Physical and environmental safety controls are developed and implemented to protect the physical facility housing employees, data, and equipment. An organization's physical and environmental policies should address at least the following topic areas:
Access Controls. Physical access controls restrict the entry and exit of personnel, equipment, and media from an area. The granularity of access controls should be commensurate with the value of the items located in that area. For example, there should be very limited access to servers and cabling. Anyone exiting an office area carrying equipment or media must provide appropriate approvals. Physical access controls should address not only the area containing system hardware but also locations of cabling used to connect elements of the system, supporting services such as electric power, backup media, and any other elements required for the system's operation. It is important to assess the effectiveness of physical access controls in each area, during normal business hours and at other times, particularly when an area may be unoccupied or occupied by maintenance employees.
Fire Safety Factors. Fires are a significant threat because of the potential for complete destruction of both hardware and data, the risk to human life, and the pervasiveness of the damage. Smoke, toxic gases, and heat from a fire can destroy lives and critical data and damage systems throughout an entire building or business campus. Consequently, in addition to the annual local fire marshal inspection, it is important to evaluate the fire safety of buildings. It is a solid business practice to have fire safety as part of the company's audit program.
Utilities Failures. Systems and the people who operate them have an expectation of a well-regulated operating environment. Consequently, failures of electric power, heating and air-conditioning systems, water, sewage, and other utilities usually cause service interruptions, damage hardware and data, and make working conditions unbearable. Organizations should take every precaution to ensure that utilities function properly, and in the event of failures, the organization must make certain there are redundant systems available to continue profitable operations. Risk planning will consider the degree of redundancy in utility systems and how long the redundant systems should be able to sustain operations.
Building Collapse. Organizations should be aware that a building might be subjected to loads greater than it was designed to support. Such loads can result from earthquakes, snowfalls, or explosions that displace or weaken structural members, or from a fire that destroys structural supports.
Plumbing Leaks. Water leaks do not occur frequently, but when they happen they can be very disruptive. An organization should know the location of water pipes that might leak or burst, endangering employees and equipment. Businesses should take appropriate steps to reduce risks by relocating pipes and fire-extinguishing equipment and by clearly identifying shut-off valves.
Workplace Safety. Employees must be safe in the workplace. Laws, regulations, and policies demand it. Auditors and managers should frequently assess workplace safety by walking around and looking for cables crossing walk areas, unsafe equipment placement, lack of safety equipment in areas such as loading docks, overloaded electrical connectors, unsafe elevators, etc.
Appropriate and adequate controls will vary depending on the individual system requirements. The following list shows the types of controls for a system in a computer room. It is not intended to be all-inclusive or to imply that all systems should have all the controls listed.
- Card keys for building and work area entrances
- Twenty-four-hour guards at all entrances and exits
- Cipher lock on computer room door
- Dedicated heating/ventilation/air conditioning system
- Humidifier, if appropriate
- Emergency lighting
- Fire extinguishers rated for electrical fires
- B/C-rated fire extinguishers
- Smoke, water, and heat detectors
- Emergency power-off switches
- Surge suppressors
- Emergency replacement equipment
- Zoned dry-pipe sprinkler system
- Uninterruptible power supplies for critical equipment
- Power strips and power suppressors for peripherals and computers
- Separate controlled access to server and cabling rooms
- Protection for water-sensitive equipment in the event of fire