http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditPhysicalSecurityAuditChecklist!OpenDocument
Q: Are employees required to attend any type of training class for fire emergencies and/or
bomb threats?
All employees should be required to attend a training session explaining the procedures
in the case of a fire or bomb threat and all employees should be required to sign an
agreement stating that they have attended the training.
Q: Is there a process for issuing keys, codes, and/or cards that requires proper
authorization and background checks?
Q: Are keys and codes changed on a regular basis to prevent unauthorized persons from
obtaining access?
Windows are more than 18 feet from the ground and are not easily accessible from the
building exterior. Windows do not have openings greater than 96 square inches, and
windows have gaps less than 8 inches vertically by 15 inches horizontally. Windows are
more than 40 inches from a locking device.
Q: Are fences and/or walls in place and do they adequately protect the property?
All entranceways should have lighting similar to that during daylight hours.
Locked gates should have lighting similar to that of fully active entranceways.
Parking lots inside the property lines should have standard street lighting. Additional
security and lighting should be implemented for parking lots outside the facility.
Employees should have a guard available to escort them to their car if necessary.
Specific Risk: Cables and wiring are damaged causing a loss in network connectivity.
Q: Does the cabling come up the middle of the building or on the sides?
Cabling should be heavily protected between floors.
Cabling should travel from floor to floor through the center of the building. The outer
parts of the building are more susceptible to weather damage.
Q: Do the cables make any tight turns, bends, twists, or are they squeezed through any
tight holes?
Cables are laid out in a manner that does not make them susceptible to physical strain.
Q: Manual or Automatic?
As the number of computers goes up, the amount of risk goes up. Excess computers
allow for more access points for intruders.
Q: Is the programming area in a room by itself or combined with other work areas?
The programming area should be restricted to authorized personnel, separate from normal
work areas.
Q: How does the room restrict access (key, code, electronic card)?
Q: How long can visitors/guests stay in the room at any given time?
All guests should be escorted at all times.
If visitors are not required to be escorted, a time limit should be placed on visitation
rights.
Q: Is there any hardware in the room besides the programming computers (servers, hubs,
etc.)?
All hardware other than that necessary for programming should be in the computer
room, data center, or communication closets. The only hardware that should be in the
programming room is the hardware programmers need to perform their day-to-day business
functions.
Windows are the easiest access points to a secured area by brute force. Also, windows
can be easily broken during natural disasters or storms.
The computer room floor should be elevated at least 18 inches. The water table of the
location should be taken into consideration.
Specific Risk: If any of the potential threats become a reality without the proper
detection, prevention, and monitoring systems in place, significant damage to hardware
could occur resulting in loss of operational capability.
Q: Is there a policy to protect against any and all known environmental factors and risks?
Q: Are detection and monitoring devices tested on a regular basis, except for the fire
suppression system?
Q: Are there smoke detectors below the raised floor and on the ceiling?
Q: Is there an emergency power-off switch inside and outside the computer room?
Q: Are there redundant power lines that feed into the facility?
Redundant power sources should be available to all mission critical facilities.
Specific Risk: Hardware failure can easily occur without proper cooling; backup cooling
sources will therefore greatly decrease the chance of a failure in the event of an
air-conditioning problem.
Q: Do visitors wear badges, and are they different from those of regular employees?
All visitors should wear some form of identification (e.g., a name tag) so that they are
distinguishable from regular employees.
Security cameras should be in place to help monitor important areas of the building and
facility.
If maintenance personnel are contracted, the company should have adequate insurance to
cover employee fraud or theft.
Q: Have all employees been properly trained on how to care for all computer equipment
and accessories?
All employees should be required to attend a short training on computer care and should
be required to sign an agreement attesting that they understand how to properly care for
all equipment.
Q: Who orders new PCs, who receives them, and who delivers them?
A formal procedure should exist for ordering and receiving new hardware. Segregation
of duties should be apparent.
Specific Risk: Telephone resources may be used for inappropriate purposes, disclose
sensitive communications, or be unavailable when needed.
Specific Risk: Portable devices may be stolen or may disclose sensitive information.
Q: What is the process for someone to mail confidential or sensitive company and/or
client information?
Q: How are confidential documents handled and how are they stored?
Sensitive data should be stored in a controlled area according to its classification. Proper
control measures should be in place to ensure that access to one classification of
documents does not enable access to another (e.g., Company Top Secret and Company
Secret documents should not be stored together in the same vault).
A comprehensive tracking system should be in place for checking out documents to track
who has what documents. Access to documents should be restricted to the appropriate
personnel on a business need basis.