T2 Physical and Environmental Security

Physical and environmental security measures shall be implemented to ensure critical or sensitive information systems are physically protected from unauthorized access, damage and interference and equipment is protected from physical and environmental threats

OBJECTIVE:

To maintain a physical and environmental security policy to outline the security requirements of physical areas and equipment

PERFORMANCE INDICATOR:

Extent of physical and environmental security policy deployment and adoption across the entity

AUTOMATION GUIDANCE

Not applicable

RELEVANT THREATS AND VULNERABILITIES

1. Unsuitable environmental security policy
2. Unawareness of environmental security policy among staff
3. Wrong classification of secure areas

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• T2.1.1 - P4 - PHYSICAL AND ENVIRONMENTAL SECURITY POLICY

OBJECTIVE:

To prevent unauthorized physical access, damage, and interference to the entity’s premises and information

PERFORMANCE INDICATOR:

Percentage of resolved / closed corrective items identified from periodic physical security site surveys

AUTOMATION GUIDANCE

Automated physical access management applications are available for entities of all sizes and complexity and are deployed along physical access control equipment (such as automated gates and doors). Selection of the appropriate access management application requires an entity to have an understanding of its physical landscape and locations, the risks it faces, and the protection level required.

RELEVANT THREATS AND VULNERABILITIES

1. Under protected secure areas
2. Unauthorized access to secure areas
3. Destruction of equipment of media
4. Interference with security controls

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• T2.2.1 - P2 - PHYSICAL SECURITY PERIMETER
• T2.2.2 - P2 - PHYSICAL ENTRY CONTROLS
• T2.2.3 - P2 - SECURING OFFICES, ROOMS AND FACILITIES
• T2.2.4 - P4 - PROCTECTING AGAINST EXTERNAL AND ENVIRONMENTAL THREATS
• T2.2.5 - P3 - WORKING IN SECURE AREAS
• T2.2.6 - P3 - PUBLIC ACCESS, DELIVERY AND LOADING AREAS

OBJECTIVE

To prevent loss, damage, theft or compromise of assets and interruption to the entity’s activities

PERFORMANCE INDICATOR

Percentage of performed checks that revealed unauthorized movement of information assets or other information security related issues

AUTOMATION GUIDANCE

Solutions as physical access control, video surveillance and anti-intrusion systems should be considered.

RELEVANT THREATS AND VULNERABILITIES

1. Equipment failure
2. Tampering with equipment
3. Physical theft of asset

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• T2.3.1 - P2 - EQUIPMENT SITING AND PROTECTION
• T2.3.2 - P4 - SUPPORTING UTILITIES
• T2.3.3 - P4 - CABLING SECURITY
• T2.3.4 - P3 - EQUIPMENT MAINTENANCE
• T2.3.5 - P3 - SECURITY OF EQUIPMENT OFF-PREMISES
• T2.3.6 - P3 - SECURE DISPOSAL OR RE-USE OF EQUIPMENT
• T2.3.7 - P3 - REMOVAL OF PROPERTY
• T2.3.8 - P2 - UNATTENDED USER EQUIPMENT
• T2.3.9 - P3 - CLEAR DESK AND CLEAR SCREEN POLICY