Phase 2: Physical Controls allows the addition of multiple locations in the S2Org risk assessment. To add additional locations, they must first be added in the Organization Profile.
Choose Settings → Organization Profile
To the right of the Locations box, choose "Add Location."
Add the name and address.
Set the Location Type in the dialog box.
There are five possible types to choose:
Headquarters: This is the default and primary location for doing business. If there are no other locations it is assumed that all sensitive information is stored here.
Primary Datacenter (or similar): This location is assumed to be separate from Headquarters. This is the main location where your data (internal and client) is stored and backed up.
Secondary Datacenter (or similar): This is a site for mirrored/redundant data or passive storage. Still contains a significant amount of sensitive info.
Primarily Client Systems: The location where your client's sensitive information is stored, but not necessarily internal company info.
No Significant Information Resources: This is a location for conducting business but comparatively little information is stored here.
Location Type affects the weight applied to the location when calculating the S2Score for Phase 2 controls. However it only affects scoring if there is more than one location assessed. If there is more than one location in Phase 2, a Datacenter (either Primary or Secondary) are weighted higher than a location set as "Primarily Client Systems."
Click "Save."
Return to the Assessment → Open Phase 2: Physical Controls
To the right, click "+ Add" above the Responses button.
Choose the Location from the list and click "Add."