Welcome » IT Booklets » Information Security » II Information Security Program Management » II.C Risk Mitigation » II.C.8 Physical Security
Management should implement
appropriate preventive, detective, and corrective controls for
Physical access and damage or destruction to physical components
can impair the confidentiality, integrity, and availability of
information. Management should implement appropriate preventive,
detective, and corrective controls for mitigating the risks
inherent to those physical security zones.
A data center houses an institution's most important information
system components. When selecting a site for a data center, one
major objective should be to limit the risk of exposure from
internal and external threats, including, where possible,
environmental threats inherent to physical locations (e.g.,
hurricanes, earthquakes, and blizzards). The selection process
should include reviewing the surrounding area to determine whether
it is relatively safe from exposure to fire, flood, explosion, or
similar environmental hazards. Guards, fences, barriers,
surveillance equipment, or other devices can deter intruders.
Because access to key information systems' hardware and software
should be limited, appropriate physical controls should be in
place. Additionally, the location should not be identified or
advertised by signage or other indicators.
Detection devices, when applicable, should be used to prevent
theft and safeguard the equipment. The devices should provide
continuous coverage. Detection devices have two purposes-to send
alarms when responses are necessary and to support subsequent
forensics. Alarms are useful only when response will occur. Some
detection devices include the following:
A combination of fire suppression, smoke alarms, raised
flooring, and heat and moisture sensors should address risks from
environmental threats (e.g., fire, flood, and excessive heat).
Environmental threat monitoring should be continuous, and responses
should occur when alarms activate.
Physical security devices frequently need preventive maintenance
to function properly. The institution should be able to provide
maintenance logs to demonstrate that physical security devices are
regularly maintained. Periodic testing provides assurance that the
devices are operating correctly.
The institution should have policies governing the duties and
responsibilities of security guards. Employees who access secured
areas should have proper identification and authorization to enter
the areas. All non-employees should provide identification to a
security guard before obtaining access. Security guards should be
trained to restrict the removal of technology assets from the
premises and to record the identity of anyone attempting to remove
those assets. Management should implement a specific and formal
authorization process for the removal of hardware and software from
Access should be restricted to the following equipment or