IT Baseline Protection Manual S 2.212 Organisational requirements regarding cleaning contractors

S 2.212 Organisational requirements regarding cleaning contractors

Initiation responsibility: Management

Implementation responsibility: On-site technical services

Cleaning services are normally provided by external contractors who require access to the building. In areas with higher security requirements, such as computer centres, server rooms, plant rooms or control rooms, this can pose problems and therefore requires additional security measures.

When calling for tenders and drawing up the contract, the special handling of sensitive areas should be specifically included. For example, in a computer centre the contract could specify that random checks of handbags or of goods being transported should be made in the entry or access areas.

As the cleaners cannot be assumed to know much about IT, they should be immediately instructed in all areas that contain business-critical IT systems as to what activities can damage IT facilities or cause problems in IT operations. Examples of such problem areas are:

If the cleaning company can be trusted, access by the cleaning staff should be controlled via the existing access control mechanisms and/or locking system. However, these can only be effective security measures if, for example, passes or keys are issued against signature and only to named or known employees of the cleaning company for a fixed period of time. Where an agreement is made as to the use of permanent staff, the identification system can serve as an effective control/check on adherence to the contract.

The contractor should nominate a person who is responsible for co-ordination and for any problems that might occur, and who can be contacted at any time. This person must have decision-making power over the staff to be used (and especially over staff who should no longer be used because they are not wanted).

Areas with higher security requirements such as a machine room or data media archive should only be cleaned in the presence of responsible persons from the customer organisation or in some cases also in the presence of a trusted person from the contractor, e.g. applying the two-person rule.

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: July 2001