Eight Facility Zones to Consider While Auditing for Information, Physical, and Environmental Security Compliance

Author: Innocent Atasie, CISA, CISM, CRISC, CDPSE
Date Published: 25 October 2024

It has become imperative for organizations to reevaluate the security posture of their facilities as threats become more prevalent. These threats may be accidental, deliberate, or environmental, such as sabotage, unauthorized facility entry, remote spying, eavesdropping, fire, flood, and equipment failure. For example, in June 2024 various facilities in Nigeria, including churches, refineries, and banks, were engulfed in flames, as reported by media houses such as Arise News[1] and The Africa Report[2]; insider attacks, sabotage, and robberies have increased in the financial and health sectors[3]; and the author has even observed security guards selectively scanning individuals upon entry rather than subjecting all entrants to a comprehensive system check. Access to critical facilities should be controlled, and such controls should be reviewed regularly for suitability, adequacy, and effectiveness, whether they are preventive, corrective, deterrent, or detective in nature.

Auditing a facility for compliance is an important task that requires knowledge and insight regarding the areas, or zones, within the site that matter. While conducting audits across different regions, the author found that some zones are not duly considered and that, as a result, organizations risk compromising their security posture. Risk assessment reports and threat studies show that detected or perceived vulnerabilities around these zones account for a significant share of enterprise security failures or compromises. Unfortunately, these zones have not been prioritized in many security audits.

For this article, the author has classified facility audits into eight zones. This approach ensures comprehensive consideration of all aspects of the facility. The eight-zone classification derives from the extensive experience of auditors who have assessed numerous facilities, meticulously reviewed risk reports, and gained deep insight into client pain points, business imperatives, and other essential requirements. The discussion centers on effective facility assessment for sustained compliance.

The Eight Zones

Before conducting the audit, ensure that all site protocols are observed: signing the visitor/contractor register, security scanning, image capture, issuance of tags, provision and use of suitable personal protective equipment, and assignment of a tour guide. A site orientation program should also be conducted and a site map issued for the tour of the facility. The site map provides a diagrammatic overview or layout of the facility on paper or electronic media.

When these steps are completed, the auditor can conduct the facility audit by focusing on eight zones:

  1. Entry and exit points—These points are the access routes into and out of the facility. This zone involves surveying the physical security perimeter of the facility. Determine whether there is any risk of intrusion, theft, or sabotage. Check for proper fencing and lighting, consider the type and quality of walls, and review the deployment of surveillance systems. Look for any vulnerabilities around fences that could be exploited by an intruder to gain unauthorized access. Are entry and exit points easily identifiable and approved? There may be unapproved routes created for convenience without due security consideration. Approved routes will be indicated on the site map, evacuation plan, or physical security procedure. Check for emergency exits and signage. Do all emergency exits have the proper controls in place (such as alarms)? Identify the persons responsible for the maintenance of the entry and exit points. Be sure to review all entry and exit logs, and the vehicle and visitor management systems. Deployment of biometric or card scanners is also important for effective screening at the point of entry. It is also important to verify whether documented agreements exist with third parties who provide maintenance or support services in this zone.
  2. Delivery and loading areas—These areas are designated for receiving or stocking items. Verify the location of these areas. Are they isolated from areas where critical tasks are carried out? Are identification tags issued to vendors, visitors, and other parties needing access to the area? Verify who is responsible for the security of the area. Review registers, logs, and forms for the movement of items, people, and services. Confirm that access control is in place. Security controls should be observed in this area because materials or items may be issued to or received by the wrong persons, leading to theft or damage of assets. Assess the area to confirm that materials are adequately preserved. Since this area accepts visitors, there is a risk of spying and eavesdropping, which should also be assessed and mitigated. Check the deployment of surveillance systems in this area.
  3. Data centers—These house critical data and information from operational activities. Verify access controls (biometric, card, etc.). Conduct a thorough review of access registers, logs, and visitor management systems. Ensure that only authorized staff receive access permissions, and confirm that this process is reviewed regularly. Additionally, be cautious of any signage that reveals the location of restricted areas. It is important to confirm the part of the facility where the data center is located—preferably a middle floor rather than the ground or topmost floor of a building, especially in areas susceptible to flooding, heavy rainfall, or very high humidity. Check for wall and floor insulation (padding), the distance between racks and walls, and possible wall or ceiling openings/holes. Walls that absorb and retain moisture could affect the environmental condition of the center. Verify the environmental monitoring system and ensure that temperature and humidity logs are visible. Check asset maintenance records to verify that assets are well maintained and duly deployed. Ensure robust cable management by checking for proper insulation and trunking and for separation of power cables from telecom cables. Effective cable management is crucial to prevent interference, disruptions, or confusion regarding cable origins, purposes, and destinations. Additionally, verify power backup arrangements and the availability and maintenance of fire safety equipment.
  4. Control room—This room is designed for monitoring and protecting surveillance systems. Review the level of access control in this area. Verify who is responsible for surveillance system management. Assess the CCTV monitor by checking for possible blind spots, including significant parts of the facility that are not captured, and confirm the number of CCTV cameras, the active channels, and their coverage across the facility. Confirm the footage retention period, then sample entries from the entry log records for different parts of the facility and check that corroborating footage exists for each. Verify that the time on the CCTV monitor is accurate (clock synchronization with an approved time source). Ensure deployment and maintenance of emergency lighting and perimeter alarm systems.
  5. Power distribution and control area—This zone is the pathway or hub through which electric power enters a building for distribution by cable. Devices deployed in this zone include transformers, control panels, switches and fuses, surge arresters, inverters, and circuit breakers. This area must be isolated and properly ventilated to prevent overheating and dielectric breakdown of insulation, which could lead to a fire outbreak. Additionally, verify the insulation of electrical components, ensure appropriate signage, check the availability of fire equipment, confirm that maintenance schedules are followed, and confirm that other power protection measures are in place.
  6. Security posts—These are posts within the premises manned by guards. Are there existing agreements with the security service provider? Review the agreements to confirm they include a clear scope of service, service level requirements, confidentiality and non-disclosure clauses, signatures of both parties, and termination clauses. How many guards are on duty? Review duty rosters, the appearance of guards, the asset inventory, incident logs, the handover register, and overall responsibility for security. Interview guards to ascertain enterprise expectations and their understanding of policies.
  7. General office or workspaces—Visit office spaces frequently to ensure that facilities are in working order. Are these spaces well illuminated and partitioned, and are access controls deployed and maintained? Are walkways free from obstructions? Are emergency contact numbers displayed? There should be signs indicating where restrooms, meeting rooms, exits, etc. are located. Verify which teams are responsible for handling incidents and review records of previous incidents. Verify the location of fire equipment and devices and the condition of ventilation, heating, and air conditioning systems.
  8. Muster point—The muster point is also known as the assembly point. In the case of fire or related incidents, there should be a gathering point for all staff and visitors within the facility, after which a headcount confirms whether all persons have evacuated the building. The muster point should be isolated, clearly indicated, and accessible. Sufficient space should be available to hold the required number of people. As part of the assessment, review fire drill reports, paying close attention to those involving assembly at the designated muster point. Additionally, verify the presence of trained fire wardens who can assist with evacuation coordination. This thorough review will help identify any potential limitations related to space availability and location.
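The control-room checks in zone 4 (clock synchronization, stated retention period, and corroboration of sampled entry-log records against footage actually held) can be turned into a repeatable working-paper test. The script below is an added example, not part of the original article; the entry-log records, camera figures, audit date and 60-second drift tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): three sampled entry-log
# records from the door access system, and the control room's own figures for
# the camera covering each door. clock_offset_s is the measured difference
# between the recorder clock and the approved time source.
ENTRY_LOG = [
    {"ts": "2024-06-10T08:02:00", "door": "Main gate", "badge": "B1001"},
    {"ts": "2024-06-10T09:15:00", "door": "Loading bay", "badge": "V0042"},
    {"ts": "2024-06-25T14:30:00", "door": "Data center", "badge": "B1003"},
]
CAMERAS = {
    "Main gate": {"retention_days": 30, "clock_offset_s": 4,
                  "oldest_footage": "2024-05-30T00:00:00"},
    "Loading bay": {"retention_days": 30, "clock_offset_s": 420,
                    "oldest_footage": "2024-06-20T00:00:00"},
    "Data center": {"retention_days": 90, "clock_offset_s": -2,
                    "oldest_footage": "2024-04-01T00:00:00"},
}
AUDIT_DATE = datetime(2024, 6, 30)
MAX_CLOCK_DRIFT_S = 60  # assumed tolerance; substitute the site's own standard

def corroborate(entry_log, cameras, audit_date, max_drift_s):
    """Return a list of audit findings; an empty list means every check passed."""
    findings = []
    for door, cam in cameras.items():
        # Clock check: drift beyond tolerance makes footage unmatchable
        # against entry-log timestamps.
        if abs(cam["clock_offset_s"]) > max_drift_s:
            findings.append(f"{door}: recorder clock off by {cam['clock_offset_s']} s")
        # Retention check: footage held must reach back at least as far as
        # the stated retention period promises.
        oldest = datetime.fromisoformat(cam["oldest_footage"])
        promised = audit_date - timedelta(days=cam["retention_days"])
        if oldest > promised:
            findings.append(f"{door}: footage starts {oldest.date()}, "
                            f"policy requires {promised.date()}")
    for rec in entry_log:
        # Corroboration check: each sampled entry needs footage to match.
        cam = cameras.get(rec["door"])
        if cam is None:
            findings.append(f"{rec['door']}: no camera covers this entry point")
            continue
        entry_ts = datetime.fromisoformat(rec["ts"])
        if entry_ts < datetime.fromisoformat(cam["oldest_footage"]):
            findings.append(f"{rec['door']}: entry {rec['ts']} by {rec['badge']} "
                            f"has no retained footage")
    return findings

if __name__ == "__main__":
    for line in corroborate(ENTRY_LOG, CAMERAS, AUDIT_DATE, MAX_CLOCK_DRIFT_S):
        print("FINDING:", line)
```

On the constructed data only the loading bay camera fails, on all three checks; a door with no camera at all is reported as a separate finding.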

Conclusion

Mastering an effective approach to conducting facility audits for security compliance is paramount. This article outlines eight facility zones to be considered during a security audit. Each zone has associated vulnerabilities, necessitating the deployment of controls for effective management. Failure to assess these controls—whether they are primary or compensating—may lead to system failures or significant losses for the organization.

Auditors can consider auditing these zones a worthy endeavor, as the approach has been tested and has continued to deliver value to organizations. It can be applied to many types of facilities, and the audits can be conducted physically or remotely. These reviews will help safeguard facilities from well-known threats.

Endnotes

1 Kalu, C.; “Dangote Refinery Contains Fire at Treatment Plant, No Injuries Recorded,” Arise News, 26 June 2024
2 Akinkuotu, E.; “Fire at Dangote’s $20bn Refinery; no Casualties Says Official,” The Africa Report, 26 June 2024
3 Obewo-Isawode, L.; “Three Dead As Military, Police Foil 15-Man Bank Robbery Operation in Abuja,” Channels, 14 June 2024

Innocent Atasie

Innocent Atasie has led over 100 third-party IT audit engagements in 10 countries. He is an astute auditor, trainer, writer, and consultant. Atasie holds 4 ISACA credentials and over 10 ISO certifications, specializing in IT assurance and audit services.