9-4 Information Technology Professionals Policy - Section XI: Physical and Environmental Security Policy
XI. Physical and Environmental Security Policy
This Policy establishes requirements for physical and environmental security controls.
- Facility Controls
Physical and environmental security controls for each facility must be reasonable and commensurate with the nature and degree of criticality of the Local Agency IT resources and data involved.
- Secure Perimeters
Security perimeters must be used to protect areas that contain Local Agency IT resources and data. Security perimeters include, but are not limited to, entry points with proximity card access, locked doors, walls, staffed reception areas, or other physical barriers.
- Physical Entry Controls
  - Facilities housing Local Agency IT resources and data must be protected by entry controls to ensure that only authorized individuals are allowed access.
  - Public areas and other points of entry (e.g., exterior doors, loading docks) that could be used by unauthorized individuals must be controlled and, where possible, isolated from data centers to avoid unauthorized access.
- Environmental Controls
Local Agency IT resources and data must be protected against environmental threats. Controls must be applied and provide for:
  - Prevention, detection, and suppression of fires;
  - Prevention, detection, and minimization of water damage; and
  - Protection, detection, and minimization of loss or disruption of business operations due to electrical power fluctuations or failure.
- Control Monitoring
Physical access and environmental controls must be monitored, tested, and maintained regularly.
- IT Resource Infrastructure Security
The physical IT resource infrastructure must be protected. Protective controls commensurate to the risk of losing confidentiality, integrity, or availability must be applied to:
  - The physical components of the network, including but not limited to data centers, wiring closets, server rooms, and storage facilities where Local Agency IT resources are stored; and
  - Supporting facilities such as electrical supply and cabling infrastructure.
- IT Resource Maintenance
Local Agency IT resources must be maintained to ensure their continued availability and integrity.
- Off-Site Locations
Off-site refers to locations (e.g., homes, leased locations) where Local Agencies do not have the authority to establish physical and environmental controls. To ensure the security of Local Agency IT resources located off-site, controls that are reasonable and commensurate with the nature and degree of criticality of the Local Agency IT resources and data involved must be applied, including, but not limited to:
  - Authorization of Local Agency IT resources located off-site;
  - Recording of off-site authorizations and inventory of Local Agency IT resources located off-site; and
  - Making Users authorized to take Local Agency IT resources off-site aware of their responsibilities to protect Local Agency IT resources and data, and of the security risks associated with off-site locations.