The physical risk to an information system is perhaps the most important to consider. You MUST limit physical access to a system or any technical or administrative controls you implement are meaningless because they can be bypassed easily. With direct physical access ANYONE can boot a server into a Kali Linux Live CD/USB or do a Password Recovery on your Cisco Router PWNAGE!!!! If you can physically touch a system, then you can own it.
Additionally, you should have a contingency plan for the most likely avenue of physical disaster to a system. This limits the potential of intentional and unintentional harm to the system.
To limit the physical risk to an information system the NIST SP 800-53/DIARMF prescribes “Physical and Environmental Protection” Controls:
- PE-1 Physical and Environmental Protection Policy and Procedures
- PE-2 Physical Access Authorizations
- PE-3 Physical Access Control
- PE-4 Access Control for Transmission Medium
- PE-5 Access Control for Output Devices
- PE-6 Monitoring Physical Access
- PE-7 Visitor Control
- PE-8 Access Records
- PE-9 Power Equipment and Power Cabling
- PE-10 Emergency Shutoff
- PE-11 Emergency Power
- PE-12 Emergency Lighting
- PE-13 Fire Protection
- PE-14 Temperature and Humidity Controls
- PE-15 Water Damage Protection
- PE-16 Delivery and Removal
- PE-17 Alternate Work Site
- PE-18 Location of Information System Components
- PE-19 Information Leakage