protective cabinets with mechanical or electronic code locks are used, the code for these locks must be changed:

• after purchase,

• when there is a change of user,

• after opening in the absence of the user,

• if it is suspected that the code was made known to an unauthorised person and

• at least once every twelve months.

The code cannot consist of numbers which are easy to determine (e.g. personal data, arithmetical sequences).

Each valid code of a code lock must be recorded and escrowed in a secure place (see S 2.22 Depositing of passwords in a similar application). It should be noted that escrowing of the code in the associated protective cabinet is pointless.

If the protective cabinet has a further lock in addition to a code lock, a judgement should be made as to whether the code and the key are deposited together, which would allow quicker access in an emergency, or separately, so that it is more difficult for an 'attacker' to gain access.

Additional controls:

• Is the lock code changed following the occurrences outlined above?

• When was the last time the lock code was changed?

• Is the code for the code locks escrowed safely?

• Where and how is it escrowed?

• Where are any existing spare keys to the cabinet kept?