
Hardware and physical access controls

The CITP would want to perform walk-throughs, observations, and inspections to gain an understanding of the physical controls in place related to IT hardware and infrastructure.


Computer center

One area where physical controls are essential to infosec is the main computer center. Because the computer center usually houses the main servers and other sensitive IT, physical access to it is a high-risk area. The CITP would check for physical controls such as locked doors, cameras, and monitoring of incoming traffic. Monitoring traffic could be done electronically, manually, or even by security guards. Its purpose is to make unauthorized entrance to the center difficult, if the risk is high enough to warrant it.


Server room

In the computer center, the servers that house financial applications and other critical systems or applications are generally the items of highest risk. Appropriate physical controls usually involve not only physical access to the center, but also a second set of physical controls on the room containing the servers.

In fact, the servers should be in a separate room with separate physical controls. Those controls would be stricter than those used to access the center. For example, doors to the center might be accessible with an authorized swipe card, but server room access might require both a swipe card and a biometric (for example, a fingerprint).

In addition, it might be useful to have glass walls around the server room so that authorized personnel in the center could see an unauthorized person in the server room. The main objective is to provide physical access controls at the same level as the risk and sensitivity, which would be very high for servers.


Sensitive hardcopy information

A similar circumstance exists regarding printed reports and information being generated in the center.

If printouts are high risk and highly sensitive, physical access to the printer and printouts also needs to be correspondingly strict; if highly sensitive printouts are being generated, appropriate access controls might involve a separate print room with separate and more elaborate access controls than the center's access. Data control groups have been used in the past as physical controls to physically handle hardcopy printouts. The people in data control would be people with adequate segregation of duties (SoD), not involved with inputs or processing of data.


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-17