DS12 Manage Facilities

Control over the IT process of managing facilities

with the business goal of providing a suitable physical surrounding which protects the IT equipment and people against man-made and natural hazards

is enabled by
• the installation of suitable environmental and physical controls which are regularly reviewed for their proper functioning

and takes into consideration
• Critical Success Factors that leverage
• specific IT Resources and is measured by
• Key Performance Indicators

Record of Assessment
Control Objective: Manage facilities.

CRITICAL SUCCESS FACTORS
• A strategy and standards are defined for all facilities, covering site selection, construction, guarding, personnel safety, mechanical and electrical systems, fire, lightning and flooding protection
• The facilities strategy and standards are aligned with IT services availability targets and information security policies, and integrated with business continuity planning and crisis management
• Facilities are regularly monitored using automated systems with clear tolerances and audit logs, CCTV (Closed Circuit Television) and intrusion detection systems where necessary, as well as through physical inspections and audits
• There is strict adherence to preventive maintenance schedules and strict discipline in the housekeeping of facilities
• Physical access is rigorously monitored and based on need-to-be and zoning principles, with identification, authorisation and exception procedures where needed
• There are good relationships and exchanges of information with law enforcement, fire brigade and other local authorities
• Clear, concise and up-to-date detection, inspection and escalation procedures exist, supported by a training programme
KEY GOAL INDICATORS
• A reduction in the number of facilities and physical security incidents, including theft, damage, disclosure, outage, health and safety problems
• A reduction in the amount of downtime due to outage of utilities
• A measured adherence to applicable laws and regulation
• A measured adherence to insurance policy requirements
• A measured improvement in the cost/risk ratio
KEY PERFORMANCE INDICATORS
• Complete inventory and maps with identification of single points of failure
• Frequency of training of personnel in safety, facilities and security measures
• Frequency of testing of fire alarm and evacuation plans
• Frequency of physical inspections
• Reduced number of unauthorised accesses to restricted equipment rooms
• Transparent, regular switching to no-break power
• Time lag between recording and closure of physical incidents
Conclusions:
* Non-existent 
There is no awareness of the need to protect the facilities or the investment in computing resources. Environmental factors, including fire protection, dust, power and excessive heat and humidity, are neither monitored nor controlled.
* Optimised 
There is a long-term plan for the facilities required to support the organisation's computing environment. Standards are defined for all facilities, covering site selection, construction, guarding, personnel safety, mechanical and electrical systems, fire, lightning and flooding protection. All facilities are inventoried and classified according to the organisation's ongoing risk management process. Access is strictly controlled on a job-need basis, monitored continuously, and visitors are escorted at all times. The environment is monitored and controlled through specialised equipment, and equipment rooms become 'unmanned'. Preventive maintenance programs enforce a strict adherence to schedules, and regular tests are applied to sensitive equipment. The facilities strategy and standards are aligned with IT services availability targets and integrated with business continuity planning and crisis management. Management reviews and optimises the facilities on a continual basis, capitalising on opportunities to improve the business contribution.
* Managed and Measurable 
The need to maintain a controlled computing environment is fully understood, as evident in the organisational structure and budget allocations. Environmental and physical security requirements are documented and access is strictly controlled and monitored. Responsibility and ownership have been established and communicated. The facilities staff has been fully trained in emergency situations, as well as in health and safety practices. Standardised control mechanisms are in place for restricting access to facilities and addressing environmental and safety factors. Management monitors the effectiveness of controls and the compliance with established standards. The recoverability of computing resources is incorporated into an organisational risk management process. Plans are developed for the entire organisation, regular and integrated testing occurs and lessons learned are incorporated into plan revisions. The integrated information is used to optimise insurance coverage and related costs.
* Defined Process 
The need to maintain a controlled computing environment is understood and accepted within the organisation. The environmental controls, preventive maintenance and physical security are budget items approved and tracked by management. Access restrictions are applied, with only approved personnel being allowed access to the computing facilities. Visitors are logged and sometimes escorted, depending upon the responsible individual. The physical facilities are low profile and not readily identifiable. Civil authorities monitor compliance with health and safety regulations. The risks are insured, but no effort is made to optimise the insurance costs.
* Repeatable but Intuitive 
The awareness of the need to protect and control the physical computing environment is recognised and evident in the allocation of budgets and other resources. Environmental controls are implemented and monitored by the operations personnel. Physical security is an informal process, driven by a small group of employees possessing a high level of concern about securing the physical facilities. The facilities maintenance procedures are not well documented and rely upon the best practices of a few individuals. The physical security goals are not based on any formal standards, and management does not ensure that security objectives are achieved.
* Initial / Ad Hoc
The organisation has recognised a business requirement to provide a suitable physical surrounding which protects the resources and personnel against man-made and natural hazards. No standard procedures exist and the management of facilities and equipment is dependent upon the skills and abilities of key individuals. Housekeeping is not reviewed and people move within the facilities without restriction. Management does not monitor the facility environmental controls or the movement of personnel.