Establish, implement, and maintain a physical environment metrics program.
CONTROL ID 02063
CONTROL TYPE Business Processes
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a metrics policy. CC ID: 01654
This Control has the following implementation support Control(s):
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID: 02064
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID: 02065
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID: 02066
Report on the percentage of servers located in controlled access areas. CC ID: 02067
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Conducting a vulnerability assessment for each vulnerability and calculating the probability that it will be exploited. Evaluating policies, procedures, standards, training, physical security, quality control and technical security in this regard (Critical components of information security 2) 3) Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
The organization must measure and report on the Physical Environment. (ISPE15, CISWG Information Security Program Elements, 10-Jan-05)
The organization should conduct physical security risk assessments for the moderate to high-risk critical DIB assets based on the prevailing threat environment. These should measure the impact or consequence of critical DIB facility loss to the DoD mission(s) supported, the known or perceived threat… (§ 6.1.1 Table 6-2 Goal 3, Defense Industrial Base Information Assurance Standard)
Bank information system security controls should include clearly defined security measures with measurable performance standards. Responsible personnel should be assigned to ensure a comprehensive security program. Bank management should take necessary steps to protect mission-critical systems from … (¶ 34, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)