Manage the IT facilities


The organization will develop, disseminate, and review: 1) a formal process to manage the IT facilities that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the process. [UCF ID 00710]

Supporting and supported controls

This control directly supports:

Physical and environmental protection [UCF Control ID 00709]

This control has the following supporting controls:

Physical security of facilities [UCF Control ID 00711]
Low profile of the IT site [UCF Control ID 00712]
Visitor controls [UCF Control ID 01329]

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security Pg 45-46; CobiT 4.1 DS12.5; CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) Pg A-11 OP1.1.1- OP1.1.2; ISO 17799:2000, Code of Practice for Information Security Management § 7.1; OGC ITIL: Security Management 4.2.3.2

Healthcare and Life Science Guidance

HIPAA calls for organizations to implement policies and procedures to limit physical access to facilities housing systems containing electronic protected health information. It also specifically requires that organizations implement controls to authorize and validate access to facilities, including visitor control.

NIST 800-66 § 4.10 addresses § 164.310(a)(1) of the HIPAA Security Rule. This section covers facility access controls and how to implement policies and procedures that limit physical access to electronic information systems and the facilities housing them, while still allowing authorized access. The chart describing the tasks to complete in order to achieve good facility access controls is very detailed and worth reading directly.

NIST Guidance

NIST 800-53 requires agencies to authorize and control access to all facilities containing information systems through the use of defined physical controls. It addresses the use of keys, locks, badges, and security guards. It also calls for monitoring of physical entry through surveillance equipment and intrusion detection systems.

International Organization for Standardization (ISO) Guidance

ISO 17799 also provides detailed physical security controls for facilities. ISO 17799 requires organizations to implement health and safety practices for all personnel. The ISF Standard suggests that staff be protected from intimidation by malicious third parties by providing duress alarms in susceptible public areas. The ISF Standard also calls for organizations to institute a process for responding to emergencies.

European Union Guidance

The OECD Risk Checklist covers physical security thoroughly, though all of its requirements are, as always, phrased as questions. The ISF Standard provides detailed controls for physically securing facilities, dividing them between sections on security management, computer installations, and networks.