Information System Management: Sticking to the Basics

Cho Kijo Reporter

kieejo@naver.com | 2025-11-11 11:01:44


 (C) Pixabay


In 1982, Ron Weber, in his book “EDP Auditing: Conceptual Foundations and Practice,” which established the conceptual basis for the control and audit of information systems, defined Physical Controls as measures that control physical access to EDP facilities, equipment, and data resources and protect them from environmental hazards. EDP, which stands for ‘Electronic Data Processing,’ refers to information systems that process business operations using computers. As we all know, the basics matter, and in that spirit this column returns once more to the textbook.

Physical controls are a core element of General Controls, the enterprise-wide control framework. They go beyond simply installing locks or fences; Weber presents them as the fundamental prerequisite for achieving the goals of Integrity, Availability, and Asset Safeguarding. The term 'control' can be read here as an 'inspection' or 'check.'

The objects of protection fall into four groups. Facilities control involves preventing unauthorized access to, and protecting the environment of, the spaces where EDP equipment is located, such as buildings and computer rooms. Equipment control is about preventing the theft, damage, or unauthorized manipulation of servers, terminals, communication equipment, and the like. Data and Storage Media protection involves controlling physical loss of, and access to, data storage media such as backup tapes and disks. Documentation and Records control is about protecting materials containing sensitive information, such as system documentation and output reports. Although this book, written in the 80s, does not mention today's communication networks, equipment, or cloud systems, its principles still apply.

The core areas of Physical Controls emphasized by Weber are categorized into Access Control, Environmental and Disaster Control, and Asset Protection and Placement.

Access Control mandates setting up controlled areas across multiple stages—perimeter, building exterior, and building interior (computer room)—and applying differentiated access controls for each area. This is referred to as establishing a multiple defense perimeter. Authentication means such as keys, electronic cards, and biometric devices are used to limit access to authorized personnel, and all entry and exit records must be maintained and reviewed. Visitors must have their identity verified, wear a visible identification badge, and be permitted to move about only while escorted (accompanied) by a designated employee.
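The review of entry and exit records that the paragraph calls for can be partly automated. The following is an added example, not code from the original column or from Weber's book, of checking a badge log against the layered model described above: each inner zone must be entered only after the enclosing outer zones, each employee badge has an innermost zone it is authorized for, visitors must be escorted by an employee who is recorded inside the same zone, computer-room entry outside working hours is flagged, and entries with no matching exit are reported for follow-up. The zone names, badge ids, working hours, log format and log lines are all constructed for illustration.

```python
"""Review badge access logs against a layered (multiple-perimeter) access model.

Added example, not part of the original column: zone names, badge ids, working
hours, the log format and the log lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Zones ordered from outermost to innermost. An inner zone should only be
# entered after the enclosing outer zones have been entered and recorded.
ZONES = ["perimeter", "building", "computer_room"]
ZONE_RANK = {zone: rank for rank, zone in enumerate(ZONES)}

# Innermost zone each employee badge may enter (constructed authorization matrix).
AUTHORIZED = {
    "E1001": "computer_room",   # operator with computer-room access
    "E1002": "building",        # general staff, no computer-room access
}
VISITOR_PREFIX = "V"            # visitor badges carry no authorization of their own
WORK_HOURS = (time(7, 0), time(19, 0))  # computer-room entry expected in this window

Finding = Tuple[str, str, str]  # (code, badge, zone)


@dataclass
class Event:
    ts: datetime
    badge: str
    zone: str
    direction: str          # "in" or "out"
    escort: Optional[str]   # escorting employee's badge, visitors only


def parse_line(line: str) -> Event:
    """Parse 'timestamp,badge,zone,in|out[,escort]' (constructed log format)."""
    parts = line.strip().split(",")
    escort = parts[4] if len(parts) > 4 and parts[4] else None
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], escort)


def review(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    present: Dict[str, Set[str]] = {}  # badge -> zones the holder is recorded inside

    for line in lines:
        ev = parse_line(line)
        inside = present.setdefault(ev.badge, set())
        if ev.direction == "out":
            inside.discard(ev.zone)
            continue

        if ev.badge.startswith(VISITOR_PREFIX):
            # Visitors may act only while escorted: the escort must already be
            # recorded inside the zone the visitor is entering.
            if ev.escort is None or ev.zone not in present.get(ev.escort, set()):
                findings.append(("NO_ESCORT", ev.badge, ev.zone))
        else:
            limit = AUTHORIZED.get(ev.badge)
            if limit is None or ZONE_RANK[ev.zone] > ZONE_RANK[limit]:
                findings.append(("UNAUTHORIZED", ev.badge, ev.zone))

        # Layered perimeter: every outer zone must already have been entered.
        # A missing outer entry points to a bypassed door or tailgating.
        if any(outer not in inside for outer in ZONES[:ZONE_RANK[ev.zone]]):
            findings.append(("LAYER_BYPASS", ev.badge, ev.zone))

        if ev.zone == "computer_room" and not (WORK_HOURS[0] <= ev.ts.time() <= WORK_HOURS[1]):
            findings.append(("OUT_OF_HOURS", ev.badge, ev.zone))

        inside.add(ev.zone)

    # Entries with no matching exit by the end of the log need follow-up.
    for badge, zones in present.items():
        for zone in ZONES:
            if zone in zones:
                findings.append(("NO_EXIT", badge, zone))
    return findings


# Constructed sample log: one normal day for E1001, an unauthorized and
# layer-skipping computer-room entry by E1002 who never badges out of the
# perimeter, an unescorted visitor step, and a late-night computer-room entry.
SAMPLE_LOG = """\
2025-11-10T08:00:00,E1001,perimeter,in
2025-11-10T08:02:00,E1001,building,in
2025-11-10T08:05:00,E1001,computer_room,in
2025-11-10T08:30:00,E1002,perimeter,in
2025-11-10T08:31:00,E1002,computer_room,in
2025-11-10T09:00:00,V2001,perimeter,in,E1002
2025-11-10T09:01:00,V2001,building,in
2025-11-10T10:00:00,V2001,building,out
2025-11-10T10:01:00,V2001,perimeter,out
2025-11-10T17:00:00,E1001,computer_room,out
2025-11-10T17:01:00,E1001,building,out
2025-11-10T17:02:00,E1001,perimeter,out
2025-11-10T17:30:00,E1002,computer_room,out
2025-11-10T23:00:00,E1001,perimeter,in
2025-11-10T23:01:00,E1001,building,in
2025-11-10T23:03:00,E1001,computer_room,in
2025-11-10T23:30:00,E1001,computer_room,out
2025-11-10T23:31:00,E1001,building,out
2025-11-10T23:32:00,E1001,perimeter,out
"""


def review_sample() -> List[Finding]:
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for code, badge, zone in review_sample():
        print(f"{code:13} {badge} {zone}")
```

The layer check is the part worth keeping even if the rest is adapted: a badge seen in the computer room with no preceding building entry is exactly the case a multiple defense perimeter is meant to make visible, and it only shows up when the records from every stage are reviewed together rather than door by door.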

Environmental and Disaster Control involves managing environmental factors that threaten the availability of EDP facilities and the integrity of data. Along with smoke and fire detection systems, the computer room must be equipped with fire suppression systems, such as gas-based or other extinguishing methods, that do not damage the equipment. Fire-resistant walls (physical firewalls) to prevent the spread of fire are also necessary. Uninterruptible Power Supplies (UPS), emergency generators, constant temperature and humidity control systems, and water leak detection sensors must be installed.

Control measures for Asset Protection and Placement dictate that the computer room must be installed in a location not vulnerable to natural disasters like earthquakes and floods, nor to social disasters like riots. Furthermore, it should be situated away from general entryways to minimize exposure to potential threats. Servers and equipment must be installed in Racks with locking mechanisms to prevent physical impact or theft, and their mobility must be restricted. To prevent sensitive information from being exposed to unauthorized persons, employees must be mandated to tidy up documents and lock their screens when leaving their workstations.

In today's environment, information systems across all fields run on a network of communication lines like capillaries and wireless connections like air. How could we live without a smartphone where AI assists us like a secretary? There are many places vulnerable to intrusion, and countless facilities and equipment could cause problems. Are we prepared for war and terror?

Most information system personnel worry about intrusions such as hacking or viruses, but issues arising from disasters or environmental hazards tend to be handled negligently. Physical controls and disaster recovery plans must be checked frequently. To keep data safe from disaster, it is stored in real time at a distant location; this is the role of the cloud system and the data center. In an emergency, the systems at an alternate location (a hot site) must be able to take over immediately. The goal is uninterrupted operation. Data must be saved where it ought to be saved. The recent incident, which occurred because of a failure to do so, has left the entire nation dumbfounded. It is time to return to the basics.
