Physical Security for IT

At this point you should have identified the areas for which you need to develop physical IT security policies and procedures (as discussed in Chapter 4). The areas for which you may need procedures include: data centers, wiring and cabling, remote computing devices, desktop computers, department-based servers, telecom and datacom equipment, manufacturing control equipment, and surveillance and alarm systems. You also should have determined how responsibilities for physical IT security will be spread across the various departments in your organization.
The physical IT working group should have developed a tentative list of the procedures needed for each of the areas you identified as requiring physical security procedures. The action steps in Chapter 3 called for evaluations of existing risk exposure: cyber security, disaster recovery, and business continuity plans; legal and regulatory requirements; and insurance requirements and opportunities to reduce insurance premium cost. The results of these evaluations will help the working group develop the list of needed procedures.
In addition, you should have determined how administrative support will be provided to the working group in their efforts to create the documents that communicate what the procedures are and who has responsibility for those procedures.
If you have performed all of the recommended action steps and assembled all of this material, you are now ready to develop and document procedures. Table 5.1 shows the various lists of procedures the working group should have compiled.
| Types of... |
|---|