A11 Physical and Environmental Security

00:02

Listen 11.7

00:04

11

00:06

physical and environmental security

00:11

In this lesson, we will cover control set 11

00:16

in relation to your ice amis,

00:18

as well as what evidence can be used to support these controls when you are going through your eyes, so ordered

00:30

control said. 8 11. Physical environmental security is made up of two control areas.

00:37

The first control area

00:39

is a 11.1 point one secure areas.

00:45

This is made up of six controls.

00:48

Thes controls are as follows.

00:52

A 11.1 point one

00:55

The physical security perimeter,

00:59

a 11.1 point two

01:03

physical entry controls

01:07

a 11.1 point three

01:10

securing officers rooms and facilities,

01:15

a 11.1 point four

01:19

protecting against external and environmental threats,

01:25

a 11.1 point five

01:27

working insecure areas

01:30

and a 11.1 point six

01:34

delivery and loading areas.

01:41

The second control area

01:42

is a 11.2

01:46

equipment,

01:47

and this is made up of nine controls.

01:51

These controls are as follows.

01:53

A 11.2 point one

01:57

equipment citing and protection,

02:01

a 11.2 point two

02:06

supporting utilities,

02:08

a 11.2 point three

02:13

cabling security,

02:15

a 11.2 point four

02:20

equipment maintenance.

02:23

A 11.2 point five.

02:27

Removal of assets.

02:30

A 11.2 point six.

02:34

Security of equipment and assets off premises.

02:38

A 11.2 point seven.

02:43

Secure disposal or reuse of equipment.

02:47

A 11.2 point eight

02:52

unattended user equipment.

02:55

A 11.2 point nine

03:00

clear and desk and clear screen policy.

03:07

So some of the evidence here that you can use

03:09

during an audit, whether it be for your ice 0 27,001 certification into an audit

03:16

as well as any general I T controls ordered that you go through.

03:23

So most of the evidence for this control area is either plain to see

03:28

or it is conspicuous by its absence.

03:32

Controls and vulnerabilities can be identified through a physical site inspection or a walk through.

03:39

Even if physical penetration test for your networks,

03:44

your auditor would want to take a site, walk through

03:49

and examine fences, signs, barriers,

03:53

what your reception area looks like and how

03:55

energy and exit is controlled,

03:59

as well as if your company has any loading bays,

04:02

all warehouses attached to it.

04:08

The order to may also want to have discussions with your site or security guards and facility facilities management teams.

04:19

If your organization regularly inspects its physical security arrangements,

04:26

then there would be reports generated from those reviews diary entries. Any incident reports, off control breakdowns, detected

04:34

maintenance logs and so forth

04:36

that can all serve as evidence

04:41

and especially evidence off your company proactively reviewing and maintaining its physical security.

04:49

If your security God control is outsourced

04:54

projects as well as any security procedures that you have in place with the company can serve as evidence.

05:01

It is important that these clarify the expected controls

05:06

in terms of patrol logs, shift changes, the requirements of the security guards. And so

05:16

it is important that you, if you have

05:19

visitors books

05:21

where people enter their personal information,

05:26

that these controls are also complained with privacy requirements

05:30

and this and that. This information is appropriately classified, protected,

05:34

and once it has reached its end of life or has exceeded its retention period,

05:41

that is it. It is securely disposed off.

05:49

There would also be policies, procedures or notices concerning access to your secure zones.

05:58

For example, visitors must be accompanied at all times.

06:08

Site maps and physical inspections should confirm that I t equipment storage media,

06:15

computer facilities, your paper or filing cabinets. Any archives or storerooms. Videoconferencing facilities

06:25

are perfectly cited.

06:27

Well bar coded

06:28

installed in adequately secure areas.

06:32

If you have a clean desk and policy in place,

06:35

your order to would want to take a walk through various office areas

06:40

and determined through inspection that this is actually in place.

06:49

Your order to would also want to view your environmental controls

06:55

such as UPS and generated devices,

06:59

air conditioning,

07:00

fire suppression and alarms, and so

07:10

to confirm maintenance activities.

07:13

Evidence such as policies, procedures,

07:15

guidelines and records

07:17

such as your installation inspections, maintenance logs, test reports and fire certificates will help to confirm that maintenance activities are in place

07:29

and are being conducted periodically

07:35

with regards to the removal of I T equipment and storage media

07:40

from storage or from your organization site.

07:44

There should be sufficient policies, procedures and guidelines as well as records

07:48

to ensure that this is conducted in a secure way and as per your policy,

08:01

you would most likely also have policies, procedures or guidelines

08:07

which specify the protection of information on smartphones, laptops, tablets, USB sticks, portable hard drives, valuable papers,

08:18

knowledgeable workers, etcetera.

08:22

This little start.

08:24

Provide information about working off site and maintaining security,

08:30

such a security in your home in vehicles

08:33

and when you are traveling abroad.

08:46

Lastly, any policies, procedures or guidelines for the Secure IHR Asia Off storage media or the use of strong encryption with appropriate key management

08:56

may include secure archival prior to disposal or reuse.

09:09

In this lesson, we looked at the to control areas that make up controls it a 11 physical and environmental security.

09:18

We discussed the six

09:20

and nine controls in each control area,

09:26

and we also discussed what types off documentation can be used as evidence during orders