Protect physical environments through layered physical security and environmental controls that safeguard physical and digital assets from unauthorized access, theft, damage and disruption.
Organizations limit physical access to Technology Assets, Applications, Services and Data (TAASD) and monitor environmental conditions commensurate with risk to prevent unauthorized access and reduce equipment failure, damage or disruption from physical and environmental threats.
Physical access to systems bypasses most logical security controls. An attacker with physical access to a server can extract credentials, install hardware implants, bypass full-disk encryption through cold boot attacks and walk out with drives. The PES domain governs the layered physical security controls that prevent unauthorized physical access to TAAS and the environmental controls that protect against equipment failure from physical and environmental threats.
The SCF's intent for PES covers monitoring environmental conditions proportionate to risk. Fire suppression, temperature control, power protection and water detection aren't separate from security; they are security controls for availability. A datacenter without adequate environmental controls is vulnerable to outages that no amount of logical security can prevent.
PES is frequently treated as a facilities problem rather than a security problem. That separation creates accountability gaps. Security teams that don't own physical security controls often discover, during incidents or audits, that physical access logs don't exist, visitor access isn't tracked, or server room access is controlled by keys that were never inventoried. PES establishes that physical security is a security domain with defined controls and evidence requirements.