Design the Information Technology facility with a low profile.


CONTROL ID: 16140
CONTROL TYPE: Physical and Environmental Protection
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Design the Information Technology facility with consideration given to natural disasters and man-made disasters. (CC ID: 00712)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Buildings that house recovery sites should be planned, designed, and built with security in mind. Non-dedicated buildings should implement and maintain appropriate controls to mitigate any associated security risks. Only relevant authorized personnel should have access to facility maps, telephone di… (§ 6.4.3, § 6.4.12, § 6.12.7, § 6.12.8, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Offices, rooms, and facilities should have physical security guidelines. No obvious signs should be displayed, inside or outside, identifying the purpose of the building or identifying the presence of information processing activities. The public should not have access to directories or internal pho… (§ 9.1.3, ISO 27002 Code of practice for information security management, 2005)
  • The organization should not publicize the locations of data centers or make them conspicuous. (Pg C-1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The computer center should not be identified as a computer center. (Pg 21, FFIEC IT Examination Handbook - Operations, July 2004)