Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
Explanation
Physical security vulnerabilities can compromise even the most robust digital security measures.
This assessment should identify potential physical access weaknesses, environmental threats (fire, flood, power issues), and evaluate the effectiveness of existing physical controls such as access cards, biometrics, security cameras, and guards.
The assessment should also evaluate resilience factors like backup power systems, cooling redundancies, and disaster recovery capabilities.
Evidence could include a formal physical security assessment report conducted by qualified personnel (internal or external), which documents identified vulnerabilities, risk ratings, and recommended remediation actions with implementation timelines.
Implementation Example
Assess facilities that house critical computing assets for physical vulnerabilities and resilience issues
ID: ID.RA-01.150
Context
- Function
- ID: IDENTIFY
- Category
- ID.RA: Risk Assessment
- Sub-Category
- Vulnerabilities in assets are identified, validated, and recorded
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?
- Has your organization configured cybersecurity tools to automatically ingest and operationalize threat intelligence feeds?

