The personnel, equipment, records, and data comprising IT operations represent a critical asset. Management should deploy adequate physical security in a layered or zoned approach at every IT operations center commensurate with the value, confidentiality, and criticality of the data stored or accessible and the identified risks. This section summarizes some of the preventive and detective controls for physical security and discusses some minimum physical security requirements. Refer to the IT Handbook's "Information Security Booklet" for additional information.
An institution's main IT operations center should have a limited number of windows and external access points. The data center should preferably not be identified as such from the outside. The perimeter should have adequate lighting, and, if conditions warrant, perimeter security should include gates, fences, video surveillance, and alarms. Management should assess whether armed guards are suitable and, if they are used, should ensure they are trained, licensed, subjected to background checks, and follow standard security industry practices.
Management should consider using video surveillance and recording equipment in all or part of the facility to monitor activity and deter theft. Management should also use inventory labels, bar codes, and logging procedures to control the inventory of critical and valuable equipment.
An institution should implement policies and procedures to prevent the removal of sensitive electronic information and data. These policies should address the use of laptop computers, personal digital assistants, and portable electronic storage devices. The policies and procedures should further address shredding of confidential paper documents and erasing electronic media prior to disposal. In addition, policies and procedures should delineate the circumstances under which employees' personal property may be subject to search.