II.C.8 Physical Security

Action Summary

Management should implement appropriate preventive, detective, and corrective controls for physical security.

Physical access and damage or destruction to physical components can impair the confidentiality, integrity, and availability of information. Management should implement appropriate preventive, detective, and corrective controls for mitigating the risks inherent to those physical security zones.

A data center houses an institution's most important information system components. When selecting a site for a data center, one major objective should be to limit the risk of exposure from internal and external threats, including, where possible, environmental threats inherent to physical locations (e.g., hurricanes, earthquakes, and blizzards). The selection process should include reviewing the surrounding area to determine whether it is relatively safe from exposure to fire, flood, explosion, or similar environmental hazards. Guards, fences, barriers, surveillance equipment, or other devices can deter intruders. Because access to key information systems' hardware and software should be limited, appropriate physical controls should be in place. Additionally, the location should not be identified or advertised by signage or other indicators.

Detection devices, when applicable, should be used to prevent theft and safeguard the equipment. The devices should provide continuous coverage. Detection devices have two purposes-to send alarms when responses are necessary and to support subsequent forensics. Alarms are useful only when response will occur. Some detection devices include the following:

  • Switches that activate alarms when electrical circuits are broken.
  • Light and laser beams, ultraviolet beams, sound, or vibration detectors that are invisible to intruders, and ultrasonic or radar devices that detect movement.
  • Closed-circuit television (CCTV) that provides visual observation and records intrusions.

A combination of fire suppression, smoke alarms, raised flooring, and heat and moisture sensors should address risks from environmental threats (e.g., fire, flood, and excessive heat). Environmental threat monitoring should be continuous, and responses should occur when alarms activate.

Physical security devices frequently need preventive maintenance to function properly. The institution should be able to provide maintenance logs to demonstrate that physical security devices are regularly maintained. Periodic testing provides assurance that the devices are operating correctly.

The institution should have policies governing the duties and responsibilities of security guards. Employees who access secured areas should have proper identification and authorization to enter the areas. All non-employees should provide identification to a security guard before obtaining access. Security guards should be trained to restrict the removal of technology assets from the premises and to record the identity of anyone attempting to remove those assets. Management should implement a specific and formal authorization process for the removal of hardware and software from the premises.

Access should be restricted to the following equipment or areas:

  • Operations centers (e.g., data center operations, security operations center, and network operations center) or server rooms; uninterruptible power supplies and backup generators.
  • Funds transfer and automated clearinghouse routers.
  • Telecommunications equipment.
  • Media libraries.
  • Equipment removed from the network and awaiting disposal.
  • Spare or backup devices.


Previous Section
II.C.7(e) Training
Next Section
II.C.9 Network Controls