CHAPTER TWENTY-NINE

Physical and Environmental Security

IN THIS CHAPTER, we will examine physical security with respect to Information Technology (IT), which refers to the safeguarding of the hardware, buildings, and media containing the data and programs, as well as the infrastructure used to support the processing of data. Physical security encompasses control measures to mitigate the risks of natural events (e.g., flood, earthquake, severe weather conditions) as well as man-made problems (e.g., fire, destruction, theft, civil unrest). Environmental security encompasses the support structures that are the foundations of the physical environment including power, air conditioning, heating, and lighting.

Controls must be appropriate to the threats faced; physical security is therefore dictated by the risks present in the environment. These risks can be broadly categorized into:

  • Physical damage and destruction. This type of damage could be temporary or permanent and may require repair or replacement of the system components affected. As in any control environment, a combination of preventative, detective, and corrective controls will be required to adequately offset the impact of physical damage and destruction. Damage could be accidental as a result of a natural event and could range from minor (such as physical damage to a data medium where a backup is available) to catastrophic (such as physical damage to the whole installation and its personnel with no hope of an immediate recovery). ...
