Appropriately limiting physical access to, and effectively managing environmental controls over, sensitive computing resources is critical to ensuring that all other IT controls can be relied upon. Additionally, these controls help ensure the availability and effectiveness of the unit’s information technology infrastructure.

To evaluate the capabilities of physical and environmental controls in place, we may examine areas including the following:

  • Has a risk assessment been performed and documented?
  • Are adequate backup power systems in place, providing resources to enable appropriate shutdown capability should the primary power source(s) be lost?
  • Are effective practices in place regarding the distribution and management of keys and swipe cards, enabling controlled access to resources/environments?
  • Are critical hardware/communication junctions (wiring/telephone closets) properly secured?
  • Have risks inherent to the environment/physical structure been introduced/addressed (drop ceilings, limited fields of view, etc.)?
  • Are adequate heating, ventilation, and air conditioning (HVAC) systems in place?
  • Are documented provisions for alternate site operations adequate and reasonable?
  • Are adequate and reasonable controls in place surrounding fire and flood threats?