Page 68 - Courses
IT Essentials — Physical and Environmental Controls
Cyber-event related headlines over the last decade have placed environmental systems on the radar
of regulators and boards alike, and for good reason.
In 2013, Target experienced a massive data breach after a bad actor gained access to financial data
via the heating, ventilation, and air conditioning (HVAC) system console. More recently, in February 2021,
the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida was attacked by a bad actor who
gained access to the administrator's console and altered chemical configurations. From these
events, we see that environmental controls have been, and continue to be, exploited by bad actors
for financial gain, publicity, and to cause physical harm.
Environmental Security and the Three Lines Model
Environmental security is both a first-line and second-line responsibility in most organizations. The
IIA’s Three Lines Model helps organizations identify structures and processes that best assist in the
achievement of objectives, and facilitate strong governance and risk management. The Three Lines
Model also aids organizations in determining the responsibilities and relationships across the
organization’s governing body, management, and internal audit activity.
Source: The Institute of Internal Auditors. 2020.
Responsibilities
The facilities and/or maintenance business unit is typically responsible for establishing and
maintaining the vendor relationships for environmental controls, as well as the systems dedicated to
physical security.
• IT network architects, server engineers, and access administrators assign these systems to
the appropriate network segment, establish firewall rules, access control list entries, and
router configurations. Depending on the vendors’ requirements, internal IT personnel may or
may not manage access to the devices.
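The segmentation work described above (placing environmental-control systems on their own segment and writing firewall rules and access control list entries around them) can be checked rather than assumed. The following audit script is an added example and is not part of the IIA course material: it assumes a simplified rule format (action, source CIDR, destination CIDR, destination port), and the segment names, addresses, and rule sets are constructed for illustration. It compares a flat "HVAC can reach anything" rule set against a corrected one that pins the HVAC segment to a vendor jump host only, and flags any permit rule that opens a path the policy does not allow, in either direction.

```python
"""Audit firewall rules around a building-controls (HVAC/OT) segment.

Added example, not code from the IIA course page. Assumes a simplified
rule format and a constructed address plan; a real review would export
the rules from the firewall and map the organization's own segments.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # source CIDR, "0.0.0.0/0" for any
    dst: str                  # destination CIDR, "0.0.0.0/0" for any
    dst_port: Optional[int]   # None means any port


# Constructed network segments (illustrative address plan, an assumption).
SEGMENTS = {
    "hvac_ot": ipaddress.ip_network("10.50.0.0/24"),      # building controls
    "vendor_jump": ipaddress.ip_network("10.60.0.0/28"),  # hardened vendor access host
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "users": ipaddress.ip_network("10.20.0.0/22"),
}

# Policy (constructed): the HVAC segment may only exchange traffic with the
# vendor jump segment on TCP 443, in both directions. Anything else is a finding.
ALLOWED_HVAC_EGRESS = {("vendor_jump", 443)}
ALLOWED_HVAC_INGRESS = {("vendor_jump", 443)}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def audit_permits(rules, segment, allowed, direction="egress"):
    """Return [(rule, other_segment)] for permits that violate the policy.

    direction="egress" anchors the rule's source on `segment` and inspects
    where it may send; "ingress" anchors the destination and inspects who
    may reach it. Overlap (not exact match) is used so that "any" rules and
    supernets covering the segment are caught. A port of None (any) never
    equals an allowed (segment, port) pair, so it is always flagged.
    """
    anchor = SEGMENTS[segment]
    findings = []
    for rule in rules:
        if rule.action != "permit":
            continue
        if direction == "egress":
            fixed_net, other_net = _net(rule.src), _net(rule.dst)
        else:
            fixed_net, other_net = _net(rule.dst), _net(rule.src)
        if not fixed_net.overlaps(anchor):
            continue
        for name, seg in SEGMENTS.items():
            if name == segment or not other_net.overlaps(seg):
                continue
            if (name, rule.dst_port) in allowed:
                continue
            findings.append((rule, name))
    return findings


# Constructed rule sets. The weak set mirrors a flat network where the HVAC
# segment can reach everything and staff workstations can reach the HVAC
# console directly; the corrected set restricts both paths to the jump host.
WEAK_RULES = [
    Rule("permit", "10.50.0.0/24", "0.0.0.0/0", None),     # HVAC -> anywhere
    Rule("permit", "10.20.0.0/22", "10.50.0.0/24", None),  # users -> HVAC console
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

CORRECTED_RULES = [
    Rule("permit", "10.50.0.0/24", "10.60.0.0/28", 443),   # HVAC -> vendor jump only
    Rule("permit", "10.60.0.0/28", "10.50.0.0/24", 443),   # vendor jump -> HVAC console
    Rule("deny", "10.50.0.0/24", "0.0.0.0/0", None),       # explicit deny, HVAC outbound
    Rule("deny", "0.0.0.0/0", "10.50.0.0/24", None),       # explicit deny, HVAC inbound
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        egress = audit_permits(rules, "hvac_ot", ALLOWED_HVAC_EGRESS, "egress")
        ingress = audit_permits(rules, "hvac_ot", ALLOWED_HVAC_INGRESS, "ingress")
        print(f"{label}: {len(egress)} egress finding(s), {len(ingress)} ingress finding(s)")
        for rule, seg in egress + ingress:
            print(f"  permit {rule.src} -> {rule.dst} port={rule.dst_port} touches {seg}")
```

The check is deliberately conservative: it flags every permit that overlaps the HVAC segment without modelling first-match ordering, so a permit shadowed by an earlier deny still shows up as a finding. That is the right bias for a segmentation review, where an unexplained broad permit is worth a question even if it happens to be unreachable today.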
Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.