Getting Started

Physical and environmental security programs define the measures or controls that protect an organization against loss of connectivity and loss of availability of computer processing caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure, and power failure. Physical security measures should be sufficient to deal with foreseeable threats and should be tested periodically for their effectiveness and functionality.

  1. Determine which managers are responsible for planning, funding, and operations of physical security of the Data Center.
  2. Review best practices and standards that can assist with evaluating physical security controls, such as ISO/IEC 27002:2013.
  3. Establish a baseline by conducting a physical security controls gap assessment that covers the following as they relate to your campus Data Center:
    • Environmental Controls
    • Natural Disaster Controls
    • Supporting Utilities Controls
    • Physical Protection and Access Controls
    • System Reliability
    • Physical Security Awareness and Training
    • Contingency Plans

  4. Determine whether an appropriate investment in physical security equipment (alarms, locks or other physical access controls, identification badges for high security areas, etc.) has been made and if these controls have been tested and function correctly.
  5. Provide responsible managers with guidance on handling risks. For example, if the current investment in physical security controls is inadequate, unauthorized access to servers and network equipment may result. Inadequate funding for key positions responsible for IT physical security may result in poor monitoring, poor compliance with policies and standards, and overall poor physical security.
  6. Maintain a secure repository of physical and environmental security controls and policies and establish timelines for their evaluation, update and modification.
  7. Create a team of physical and environmental security auditors, outside of the management staff, to periodically assess the effectiveness of the measures taken and provide feedback on their usefulness and functionality.

Overview

The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.

Physical and environmental safeguards are often overlooked but are very important in protecting information. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, and portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes.

Secure Areas (ISO 11.1)

Objective: To ensure the institution appropriately protects buildings and rooms to prevent unauthorized access, damage, or interference to the information systems therein.

...

Equipment (ISO 11.2)

Objective: To ensure the institution appropriately protects information systems equipment from physical and environmental threats.

...

Resources

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

Standards

ISO
  • 27002:2013 Information Security Management, Chapter 11: Physical and Environmental Security

NIST
  • 800-100: Information Security Handbook: A Guide for Managers
  • 800-53: Recommended Security Controls for Federal Information Systems and Organizations
  • 800-12: An Introduction to Computer Security - The NIST Handbook
  • 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

COBIT
  • APO02.02
  • APO13.01
  • DSS01.04
  • DSS04.02
  • DSS05.02
  • DSS05.04
  • DSS05.05
  • BAI09.03

PCI DSS
  • Req 9
  • Req 10
  • Req 11

2014 Cybersecurity Framework
  • ID.AM-4
  • ID.BE-4
  • ID.BE-5
  • PR.AC-2
  • PR.DS-3
  • PR.IP-5
  • PR.IP-6
  • PR.MA-1
  • PR.MA-2
  • PR.PT-2

HIPAA Security
  • 45 CFR 164.310(a)(1)
  • 45 CFR 164.310(b)
  • 45 CFR 164.310(c)
  • 45 CFR 164.310(d)(1)

...