Site Operations
This set of activities spans everything from small office network closets to data center operations. BCSF encourages the adoption of all activities at all times, with depth proportionate to business need. The objective is to consider what malicious actors could do if they gained access to mission-critical hardware, and also how to support that hardware in the event of environmental failures.
| Category | Sub-Category | Name | Activity |
|---|---|---|---|
| Site Operations | Physical Security | Secured Facility | Physical access to restricted areas of the facility is protected by walls with non-partitioned ceilings, secured entry points, and/or manned reception desks. |
| Site Operations | Physical Security | Physical Protection and Positioning of | [The organization] power and telecommunication lines are protected from interference, interception, and damage. |
| Site Operations | Physical Access Account Lifecycle | Provisioning Physical Access | Physical access provisioning to a [the organization] datacenter requires management approval and documented specification of: |
| Site Operations | Physical Access Account Lifecycle | De-provisioning Physical Access | Physical access that is no longer required in the event of a termination or role change is revoked. If applicable, temporary badges are returned prior to exiting facility. |
| Site Operations | Physical Access Account Lifecycle | Periodic Review of Physical Access | [The organization] performs physical access account reviews [in accordance with the organization-defined frequency]; corrective action is taken where applicable. |
| Site Operations | Physical Access Account Lifecycle | Physical Access Role Permission Authorization | Initial permission definitions, and changes to permissions, associated with physical access roles are approved by authorized personnel. |
| Site Operations | Physical Access Account Lifecycle | Monitoring Physical Access | Intrusion detection and video surveillance are installed at [the organization] datacenter locations; confirmed incidents are documented and tracked to resolution. |
| Site Operations | Physical Access Account Lifecycle | Surveillance Feed Retention | Surveillance feed data is retained for [the organization-defined duration]. |
| Site Operations | Physical Access Account Lifecycle | Visitor Access | Physical access for visitors is managed through monitoring, maintaining records, escorting, and reviewing access [in accordance with the organization-defined frequency]. Visitor access records to the facilities are kept for [the organization-defined duration]. |
| Site Operations | Physical Access Account Lifecycle | Physical Access Devices | Physical access devices (i.e., keys, combinations, access cards, etc.) are maintained through an inventory and restricted to authorized individuals. Appropriate devices are rotated when compromised or upon employee termination or transfer. |
| Site Operations | Environmental Security | Temperature and Humidity Control | Temperature and humidity levels of datacenter environments are monitored and maintained at appropriate levels. |
| Site Operations | Environmental Security | Fire Suppression Systems | Emergency responders are automatically contacted when fire detection systems are activated; the design and function of fire detection and suppression systems are maintained [in accordance with the organization-defined frequency]. |
| Site Operations | Environmental Security | Power Failure Protection | [The organization] employs uninterruptible power supplies (UPS) and generators to support critical systems in the event of a power disruption or failure. The design and function of relevant equipment is certified [in accordance with the organization-defined frequency]. |
| Site Operations | Environmental Security | Emergency Lighting | [The organization] employs emergency lighting in the event of a power disruption or failure. The design and function of relevant equipment is certified [in accordance with the organization-defined frequency]. |