DCS-03: Secure Area Policy and Procedures

Control Family:

Datacenter Security

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set and incorporates the following controls from the previous version: DCS-06: Policy, GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually.

Implementation Guidance

The CSP should identify the manageable parts of the data center and consider operational criteria, such as effectivity, efficiency, compliance, reliability, risk management, functionality, availability, integrity, and confidentiality. Then, the CSP should prepare and maintain policies and procedures for each part. Policies and procedures should include provisions to restrict physical access to the facilities to prevent unauthorized entry. Facility areas that house, store, and transact customer data should be configured to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate (ISO standard; ISO_IEC_27002_2013 - 11.1.3 (c)). In addition, the facility itself should be designed and positioned to reduce the risk of natural disasters. Systems and infrastructure should be deployed to enhance fire prevention—typically utilizing zoned dry-pipe sprinkler systems. These systems are intended to be deployed throughout the facility and not just within the computer room.

Auditing Guidance

  1. Examine the organization's policy and procedures related to physical areas under the organization's control.
  2. Determine if policy has been approved, communicated, and reviewed.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.