Para 3.22.36 — MSO (Audit)
Original Rule Text
3.22.36 Physical access controls include the environmental controls which operate across the entire IT environment and affect all underlying computer applications. These controls are designed to protect the computer hardware and software from damage, theft and unauthorised access. Access controls can operate at various levels, for example, from restricting access to the client’s site to installing key locks on individual personal computers. Restricting physical access to the IT systems reduces the risk of unauthorised persons altering the financial information. The auditor should make a quick assessment of the physical access controls and their adequacy.
- Authorisation Control
What This Means
Physical access controls protect computer hardware and software from damage, theft, and unauthorised access. These are environmental controls that apply across the entire IT environment and affect all applications. They can range from restricting site access to installing key locks on individual PCs. Restricting physical access reduces the risk of unauthorised persons altering financial information. The auditor should quickly assess the adequacy of physical access controls.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
1. Physical access controls protect hardware and software from damage, theft, and unauthorised access
2. These are environmental controls affecting the entire IT environment
3. Can operate at various levels: site access, building access, room access, individual PC locks
4. Restricting physical access reduces risk of unauthorised changes to financial data
5. Auditor should make a quick assessment of physical access controls and their adequacy
Practical Example
Visiting a district treasury's computer room, the auditor finds that the server room door is left open, there is no visitor register, cleaning staff have unsupervised access during night hours, and the UPS and networking equipment are in an unlocked cupboard in the corridor. The auditor notes that anyone — including unauthorised persons — could physically access the treasury payment server and potentially steal data or tamper with records.
Frequently Asked Questions
What are examples of physical access controls?
Why is physical access important even when there are strong passwords?