DS12 Manage the Physical Environment

Protection for computer equipment and personnel requires well-designed and well-managed physical facilities. The process of managing the physical environment includes defining the physical site requirements, selecting appropriate facilities, and designing effective processes for monitoring environmental factors and managing physical access. Effective management of the physical environment reduces business interruptions from damage to computer equipment and personnel.

Control over the IT process of Manage the Physical Environment that satisfies the business requirement for IT of
  • protecting computer assets and business data and minimizing the risk of business disruption
by focusing on
  • providing and maintaining a suitable physical environment to protect IT assets from access, damage or theft
is achieved by
  • Implementing physical security measures
  • Selecting and managing facilities
and is measured by
  • Amount of downtime arising from physical environment incidents
  • Number of incidents due to physical security breaches or failures
  • Frequency of physical risk assessment and reviews
Management of the process of Manage the Physical Environment that satisfies the business requirement for IT of protecting computer assets and business data and minimizing the risk of business disruption is:

1 Non-existent
2 Initial/Ad Hoc
3 Repeatable but Intuitive
4 Defined
5 Managed and Measurable
6 Optimized


Benchmarks/Guidelines for Scoring

1 Non-existent when
There is no awareness of the need to protect the facilities or the investment in computing resources. Environmental factors, including fire protection, dust, power, and excessive heat and humidity, are neither monitored nor controlled.
2 Initial/Ad Hoc when
The organization recognizes a business requirement to provide a suitable physical environment that protects the resources and personnel against man-made and natural hazards. The management of facilities and equipment is dependent upon the skills and abilities of key individuals. Personnel can move within the facilities without restriction. Management does not monitor the facility environmental controls or the movement of personnel.
3 Repeatable but Intuitive when
Environmental controls are implemented and monitored by the operations personnel. Physical security is an informal process, driven by a small group of employees possessing a high level of concern about securing the physical facilities. The facilities maintenance procedures are not well documented and rely upon good practices of a few individuals. The physical security goals are not based on any formal standards, and management does not ensure that security objectives are achieved.
4 Defined when
The need to maintain a controlled computing environment is understood and accepted within the organization. Environmental controls, preventive maintenance and physical security are budget items approved and tracked by management. Access restrictions are applied, with only approved personnel allowed access to the computing facilities. Visitors are logged and escorted, depending on the individual. The physical facilities are low-profile and not readily identifiable. Civil authorities monitor compliance with health and safety regulations. The risks are insured with minimal effort to optimize the insurance costs.
5 Managed and Measurable when
The need to maintain a controlled computing environment is fully understood, as evident in the organizational structure and budget allocations. Environmental and physical security requirements are documented, and access is strictly controlled and monitored. Responsibility and ownership are established and communicated. The facilities staff members are fully trained in emergency situations, as well as in health and safety practices. Standardized control mechanisms are in place for restricting access to facilities and addressing environmental and safety factors. Management monitors the effectiveness of controls and compliance with established standards. Management has established goals and metrics for measuring management of the computing environment. The recoverability of computing resources is incorporated into an organizational risk management process. The integrated information is used to optimize insurance coverage and related costs.
6 Optimized when
There is an agreed-upon, long-term plan for the facilities required to support the organization’s computing environment. Standards are defined for all facilities, covering site selection, construction, guarding, personnel safety, mechanical and electrical systems, and protection against environmental factors (e.g., fire, lighting, flooding). All facilities are inventoried and classified according to the organization’s ongoing risk management process. Access is strictly controlled on a job-need basis and monitored continuously, and all visitors are escorted at all times. The environment is monitored and controlled through specialized equipment, and equipment rooms have become ‘unmanned’. Goals are consistently measured and evaluated. Preventive maintenance programs enforce a strict adherence to schedules, and regular tests are applied to sensitive equipment. The facilities strategy and standards are aligned with IT services availability targets and integrated with business continuity planning and crisis management. Management reviews and optimizes the facilities using goals and metrics on a continual basis, capitalizing on opportunities to improve the business contribution.