The personnel, equipment, records, and data comprising IT operations represent a critical asset. Management should deploy adequate physical security in a layered or zoned approach at every IT operations center commensurate with the value, confidentiality, and criticality of the data stored or accessible and the identified risks. This section summarizes some of the preventive and detective controls for physical security and discusses some minimum physical security requirements. Refer to the IT Handbook's "Information Security Booklet" for additional information.

An institution's main IT operations center should have a limited number of windows and external access points. The data center should preferably not be identified as such. The perimeter should have adequate lighting, and, if conditions warrant, perimeter security should have gates, fences, video surveillance, and alarms. Management should assess whether armed guards are suitable and should ensure that they are trained, licensed, and subjected to background checks, and that they follow standard security industry practices.

Management should consider using video surveillance and recording equipment in all or parts of the facility to monitor activity and deter theft. Management should also use inventory labels, bar codes, and logging procedures to control the inventory of critical and valuable equipment.

An institution should implement policies and procedures to prevent the removal of sensitive electronic information and data. These policies should address the use of laptop computers, personal digital assistants, and portable electronic storage devices. The policies and procedures should further address shredding of confidential paper documents and erasing electronic media prior to disposal. In addition, policies and procedures should delineate the circumstances under which employees' personal property may be subject to search.