Physical and environmental protection

IT Impact Zone
IT Impact Zone


This is a top level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a physical and environmental protection policy., CC ID: 14030
  • Establish and maintain a physical security program., CC ID: 11757
  • Establish and maintain an environmental control program., CC ID: 00724


  • Hardware must be installed in an environment that allows the organization to properly deal with risks and that is resilient to potential risks, such as failure, natural hazards, and misconduct. This is a control item that constitutes a greater risk to financial information. This is an IT general con… (App 2-1 Item Number IV.7(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • A Site Standard Operating Procedure should be developed and should include roles and responsibilities of the facility security officer; how to operate and maintain the alarm system; requirements for security awareness training; requirements for employee clearances; procedures for end-of-day checks; … (§ 3.1.22, Australian Government ICT Security Manual (ACSI 33))
  • Civil licensed nuclear sites and nuclear material carriers are required to protect material and sites against terrorism in accordance with plans and transport security statements that have been approved by the Office for Civil Nuclear Security (OCNS). These regulations do not extend to persons who h… (¶ 3, Nuclear Industries Security Regulations, Version 2.0, May 2010)
  • (§ II.54 thru § II.62, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • IT equipment must be protected from deliberate or accidental damage or loss, including the servers and workstations that allow staff access to the applications. Some physical and environmental controls include putting servers in locked rooms with restricted access; restricting access to servers to s… (§ 5.3.4, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Client organizations must ensure that the infrastructure, systems, and documents of a service provider are secured properly. Organizations are demanding higher security levels in outsourcing facilities, especially when the outsourced activity is critical to the organization's operations. Key physica… (§ 5.2 (Physical Security and Environmental Controls), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The physical security program should include policies and procedures, barrier descriptions, personnel responsibilities, a list of the equipment being used, and records and logs. (Pg 19-I-4, Protection of Assets Manual, ASIS International)
  • Physical access to information assets and functions by users and support personnel shall be restricted. (FS-02, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Assumptions that should be met by the product's environment to be considered secure should be listed in the security policy. (§ 6.3.1, ISO 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005)
  • Development security documentation should exist. This document should describe the physical, procedural, and other security measures, as well as security personnel roles and responsibilities, needed at the development site. The measures should provide enough protection to maintain the confidentialit… (§ 17.1, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Development security documentation should exist. This document should describe the physical, procedural, and other security measures, as well as security personnel roles and responsibilities, needed at the development site. The measures should provide enough protection to maintain the confidentialit… (§ 17.1, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The development security documentation should be examined to ensure physical, procedural, personnel, and other measures required to protect the confidentiality and integrity of the product while in the development environment are included. The confidentiality and integrity policies of the developmen… (§ 12.8.1, § 13.8.1, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • All physical security protection procedures should be integrated to provide a unified protection concept and should form the underlying basis for all physical security. The protection concept should be one of the following: multi-layered (dividing the premises into multiple layers from the outer per… (§ 6.4.2, § 6.4.15, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Protection against environmental threats, such as fire, flood, and earthquake, should be taken. Procedures for avoiding damage from environmental threats include storing backup media at an offsite facility; having appropriate fire fighting equipment on site; and storing hazardous or combustible mate… (§ 9.1.4, ISO 27002 Code of practice for information security management, 2005)
  • The organization should use third-parties to verify that the physical security measures have been implemented and are working correctly. (Pg 4, Responsible Care Security Code of Management Practices, American Chemistry Council)
  • The organization should implement procedures to restrict physical access to personal information and to protect the personal information against natural disasters and environmental hazards. (ID 8.2.3, ID 8.2.4, AICPA/CICA Privacy Framework)
  • The organization must protect the physical environment. (PE 11, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • The organization should develop a physical security program that safeguards personnel; safeguards the system against damage, theft, and sabotage; reduces denial of service and unauthorized data modification exposure; and prevents unauthorized access to facilities, equipment, media, and documents. (§ 2-10.a, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • Determine whether audit procedures for operations consider ▪ The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. ▪ The adequacy of data controls over preparation, input, processing, and output. ▪ The ad… (Exam Tier II Obj C.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should have adequate physical security for all operations centers in accordance with the sensitivity and criticality of the information stored or processed at the location. (Pg 21, Exam Tier I Obj 5.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should ensure the service provider's physical standards meet or exceed the standards required by the organization. (Pg 29, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Determine whether new retail payment products and emerging technologies pose increased risk due to the lack of maturity of the respective control environments. Consider: • New retail payment products and services that have been introduced within the past year. • Whether the institution introduce… (Exam Tier I Obj 1.2, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should maintain a physically secure environment for the payment applications. The results of the risk assessment should be used to develop standards for physical security. (Pg 32, Pg 33, Exam Tier I Obj 1.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • (AC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization must develop and document policies and procedures for the implementation of physical and environmental protection controls. These policies and procedures must be disseminated throughout the organization. (§ 4.2, Exhibit 4 PE-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provid… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Physical access controls to restrict the entry and exit of personnel from areas such as office buildings, suites, data centers or rooms containing local area network servers are called for. (§ 3.10, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the physical and environmental protection policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the physical and environmental protect… (PE-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should implement physical security to ensure only authorized individuals can access WLAN equipment. Physical security combines such measures as access controls, personnel identification, and external boundary protection. For example, photo identification, card badge readers, or biom… (§ 6.2 Par 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • Licensees must incorporate the cyber security program into the physical protection program. (§ 73.54(b)(3), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)