After determining physical security needs, work to ensure you are meeting the minimum information security requirements for physical security set out in Physical Security (DS-17), along with any additional regulatory compliance requirements or contractual obligations.
To assess the physical environment's risks, look at it from the perspective of an attacker. Think about the areas that house sensitive university data as you would think about areas storing other valuables, such as cash or art. Ask questions including, but not limited to, these:
- What are the ways that someone could get into the environment?
- Are there physical barriers in place, such as door locks or fencing, to stop unauthorized visitors? Are there alarms or cameras in place as needed?
- Is there a process to allow visitors access to the environment?
- What would a visitor be able to physically access after entering the environment?
- What devices or equipment could be physically accessed/stolen? Could you quickly determine if something was missing?
- Which data could be accessed or stolen by someone with physical access?
- Are data-protection controls in place? If a device was stolen or lost, would its data still be protected?
- How would an issue in the environment such as fire, flooding, or power loss affect the security of the equipment/data?
- Are all faculty and/or staff properly trained in physical security requirements for the environment?
- Is there another location available, with the same or similar resources, in case the primary location becomes inaccessible or unavailable? (Also see Disaster Recovery Management.)
After completing the assessment of physical risks, continue to Step 3: Secure the physical IT environment.