Physical and environmental security

In this lesson, we will cover control set A.11 in relation to your ISMS, as well as what evidence can be used to support these controls when you are going through your ISO audit.

Control set A.11, physical and environmental security, is made up of two control areas.

The first control area is A.11.1, secure areas. This is made up of six controls. These controls are as follows:
A.11.1.1 physical security perimeter
A.11.1.2 physical entry controls
A.11.1.3 securing offices, rooms and facilities
A.11.1.4 protecting against external and environmental threats
A.11.1.5 working in secure areas
A.11.1.6 delivery and loading areas

The second control area is A.11.2, equipment, and this is made up of nine controls. These controls include the following:
equipment siting and protection
security of equipment and assets off premises
secure disposal or reuse of equipment
unattended user equipment
clear desk and clear screen policy
Here is some of the evidence that you can use during an audit, whether it be for your ISO 27001 certification audit, an internal audit, or any general IT controls audit that you go through.

Most of the evidence for this control area is either plain to see or conspicuous by its absence. Controls and vulnerabilities can be identified through a physical site inspection or a walk-through. Even if a physical penetration test has been performed for your networks, your auditor would still want to take a site walk-through and examine fences, signs and barriers, what your reception area looks like, how entry and exit is controlled, and whether your company has any loading bays or warehouses attached to it. The auditor may also want to have discussions with your site or security guards and facilities management teams.

If your organization regularly inspects its physical security arrangements, then there would be reports generated from those reviews, diary entries, any incident reports of control breakdowns detected, maintenance logs and so forth. These can all serve as evidence, and especially as evidence of your company proactively reviewing and maintaining its physical security.
If your security guard control is outsourced, the contracts, as well as any security procedures that you have in place with the company, can serve as evidence. It is important that these clarify the expected controls in terms of patrol logs, shift changes and the requirements of the security guards. It is also important, if you have records where people enter their personal information, that these controls are compliant with privacy requirements, that this information is appropriately classified and protected, and that once it has reached its end of life or has exceeded its retention period, it is securely disposed of.

There would also be policies, procedures or notices concerning access to your secure zones, for example, visitors must be accompanied at all times. Site maps and physical inspections should confirm that IT equipment, storage media, computer facilities, your paper or filing cabinets, any archives or storerooms, and videoconferencing facilities are properly sited and installed in adequately secure areas.

If you have a clear desk policy in place, your auditor would want to take a walk through various office areas and determine through inspection that this is actually in place. Your auditor would also want to view your environmental controls, such as UPS and generator devices, fire suppression and alarms, and so on, to confirm maintenance activities.
Evidence such as policies, procedures and guidelines, and records such as your installation inspections, maintenance logs, test reports and fire certificates, will help to confirm that maintenance activities are in place and are being conducted periodically.

With regard to the removal of IT equipment and storage media from storage or from your organization's site, there should be sufficient policies, procedures and guidelines, as well as records, to ensure that this is conducted in a secure way and as per your policy. You would most likely also have policies, procedures or guidelines which specify the protection of information on smartphones, laptops, tablets, USB sticks, portable hard drives, valuable papers, knowledge workers, etcetera. These provide information about working off site and maintaining security, such as security in your home, in vehicles, and when you are travelling abroad.

Lastly, any policies, procedures or guidelines for the secure erasure of storage media, or the use of strong encryption with appropriate key management, may include secure archival prior to disposal or reuse.

In this lesson, we looked at the two control areas that make up control set A.11, physical and environmental security. We discussed the six and nine controls in each control area, and we also discussed what types of documentation can be used as evidence during audits to demonstrate to the auditors that these controls are in place and have been operating during your audit period under review.