
SAS 70 Audits | Checklist for Data Center Physical Security Best Practices

By Charles Denyer, Fri Jun 27, 2008 at 1:58 PM
This blog is written by a member of our blogging community and expresses that member's views alone.

Is your data center preparing for a SAS 70 Type I or SAS 70 Type II audit?
If so, be aware that physical security is a vital component of any SAS 70
audit performed on today's data centers and colocation facilities.

Users of your SAS 70 audit report will likely spend a considerable amount of
time reading about the data center physical security practices you implement
on a daily basis and that are described in the report. Listed below is what I
consider to be the key components of a data center physical security to-do
list. That is not to say every item has to be in place, as some data centers
may not be able to meet all of these requirements. Take what you can from this
list and treat it as a general guideline.

  • Built and Constructed for Physical Protection
    Exterior perimeter walls, doors, and windows should be constructed of
    materials that carry an Underwriters Laboratories Inc. (UL) ballistic
    resistance rating.
  • Protection of the Physical Grounds
    The data center should have physical barriers in place, such as bollards
    and reinforced planters, that stop a vehicle from ramming the building and
    keep intruders away from the facility.
  • Bullet-Resistant Glass
    Areas such as the lobby and other entrance points should be protected by
    bullet-resistant glass (no glazing is truly "bullet proof"; look for a
    rating under UL 752, the UL standard for bullet-resisting equipment).
  • Maintenance of Vegetation
    Flowers, plants, trees and other vegetation should be kept trimmed so that
    they cannot conceal an intruder or block camera sightlines.
  • Security Systems and 24x7 Backup Power
    The data center's security systems should function at all times, backed
    by an uninterruptible power supply (UPS) so that a utility outage does not
    take down access control, alarms or cameras.
  • Cages, Cabinets and Vaults
    The physical structures that house equipment must be properly installed
    with no loose or moving components, ensuring their overall strength and
    rigidity.
  • Mantrap
    Most, if not all, data centers should have a mantrap (an interlocking
    two-door vestibule in which only one door can open at a time) controlling
    access to the data center "floor", so that one authenticated badge admits
    one person and tailgating is prevented.
  • Electronic Access Control Systems (ACS)
    Every entry point into and within the data center should be protected by
    electronic access control that admits only authorized individuals. The
    ACS should also incorporate biometric safeguards, such as palm readers,
    iris recognition, and fingerprint readers.
  • Provisioning Process
    Individuals requesting access to the data center should go through a
    structured and documented provisioning process that verifies their
    identity and confirms that the access requested is authorized.
  • Off-boarding Process
    When personnel working for the data center, or for clients using the
    facility, leave or no longer need access, their access must be removed
    immediately from every system that grants it: the electronic access
    control system (badges and biometric enrollments) as well as any systems,
    databases, Web portals, or other sign-in mechanisms that authenticate and
    authorize them.
  • Visitors
    All visitors must be identified with a current, valid form of
    identification and given a temporary facility badge that allows access
    only to specified areas of the data center. Each visit must also be
    recorded in a ticketing system.
  • Alarms
    All exterior doors and sensitive areas within the facility must be
    hard-wired with alarms.
  • Cameras
    The facility should have a mix of fixed and pan-tilt-zoom (PTZ) security
    cameras covering all critical areas, both inside and outside the data
    center.
  • "Threat Conditions Policy"
    Consistent with the Department of Homeland Security's threat rating
    scale, the facility should have a "threat conditions policy" under which
    employees and customers are notified of changes in the threat level.
  • Badge and Equipment Checks
    Periodic checks should be done on employees and customers to confirm
    badge access and equipment ownership.
  • Local Law Enforcement Agencies
    Management should keep documented contact information for all local law
    enforcement agencies for use in an emergency.
  • Paper Shredding
    A third-party contractor should shred documents on-site and then remove
    them from the facility, all in a documented fashion, with sign-off each
    time shredding is done.
  • Data Center Security Staff
    These individuals should perform a range of duties on a daily basis, such
    as monitoring intrusion and security alarm systems; dispatching mobile
    security officers to emergencies; monitoring to prevent unauthorized
    access, such as tailgating; assisting individuals with authorized access
    to enter the data center; controlling access by confirming identity;
    issuing and retrieving access badges; and responding to telephone and
    radio communications. They should also handle response to and resolution
    of security alarms; customer assistance for cage lockouts and escorts;
    scheduled and unscheduled security inspections; enforcement of the no
    food or drinks policy on the raised floor; enforcement of the no
    unauthorized photography policy; and fire and safety patrol inspections.
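The Provisioning, Off-boarding and Visitor items above are the controls an auditor will actually test with evidence, and the usual way to produce that evidence is to reconcile what the access control system (ACS) still has enabled against who is still supposed to have access. The script below is an added example, not code from the original post or from any ACS vendor; it assumes two exports a site would generate itself (a badge list from the ACS and a personnel roster from HR or customer onboarding), and every field name, person and badge number in it is constructed for illustration.

```python
"""Reconcile physical access credentials against personnel records.

Added example, not from the original post. It assumes two exports that a
site would produce itself: a list of badges from the electronic access
control system (ACS) and a personnel roster from HR or the customer
onboarding records. All field names and sample rows are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Badge:
    badge_id: str
    holder: str                      # person the badge was issued to
    active: bool                     # badge still enabled in the ACS
    badge_type: str                  # "employee", "customer" or "visitor"
    expires: Optional[date] = None   # visitor badges carry an expiry date


@dataclass(frozen=True)
class Person:
    name: str
    status: str                      # "active" or "terminated"
    terminated_on: Optional[date] = None


# Constructed sample data (hypothetical people and badge numbers).
ROSTER: List[Person] = [
    Person("alice", "active"),
    Person("bob", "terminated", date(2008, 6, 20)),
    Person("carol", "active"),
]

BADGES: List[Badge] = [
    Badge("E-1001", "alice", True, "employee"),
    Badge("E-1002", "bob", True, "employee"),      # holder terminated, badge never disabled
    Badge("E-1003", "grace", True, "employee"),    # holder not on the roster at all
    Badge("C-2001", "carol", True, "customer"),
    Badge("C-2002", "dave", False, "customer"),    # already disabled; not a finding
    Badge("V-3001", "eve", True, "visitor", date(2008, 6, 25)),    # expired, still enabled
    Badge("V-3002", "frank", True, "visitor", date(2008, 6, 28)),  # still within validity
]

AS_OF = date(2008, 6, 27)


def orphaned_badges(badges: List[Badge], roster: List[Person]) -> List[str]:
    """Enabled employee/customer badges whose holder is not an active person.

    Catches both the terminated holder and the holder nobody can account for;
    either one means off-boarding or provisioning was bypassed.
    """
    active_people = {p.name for p in roster if p.status == "active"}
    return sorted(
        b.badge_id
        for b in badges
        if b.active and b.badge_type != "visitor" and b.holder not in active_people
    )


def stale_visitor_badges(badges: List[Badge], as_of: date) -> List[str]:
    """Visitor badges still enabled after their expiry date has passed."""
    return sorted(
        b.badge_id
        for b in badges
        if b.active and b.badge_type == "visitor"
        and b.expires is not None and b.expires < as_of
    )


def revocation_lag_days(badges: List[Badge], roster: List[Person],
                        as_of: date) -> Dict[str, int]:
    """Days each still-enabled badge has outlived its holder's termination.

    Anything above zero contradicts the "immediately removed" claim that an
    auditor will test against the off-boarding tickets.
    """
    terminated = {p.name: p.terminated_on for p in roster
                  if p.status == "terminated" and p.terminated_on is not None}
    return {
        b.badge_id: (as_of - terminated[b.holder]).days
        for b in badges
        if b.active and b.holder in terminated
    }


if __name__ == "__main__":
    print("orphaned badges:", orphaned_badges(BADGES, ROSTER))
    print("stale visitor badges:", stale_visitor_badges(BADGES, AS_OF))
    print("revocation lag (days):", revocation_lag_days(BADGES, ROSTER, AS_OF))
```

Run against real exports, the three lists are the exceptions you would expect to see closed out in the ticketing system; a badge that shows up in `orphaned_badges` with no matching off-boarding ticket, or a visitor badge that outlives its expiry, is exactly the kind of finding that ends up in a SAS 70 report as an exception to the stated control.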

If you want to learn more about SAS 70 audits, you can obtain SAS 70 sample
reports and further information from the SAS 70 Resource Guide.
