The physical and environmental policy establishes rules that ensure that the building where sensitive data processing occurs is secure from a personnel perspective as well as from a physical plant perspective.

What the physical and environmental policy should address:

• Limiting physical access to information systems, equipment, and the respective operating environments to authorized individuals
• Protecting the physical plant and support infrastructure for information systems
• The development of supporting utilities for information systems
• Protecting information systems against environmental hazards
• Providing appropriate environmental controls in facilities containing information systems
• Escorting visitors and monitoring visitor activity
• Maintaining audit logs of physical access
• Controlling and managing physical access devices
• Enforcing safeguarding measures for information at alternate work sites (for example, telework sites)