Maturity level | Description
0 (Non-existent) | There is no awareness of the need to protect the facilities or the investment in computing resources. Environmental factors, including fire protection, dust, power and excessive heat and humidity, are neither monitored nor controlled.
1 (Initial/Ad Hoc) | The organisation has recognised a business requirement to provide a suitable physical surrounding which protects the resources and personnel against man-made and natural hazards. No standard procedures exist and the management of facilities and equipment is dependent upon the skills and abilities of key individuals. Housekeeping is not reviewed and people move within the facilities without restriction. Management does not monitor the facility environmental controls or the movement of personnel.
2 (Repeatable but Intuitive) | The awareness of the need to protect and control the physical computing environment is recognised and evident in the allocation of budgets and other resources. Environmental controls are implemented and monitored by the operations personnel. Physical security is an informal process, driven by a small group of employees possessing a high level of concern about securing the physical facilities. The facilities maintenance procedures are not well documented and rely upon the best practices of a few individuals. The physical security goals are not based on any formal standards and management does not ensure that security objectives are achieved.
3 (Defined Process) | The need to maintain a controlled computing environment is understood and accepted within the organisation. The environmental controls, preventive maintenance and physical security are budget items approved and tracked by management. Access restrictions are applied, with only approved personnel being allowed access to the computing facilities. Visitors are logged and sometimes escorted, depending upon the responsible individual. The physical facilities are low profile and not readily identifiable. Civil authorities monitor compliance with health and safety regulations. The risks are insured, but no effort is made to optimise the insurance costs.
4 (Managed and Measurable) | The need to maintain a controlled computing environment is fully understood, as evident in the organisational structure and budget allocations. Environmental and physical security requirements are documented and access is strictly controlled and monitored. Responsibility and ownership have been established and communicated. The facilities staff has been fully trained in emergency situations, as well as in health and safety practices. Standardised control mechanisms are in place for restricting access to facilities and addressing environmental and safety factors. Management monitors the effectiveness of controls and the compliance with established standards. The recoverability of computing resources is incorporated into an organisational risk management process. Plans are developed for the entire organisation, regular and integrated testing occurs and lessons learned are incorporated into plan revisions. The integrated information is used to optimise insurance coverage and related costs.
5 (Optimised) | There is a long-term plan for the facilities required to support the organisation's computing environment. Standards are defined for all facilities, covering site selection, construction, guarding, personnel safety, mechanical and electrical systems, fire, lighting and flooding protection. All facilities are inventoried and classified according to the organisation's ongoing risk management process. Access is strictly controlled on a job-need basis, monitored continuously and visitors are escorted at all times. The environment is monitored and controlled through specialised equipment and equipment rooms become 'unmanned'. Preventive maintenance programs enforce a strict adherence to schedules and regular tests are applied to sensitive equipment. The facilities strategy and standards are aligned with IT services availability targets and integrated with business continuity planning and crisis management. Management reviews and optimises the facilities on a continual basis, capitalising on opportunities to improve the business contribution.