Traceable-Answer Reference / Datacenter Security
DCS-04 — Secure Media Transportation Policy and Procedures
Maintain policies and procedures for the secure transportation of physical media.
Every framework that asks this
Answer DCS-04 once and it typically satisfies the equivalent control elsewhere. Altitude and confidence vary — a domain-level anchor is a starting point to verify, not an audited equivalence.
| Framework | Equivalent control(s) | Confidence |
|---|---|---|
| ISO 27001 | A.7.10 | high |
| NIST CSF 2.0 | PR.AA-06, PR.IR-02 (domain-level) | high |
| NIST 800-53 | PE-2, PE-3, PE-6, PE-13, PE-14 (domain-level) | high |
| SIG | Physical and Environmental Security (domain-level) | high |
Full provenance and NIST 800-53 mappings: the framework crosswalk.
What the reviewer is really checking
The reviewer is establishing where physical security actually comes from and whether you understand which parts remain yours. Behind 'Describe your datacenter physical security' are: Do you operate your own facilities, or do you host on a cloud provider whose datacenters carry their own physical attestations? If the latter, can you name the provider and point to their independent physical-security reports rather than describing controls you do not run? What is the shared-responsibility split: the provider secures the building, power, cooling, and hardware disposal, but you retain responsibility for the logical layer, tenant isolation, key management, and access to your own consoles and management planes. If you do operate any facility (an office, a colo cage, on-prem hardware), what physical controls protect it: perimeter, badge and multi-factor entry, visitor logging, monitoring, and environmental protections like fire suppression and redundant power? The reviewer is specifically watching for vendors who copy a cloud provider's datacenter controls into their own answer as if they operate them. Claiming physical controls you inherit rather than run is a credibility failure, because a follow-up question exposes that you cannot produce the evidence.
What a truthful, defensible answer contains
A defensible answer states the hosting model first, then draws the responsibility boundary cleanly. If you host on a major cloud provider, name it and cite the provider's independent physical-security attestations (for example their SOC 2 / ISO 27001 / and datacenter-specific reports) as the basis for the physical layer, and say plainly that you inherit those controls rather than operate them. Then state what remains yours: logical access to the environment, tenant and workload isolation, key management, secure configuration, and media handling for anything you control. If you operate any physical space of your own, describe its actual controls: perimeter and entry controls with badge plus multi-factor, visitor escort and logging, camera or monitoring coverage, and environmental controls such as fire suppression, redundant power, and cooling, along with secure media disposal. The detail that survives review is a correct boundary: what the provider proves, what you prove, and no overlap where you claim the provider's controls as your own. If you have residual on-prem hardware or an office with access to sensitive systems, disclose it rather than presenting a purely cloud story.
Make it traceable
Anchor the physical layer to the provider's evidence and your layer to yours. Point at the cloud provider's compliance reports and their published shared-responsibility documentation for the inherited controls, and make clear in your trust materials which controls are inherited. For anything you operate, point at your own facility access policy, badge-system and visitor logs, and any physical-security section of your own SOC 2. The Promise-to-Proof line is that 'physical security is provided by [named provider], see their attestations' resolves to the provider's report a reviewer can obtain, while 'we retain logical access and isolation control' resolves to your access policy and audit, so the boundary itself is evidenced rather than blurred.
Answer patterns that hold up
- State the hosting model first, then draw the shared-responsibility boundary between provider and you.
- For inherited controls, name the provider and cite their independent physical-security attestations rather than describing controls you do not run.
- State explicitly which controls remain yours: logical access, tenant isolation, key management, and media handling.
- For any facility you operate, describe perimeter, badge plus multi-factor entry, visitor logging, and monitoring.
- For any facility you operate, describe environmental controls: fire suppression, redundant power and cooling, and secure media disposal.
Evidence that backs the answer
Red flags reviewers catch
- Describing datacenter physical controls you inherit as if you operate them.
- No named cloud provider and no citation of their physical attestations.
- No statement of the shared-responsibility boundary that remains yours.
- Copying a provider's datacenter controls into your answer without evidence you could produce.
- Omitting an office or on-prem hardware that actually has access to sensitive systems.