...

Getting Started

Physical and environmental security programs define the various measures or controls that protect organizations from loss of connectivity and availability of computer processing caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure and power failures. Physical security measures should be sufficient to deal with foreseeable threats and should be tested periodically for their effectiveness and functionality.

  1. Determine which managers are responsible for planning, funding, and operations of physical security of the Data Center.
  2. Review best practices and standards that can assist with evaluating physical security controls, such as ISO/IEC 27002:2013 or NIST 800-53.
  3. Establish a baseline by conducting a physical security controls gap assessment that will include the following as they relate to your campus Data Center:
    • Environmental Controls
    • Natural Disaster Controls
    • Supporting Utilities Controls
    • Physical Protection and Access Controls
    • System Reliability
    • Physical Security Awareness and Training
    • Contingency Plans

  4. Determine whether an appropriate investment in physical security equipment (alarms, locks or other physical access controls, identification badges for high security areas, etc.) has been made and whether these controls have been tested and function correctly.
  5. Provide responsible managers guidance in handling risks. For example, if the current investment in physical security controls is inadequate, this may allow unauthorized access to servers and network equipment. Inadequate funding for key positions with responsibility for IT physical security may result in poor monitoring, poor compliance with policies and standards, and overall poor physical security.
  6. Maintain a secure repository of physical and environmental security controls and policies and establish timelines for their evaluation, update and modification.
  7. Create a team of physical and environmental security auditors, outside of the management staff, to periodically assess the effectiveness of the measures taken and provide feedback on their usefulness and functionality.

...


Secure Areas

...


Objective: To ensure the institution appropriately protects buildings and rooms to prevent unauthorized access, damage, or interference to the information systems therein.

...


Equipment

...


Objective: To ensure the institution appropriately protects information systems equipment from physical and environmental threats.

...