Control 7.8: Equipment Siting and Protection
Summary
Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and the opportunities for unauthorized access. This covers the placement and protection of servers, network equipment, workstations and peripherals: where they sit (away from windows, corridors, reception areas and water sources), the environmental conditions around them (temperature, humidity, power quality, lightning and electromagnetic interference) and their positioning so that screens and printed output cannot be observed by unauthorized people.
Applicability
In-Scope: Mandatory for protecting physical hardware assets, such as servers, switches, workstations and printers, from environmental damage and from accidental or intentional interference, including unauthorized viewing of displayed information.
Out-of-Scope: Rarely excludable. A fully remote organization with no office hardware can justify a reduced scope, but the laptops and home-office equipment it issues still have to be sited and protected (screen positioning, surge protection), so the control normally remains applicable in reduced form rather than being excluded.
Implementation Guidance
Microsoft 365 / Entra ID
- Asset Tracking: Use Microsoft Intune as the authoritative inventory of enrolled devices (model, serial number, owner, compliance state, last check-in) and record each device's physical site or room as an Intune device category or in the linked asset register. Intune can locate some lost or stolen devices, but it does not replace a register of where fixed equipment is sited.
- Monitor Siting: Publish guidance on SharePoint on positioning screens away from windows, corridors and reception areas, and on using privacy filters and automatic screen lock where repositioning is not possible, to prevent shoulder surfing.
- Redundancy: Use Azure Site Recovery to replicate on-premises servers to Azure so that, if local hardware is physically damaged, workloads can fail over to a cloud environment. This is a continuity control that complements siting and protection; it does not remove the need to protect the primary site.
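The inventory evidence the asset-tracking point asks for can be pulled straight from Intune. The script below is an added example, not code from the original page or from Microsoft: it uses the Microsoft Graph PowerShell SDK to export every managed device with its owner, compliance state and last check-in, and flags devices that have no site recorded or have gone quiet. It assumes the Microsoft.Graph.DeviceManagement module is installed, that the caller has the DeviceManagementManagedDevices.Read.All permission, and (an organizational convention, not an Intune feature) that the Intune device category is used to record the site or room where fixed equipment lives.

```powershell
# Added example (not from the original page): export an Intune device inventory
# as evidence for Control 7.8, using the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.DeviceManagement is installed and the caller holds
# DeviceManagementManagedDevices.Read.All.
# Assumption: the Intune device category records the site/room of fixed
# equipment (e.g. "HQ-ServerRoom", "Branch-02-Comms"); adjust if you use
# another field or a separate asset register.

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$staleAfterDays = 30   # devices silent longer than this are flagged for follow-up
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$inventory = Get-MgDeviceManagementManagedDevice -All |
    ForEach-Object {
        [pscustomobject]@{
            DeviceName      = $_.DeviceName
            SerialNumber    = $_.SerialNumber
            Manufacturer    = $_.Manufacturer
            Model           = $_.Model
            OS              = "$($_.OperatingSystem) $($_.OsVersion)"
            Owner           = $_.UserPrincipalName
            Site            = $_.DeviceCategoryDisplayName   # assumption: category = site/room
            ComplianceState = $_.ComplianceState
            LastSync        = $_.LastSyncDateTime
            Stale           = ($_.LastSyncDateTime -lt $cutoff)
        }
    }

# Devices with no site recorded, or that have not checked in recently, are the
# ones an auditor will ask about: they cannot be shown to be sited and protected.
$gaps = $inventory | Where-Object { [string]::IsNullOrEmpty($_.Site) -or $_.Stale }

$inventory | Sort-Object Site, DeviceName |
    Export-Csv -Path ".\Control-7.8-EquipmentInventory.csv" -NoTypeInformation
$gaps | Sort-Object DeviceName |
    Export-Csv -Path ".\Control-7.8-InventoryGaps.csv" -NoTypeInformation

"{0} managed devices exported; {1} need a site assigned or a check-in" -f $inventory.Count, $gaps.Count
```

The first CSV is the equipment inventory for the evidence file; the second is a working list for the asset owner. Reconcile the export against the physical asset register before the audit, since Intune only knows about enrolled devices and will not list unmanaged switches, UPS units or cabling panels.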
Evidence Checklist
- Equipment Inventory: A list showing the physical location and protection level of all critical hardware, reconciled against the Intune device list so that nothing enrolled is missing a site and nothing on a site is missing from the register.
- Environmental Risk Assessment: Evidence that risks such as heat, humidity, water ingress, power surges and outages were considered when placing equipment, and what was done about them (rack position, UPS, leak detection, surge protection).
- Maintenance Logs: Records showing that cooling systems, UPS units and power supplies for equipment sites are regularly serviced and tested.
Practical Audit Advice
Here are some questions the auditor might ask:
- How is critical equipment protected from potential water damage, for example by being raised off the floor and kept away from pipework?
- Is there adequate ventilation and temperature control for the room where your network equipment is stored, and is it monitored?
- How do you prevent unauthorized persons from accessing the rear of server racks or cabling panels?
- What controls are in place to prevent the accidental unplugging of power or network cables in common areas?
- Are screens in shared or customer-facing areas positioned, or fitted with privacy filters, so that they cannot be read by passers-by?