For many types of computer equipment, strict environmental conditions must be maintained. Manufacturer's specifications should be observed for temperature, humidity, and electrical power requirements.
The media upon which information is stored should be carefully controlled. Transportable media such as tapes and cartridges should be kept in secure locations, and accurate records kept of the location and disposition of each. In addition, media from an external source should be subject to a check-in process to ensure it is from an authorized source.
Each area should be surveyed for potential physical hazards. Fire and water are two of the most damaging forces with regard to computer systems. Opportunities for loss should be minimized by an effective fire detection and suppression mechanism and by planning that reduces the danger of leaks or flooding. Other physical controls include reducing the visibility of the equipment and strictly limiting access to the area or equipment.
Although risks can be minimized, they cannot be eliminated. When reliance upon a computer facility or application is substantial, some type of contingency plan should be devised to allow critical systems to be recovered following a major disaster, such as a fire. There are a number of alternative approaches that should be evaluated to most cost-effectively meet the company's need for continuity of service.
Risk can be introduced through unofficial and unauthorized hardware or software. Another key component of information resource management is ensuring only authorized hardware and software are being utilized.
There are several control issues to be addressed.
Records of hardware/software inventories, configurations, and locations should be maintained and kept up-to-date.
Especially with microcomputer software, illegal copying and other uses in conflict with licensing agreements are concerns. The use of software subject to licensing agreements must be monitored to ensure it is used according to the terms of the agreement.
The recent occurrences of destructive computer "viruses" point to the need to ensure that companies do not allow unauthorized software to be introduced to their computer environments. Unauthorized hardware can also contain hidden vulnerabilities. Management should adopt a strong policy against unauthorized hardware/software, inform personnel about the risks and consequences of unauthorized additions to computer systems, and develop a monitoring process to detect violations of the policy.