Physical and environmental controls are more than gates, guards, generators and HVAC monitoring. Getting physical and environmental controls right is a big step forward in reducing your enterprise’s risk and protecting critical assets in an unpredictable world. So how do you determine that you have the proper controls and governance oversight in place? Understanding, documenting and measuring are three critical steps to ensuring your enterprise has the appropriate governance and is meeting its legal, regulatory and business requirements.
Understanding Is Key
Understand your organization’s business objectives, review and understand your existing policies, and review and understand your legal and regulatory responsibilities. Talk to the front-line workers who do the work. Ask them what they think and know about the enterprise’s business objectives and policies. Use this opportunity to educate them and increase their understanding. Also, use this opportunity to have them educate you on how the system currently works and where improvements could be made.
Simple Is Better
Ask yourself, “What is the most straightforward way for my enterprise to document its physical and environmental procedures?” First, your enterprise must have established procedures that align with its business objectives and policies. Second, your enterprise must use these procedures and fine-tune them, ensuring they address realistic scenarios. Finally, you should ask yourself, “What if?” A good example is “what if” the power goes out and all your procedures are on a computer without power backup? One safeguard could be to have a UPS in place for this computer. However, in my experience, written procedures in a binder or tablet are a better approach because they are portable. If your enterprise uses written procedures, ensure your front-line workers use them. If your enterprise uses tablets, ensure that they are actually used, that you have more than one, that they still work if the internet goes out and that there is a way to charge them if the power goes out. In the real world, the simpler approach is normally better.
Realistic Metrics and Tests
Your enterprise’s business objectives and regulatory requirements should determine what metrics your organization tracks. Also, you should ask yourself what you are trying to manage by measuring a specific action. Ultimately, metrics should be used to identify which controls are working and which controls need to be investigated. Spot-checks, announced and unannounced tests, tabletops, and realistic walkthroughs should all be used to measure and test the effectiveness of your enterprise’s controls. Some good examples from my personal experience are: Do the emergency doors fail open during a fire or power outage event? What are the governing laws, regulations and business policies? If you must have the emergency doors fail open during the event, what is your enterprise’s process to address securing critical assets? Do you have to put guards on each open door? What if you must evacuate the facility? All of these are good questions to ask. Finally, test through a controlled walkthrough. You might be surprised what you find. I was locked in a stairwell that was supposed to fail open during the test. Luckily, I had a radio so that I could call for help.
It Comes Down to Proper Governance
Proper governance of your physical and environmental security controls can reveal and improve your overall security maturity and your response to a real crisis. You cannot predict what event may affect your organization in the future, but having sound and tested controls in place helps your organization respond quickly and effectively to any incident or crisis.
Editor’s note: For more resources on this topic, view ISACA’s new Physical and Environmental Security Audit Program.
About the author: Brian is a senior cybersecurity research advisor for ISACA's Content Development and Services Department and a subject matter expert for cybersecurity best practices, governance, controls and standards. He also supports the development and expansion of ISACA's CMMI Cybermaturity Platform (CMMI-CP). Fletcher is a highly accomplished US Navy veteran with 25 years of experience in multidisciplinary security that includes system development, cyberoperations, crisis response and cybersecurity training.