Implement Site and Facility Security Controls

All the thought and effort put into ensuring that the operation of your systems protects the confidentiality, integrity, and availability of your data is for naught if a threat actor can simply walk into your data center and walk out with the disk drives. Designing a data center or engaging the services of a third-party data center requires careful consideration of the risks and appropriate controls to mitigate those risks.
Similarly, the physical and environmental controls protecting your place of work are critical to ensure the security of your information.
In this section we will examine a range of vulnerabilities and outline appropriate mitigations to be considered.
Remember, however, as we pointed out in the beginning of this section, a fundamental principle of security architecture is defense in depth. This means that you must not rely just on physical security controls to protect physical assets. We must employ other controls so that, to the extent reasonably possible, a failure of a physical security control by itself does not lead to a failure of confidentiality, integrity, or availability.