PHYSICAL SECURITY AUDIT OBJECTIVE

Obtain an understanding of significant processes and practices employed in maintaining and monitoring physical security for IT resources.  Specifically addressing the following components:

  1. Management philosophy, operating style, and risk assessment practices including:
    1. Awareness and compliance with applicable laws, regulation and polices
    2. Planning and management of data center physical security financial resources
    3. Efficiency and Effectiveness Programs
  2. Organizational structure, and delegations of authority and responsibility for IT physical security standards, policies, and monitoring
  3. Positions of accountability for financial and programmatic results related to IT physical security
  4. Process strengths (best practices), weaknesses, and mitigating controls
  5. Financial Considerations
  6. Compliance with applicable laws, regulations, policies, and procedures.
  7. Scope
  1. Environmental Controls
  2. Natural Disaster Controls
  3. Supporting Utilities Controls
  4. Physical Protection and Access Controls
  5. System Reliability
  6. Physical Security Awareness and Training
  7. Contingency Plans

AREAS OF RISK

  1. The IT physical security risk assessment processes may not identify key areas of risk including:
    1. Natural disaster such as fire, earthquake, flooding, etc.
    2. Environmental controls such as temperature and humidity controls
    3. Theft or malicious destruction
    4. Unintentional destruction of hardware or data by untrained employees.
    5. Mechanical failure of hardware
    6. Power interruptions
  2. IT Management may not monitor physical security outside of the centralized computing center, particularly if the campus has a distributed computing environment administered by multiple divisions and departments.
  • Delegations of authority may be inappropriate or non existent for IT physical security.
  • IT physical security related duties may not be included in performance evaluations
  • Management may not have defined physical security standards and/or local policies
  • Management may not have committed sufficient financial resources to IT physical security
IT security may not be in compliance with applicable laws, regulations, policies, and