
IT Essentials — Physical and Environmental Controls

•  Unauthorized access granted through the proximity card system.
•  Unauthorized access to environmental control systems or support consoles.
•  Accidental or intentional insider threats (organizational employee or contractor).
•  Accidental or intentional third-party insider threat (service provider employee or contractor).
•  Cyberattack.
•  Theft.
•  Vandalism or terrorism.

Thank you for sharing your list, Sara. It looks fairly comprehensive. During the audit I will be looking for evidence that our organization has the appropriate controls in place to mitigate the risks.

Physical Security Controls

Physical security controls focus on limiting access to only authorized personnel. Typical physical security controls include:
•  Security guards.
•  “Beware of the Dog” and/or “No Trespassing” signs.
•  Security/emergency lighting.
•  Fences and gates.
•  Locking mechanisms on doors and windows.
•  Door/window breach alarms.
•  Cameras and monitoring equipment.
•  Motion detectors.
•  Safety glass in computer rooms.
•  Proximity cards, readers, and procedures.
•  Biometric readers.
•  Entitlement reviews for physical access to parking, buildings, and rooms.
•  Logical network segmentation (even micro-segmentation) that separates the systems used to manage physical security from systems containing sensitive or confidential data and information assets.
•  Least privilege enforced for employees and third parties with access to these systems (all default user IDs and passwords disabled).
•  Encryption and monitoring invoked for remote access.
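The entitlement-review and proximity-card controls above are evidence an auditor can test with data rather than interviews. The following added example (not part of the course material; the roster, badge entitlements, role-to-area mapping and reader log are constructed sample data) shows the two checks side by side: an entitlement review that flags badges whose holder has left, unassigned default badges that are still enabled, and badges with access beyond the holder's role; and a review of reader-log events that detects grants to badges without an active holder, grants to areas the badge is not entitled to, and after-hours entries.

```python
from datetime import datetime

# Constructed HR roster (hypothetical): employee id -> status and role.
HR_ROSTER = {
    "E100": {"name": "Sara", "status": "active", "role": "facilities"},
    "E101": {"name": "Ravi", "status": "active", "role": "developer"},
    "E102": {"name": "Lee", "status": "terminated", "role": "contractor"},
}

# Constructed badge entitlements: badge id -> (employee id, areas the badge opens).
BADGE_ENTITLEMENTS = {
    "B1": ("E100", {"lobby", "computer_room", "hvac_console_room"}),
    "B2": ("E101", {"lobby", "computer_room"}),   # more than a developer needs
    "B3": ("E102", {"lobby", "computer_room"}),   # holder has left the organization
    "B4": (None, {"lobby"}),                       # default/unassigned badge still enabled
}

# Areas each role legitimately needs (least privilege baseline, constructed).
ROLE_AREAS = {
    "facilities": {"lobby", "computer_room", "hvac_console_room"},
    "developer": {"lobby"},
    "contractor": {"lobby"},
}

# Constructed proximity card reader log: (timestamp, badge, area, result).
ACCESS_LOG = [
    ("2021-03-01T08:55:00", "B1", "computer_room", "granted"),
    ("2021-03-01T09:10:00", "B2", "computer_room", "granted"),
    ("2021-03-01T23:40:00", "B3", "computer_room", "granted"),
    ("2021-03-01T10:05:00", "B2", "hvac_console_room", "denied"),
    ("2021-03-02T02:15:00", "B4", "lobby", "granted"),
]


def review_entitlements(roster, entitlements, role_areas):
    """Entitlement review: return (badge, finding) for badges that should not be
    active or that grant more areas than the holder's role requires."""
    findings = []
    for badge, (emp, areas) in entitlements.items():
        if emp is None:
            findings.append((badge, "unassigned badge still enabled"))
            continue
        person = roster.get(emp)
        if person is None or person["status"] != "active":
            findings.append((badge, "holder not an active employee"))
            continue
        excess = areas - role_areas.get(person["role"], set())
        if excess:
            findings.append((badge, "access beyond role: " + ",".join(sorted(excess))))
    return findings


def review_access_log(log, roster, entitlements, after_hours=(20, 6)):
    """Detection over reader logs: return (timestamp, badge, reason) for successful
    grants to badges with no active holder, to unentitled areas, or outside hours.
    after_hours is (start_hour, end_hour); the window wraps past midnight."""
    alerts = []
    start, end = after_hours
    for ts, badge, area, result in log:
        if result != "granted":          # denied attempts are reviewed separately
            continue
        emp, areas = entitlements.get(badge, (None, set()))
        person = roster.get(emp) if emp else None
        if person is None or person["status"] != "active":
            alerts.append((ts, badge, "grant to badge without active holder"))
        elif area not in areas:
            alerts.append((ts, badge, f"grant to unentitled area {area}"))
        hour = datetime.fromisoformat(ts).hour
        if hour >= start or hour < end:
            alerts.append((ts, badge, "after-hours access"))
    return alerts


if __name__ == "__main__":
    for item in review_entitlements(HR_ROSTER, BADGE_ENTITLEMENTS, ROLE_AREAS):
        print("ENTITLEMENT", *item)
    for item in review_access_log(ACCESS_LOG, HR_ROSTER, BADGE_ENTITLEMENTS):
        print("LOG", *item)
```

In practice the roster would come from the HR system and the entitlements and log from the access control system's export; the value of the review is the reconciliation between the two sources, which is exactly what a terminated contractor's still-active badge or a never-disabled default badge fails.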

Environmental Security Controls

Environmental security controls focus on exception management by monitoring for unacceptable conditions. Controls in this regard include, but are not limited to:
•  Emergency off switches.
•  Fire, smoke, and carbon monoxide detectors.
•  Fire extinguishers (rated by fire type) and other fire suppression equipment.
•  Water detection indicators (especially for computer rooms with raised flooring).
•  Humidity/electromagnetic sensors (to prevent static electricity).
•  Monitoring console for chillers and HVAC (equipment temperature control).
•  Battery room (to ensure uninterrupted power supply) and diesel generators.
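"Exception management by monitoring for unacceptable conditions" means the monitoring console compares readings with an acceptable range and raises an alert only on a breach. The added example below (not from the course; the sensor names, thresholds and readings are constructed) evaluates one polling cycle of temperature, humidity, water-detection and UPS readings, and also treats the two quiet failure modes a reviewer should look for, a sensor whose last reading is stale and a sensor that reported nothing at all, as exceptions in their own right.

```python
from datetime import datetime, timedelta

# Acceptable operating ranges (hypothetical values; set from the room's actual requirements).
THRESHOLDS = {
    "temperature_c": (18.0, 27.0),
    "humidity_pct": (40.0, 60.0),
}
MAX_READING_AGE = timedelta(minutes=5)

# Sensors the console expects to hear from every cycle (constructed inventory).
EXPECTED_SENSORS = {
    "rack-a-temp", "rack-b-temp", "room-humidity",
    "floor-water-1", "floor-water-2", "ups-main", "co-detector",
}

# Constructed readings for one cycle: (timestamp, sensor id, metric, value).
READINGS = [
    ("2021-03-01T10:00:00", "rack-a-temp", "temperature_c", 22.5),
    ("2021-03-01T10:00:00", "rack-b-temp", "temperature_c", 29.1),   # over range
    ("2021-03-01T10:00:00", "room-humidity", "humidity_pct", 35.0),  # dry: static risk
    ("2021-03-01T10:00:00", "floor-water-1", "water_detected", 1),   # leak under floor
    ("2021-03-01T09:40:00", "floor-water-2", "water_detected", 0),   # stale reading
    ("2021-03-01T10:00:00", "ups-main", "on_battery", 1),            # mains lost
    # "co-detector" reports nothing this cycle
]


def evaluate(readings, now, thresholds=THRESHOLDS,
             expected=EXPECTED_SENSORS, max_age=MAX_READING_AGE):
    """Return a list of (severity, sensor, message) exceptions for one cycle."""
    alerts = []
    seen = set()
    for ts, sensor, metric, value in readings:
        seen.add(sensor)
        age = now - datetime.fromisoformat(ts)
        if age > max_age:
            # A stale reading is not evidence the condition is acceptable.
            minutes = int(age.total_seconds() // 60)
            alerts.append(("warning", sensor, f"stale reading ({minutes} min old)"))
            continue
        if metric in thresholds:
            lo, hi = thresholds[metric]
            if value < lo or value > hi:
                alerts.append(("warning", sensor, f"{metric}={value} outside {lo}-{hi}"))
        elif metric == "water_detected" and value:
            alerts.append(("critical", sensor, "water detected under raised floor"))
        elif metric == "on_battery" and value:
            alerts.append(("critical", sensor, "running on UPS battery; check generator"))
    # Silence from an expected sensor is itself an exception.
    for sensor in sorted(expected - seen):
        alerts.append(("warning", sensor, "no reading received"))
    return alerts


def evaluate_at(now_iso, readings=READINGS):
    """Convenience wrapper: evaluate the constructed cycle at an ISO-8601 wall-clock time."""
    return evaluate(readings, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for severity, sensor, message in evaluate_at("2021-03-01T10:02:00"):
        print(f"{severity.upper():8} {sensor:14} {message}")
```

The ordering of checks matters: staleness is tested before the value, so a water sensor that stopped reporting an hour ago cannot produce a reassuring "0". An audit of the monitoring console should likewise ask what it does when a sensor goes quiet, not only what it does when a threshold is crossed.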

Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.