Establish, implement, and maintain a physical environment metrics program.
CONTROL ID
02063
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a metrics policy., CC ID: 01654

This Control has the following implementation support Control(s):
  • Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective., CC ID: 02064
  • Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented., CC ID: 02065
  • Report on the percentage of critical assets that have been reviewed from the environmental risk perspective., CC ID: 02066
  • Report on the percentage of servers located in controlled access areas., CC ID: 02067
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Conducting a vulnerability assessment for each vulnerability and calculating the probability that it will be exploited. Evaluating policies, procedures, standards, training, physical security, quality control and technical security in this regard (Critical components of information security 2) 3) Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization must measure and report on the Physical Environment. (ISPE15, CISWG Information Security Program Elements, 10-Jan-05)
  • The organization should conduct physical security risk assessments for the moderate to high-risk critical DIB assets based on the prevailing threat environment. These should measure the impact or consequence of critical DIB facility loss to the DoD mission(s) supported, the known or perceived threat… (§ 6.1.1 Table 6-2 Goal 3, Defense Industrial Base Information Assurance Standard)
  • Bank information system security controls should include clearly defined security measures with measurable performance standards. Responsible personnel should be assigned to ensure a comprehensive security program. Bank management should take necessary steps to protect mission-critical systems from … (¶ 34, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)