Physical and environmental protection

Status: Live

The organization will develop, disseminate, and review: 1) a formal physical and environmental protection policy that addresses purpose, scope, RACI info, and compliance; and 2) formal standards and procedures to facilitate implementing the policy. [UCF ID 00709]

Supporting and supported controls

This is a top level control.

This control has the following supporting controls:

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 8.2.3, ID 8.2.4; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj C.1; FFIEC IT Examination Handbook – Operations, July 2004, Pg 21, Exam Tier I Obj 5.1; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 29; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier I Obj 1.2; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 32, Pg 33, Exam Tier I Obj 1.2; System Security Plan (SSP) Procedure, Version 1.0, App A § 3.2; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-006-1 R6; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2, § 9; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2, § 9; Responsible Care Security Code of Management Practices, American Chemistry Council, Pg 4; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-10.a; Protection of Assets Manual, ASIS International, Pg 19-I-4; Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives, PE 11; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-3.1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.2, Exhibit 4 PE-1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.10; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-1; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-1; The Standard of Good Practice for Information Security, SM4.5.2, CB3.3.2(d), CI2.4.2(d), UE4.1.1(b), UE6.4.1; ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1, § 6.3.1; ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 17.1; ISO/IEC 15408-3:2008 Common Criteria for Information Technology Security Evaluation Part 3, 2008, § 17.1; ISO 17799:2005 Code of Practice for Information Security Management, § 9.1.4; ISO/IEC 18045:2005 Common Methodology for Information Technology Security Evaluation Part 3, 2005, § 12.8.1, § 13.8.1; ISO/IEC 27002-2005 Code of practice for information security management, § 9.1.4; OECD / World Bank Technology Risk Checklist, Version 7.3, § II.54 thru § II.62; Australian Government ICT Security Manual (ACSI 33), § 3.1.22; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2, § 9; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, § 6.2; Archer Control Table, ATCS-083, ATCS-084, ATCS-486, ATCS-501; NRC Regulations (10 CFR) § 73.54 Protection of digital computer and communication systems and networks, § 73.54(b)(3)

Sarbanes Oxley Guidance

The organization should implement procedures to restrict physical access to personal information and to protect the personal information against natural disasters and environmental hazards. [ID 8.2.3, ID 8.2.4, AICPA/CICA Privacy Framework]

Banking and Finance Guidance

[Exam Tier II Obj C.1, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should have adequate physical security for all operations centers in accordance with the sensitivity and criticality of the information stored or processed at the location. [Pg 21, Exam Tier I Obj 5.1, FFIEC IT Examination Handbook – Operations, July 2004]

The organization should ensure the service provider's physical standards meet or exceed the standards required by the organization. [Pg 29, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

[Exam Tier I Obj 1.2, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

The organization should maintain a physically secure environment for the payment applications. The results of the risk assessment should be used to develop standards for physical security. [Pg 32, Pg 33, Exam Tier I Obj 1.2, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

Healthcare and Life Science Guidance

Calls for a description of the physical security controls for the system. This description must also document the attributes of the physical protection afforded to the areas where processing for the system takes place. [App A § 3.2, System Security Plan (SSP) Procedure, Version 1.0]

Energy Guidance

The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R2, R3, and R4 function properly. The program must include, at a minimum, the following:

    Testing and maintenance of all physical security mechanisms on a cycle no longer than three years.
    Retention of testing and maintenance records for the cycle determined by the Responsible Entity in Requirement R6.1.
    Retention of outage records regarding access controls, logging, and monitoring for a minimum of one calendar year.

[CIP-006-1 R6, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]

Licensees must incorporate the cyber security program into the physical protection program. [§ 73.54(b)(3), NRC Regulations (10 CFR) § 73.54 Protection of digital computer and communication systems and networks]

Payment Card Guidance

Restrict physical access to cardholder data. [§ 9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2]

Restrict physical access to cardholder data. [§ 9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2]

Restrict physical access to cardholder data. [§ 9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2]

Restrict physical access to cardholder data. [§ 9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

The organization should use third-parties to verify that the physical security measures have been implemented and are working correctly. [Pg 4, Responsible Care Security Code of Management Practices, American Chemistry Council]

The organization should develop a physical security program that safeguards personnel; safeguards the system against damage, theft, and sabotage; reduces denial of service and unauthorized data modification exposure; and prevents unauthorized access to facilities, equipment, media, and documents. [§ 2-10.a, Army Regulation 380-19: Information Systems Security, February 27, 1998]

The physical security program should include policies and procedures, barrier descriptions, personnel responsibilities, a list of the equipment being used, and records and logs. [Pg 19-I-4, Protection of Assets Manual, ASIS International]

The organization must protect the physical environment. [PE 11, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives]

Calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

[AC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]

US Internal Revenue Guidance

The organization must develop and document policies and procedures for the implementation of physical and environmental protection controls. These policies and procedures must be disseminated throughout the organization. [§ 4.2, Exhibit 4 PE-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

Physical access controls to restrict the entry and exit of personnel from areas such as office buildings, suites, data centers or rooms containing local area network servers are called for. [§ 3.10, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

There is a need for government agencies to employ physical and environmental controls. The physical and environmental protection policy and procedures should be consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The physical and environmental protection policy can be included as part of the general information security policy for the organization. Physical and environmental protection procedures can be developed for the security program in general, and for a particular information system, when required. [PE-1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records and documents should be examined to ensure the physical and environmental protection policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the physical and environmental protection policy and procedures control. Any problems discovered during the implementation of the physical and environmental protection policy and procedures control should be documented and used to improve the controls. The physical and environmental protection policy and procedures should be examined for purpose, scope, and responsibilities and compliance with laws, regulations, and directives and should be consistent with the organization's mission and function.
Interviews should be conducted with personnel involved in reviewing and updating the physical and environmental protection policy and procedures.
[PE-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization should implement physical security to ensure only authorized individuals can access WLAN equipment. [§ 6.2, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1]

ISO Guidance

Assumptions that should be met by the product's environment to be considered secure should be listed in the security policy. [§ 6.3.1, ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1]

Development security documentation should exist. This document should describe the physical, procedural, and other security measures, as well as security personnel roles and responsibilities, needed at the development site. The measures should provide enough protection to maintain the confidentiality and integrity of the product. [§ 17.1, ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008]

Development security documentation should exist. This document should describe the physical, procedural, and other security measures, as well as security personnel roles and responsibilities, needed at the development site. The measures should provide enough protection to maintain the confidentiality and integrity of the product. [§ 17.1, ISO/IEC 15408-3:2008 Common Criteria for Information Technology Security Evaluation Part 3, 2008]

Protection against environmental threats, such as fire, flood, and earthquake, should be provided. Procedures for avoiding damage from environmental threats include storing backup media at an offsite facility; having appropriate fire fighting equipment on site; and storing hazardous or combustible material away from secure areas. [§ 9.1.4, ISO 17799:2005 Code of Practice for Information Security Management]

The development security documentation should be examined to ensure physical, procedural, personnel, and other measures required to protect the confidentiality and integrity of the product while in the development environment are included. The confidentiality and integrity policies of the developmental activity should be examined to ensure the security measures that have been implemented are sufficient and meet the standards set forth in the policies. Audit trails or logs produced as a result of following the development security documentation should be examined to ensure the procedures are followed and the security measures are implemented.
Interviews should be conducted with development personnel to ensure they know their responsibilities and are aware of the development security policies and procedures.
[§ 12.8.1, § 13.8.1, ISO/IEC 18045:2005 Common Methodology for Information Technology Security Evaluation Part 3, 2005]

Protection against environmental threats, such as fire, flood, and earthquake, should be provided. Procedures for avoiding damage from environmental threats include storing backup media at an offsite facility; having appropriate fire fighting equipment on site; and storing hazardous or combustible material away from secure areas. [§ 9.1.4, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

Procedures should be developed to provide for the physical and environmental protection of buildings, staff, media, papers, storage areas, desktop computers, and laptop computers. [SM4.5.2, CB3.3.2(d), CI2.4.2(d), UE4.1.1(b), UE6.4.1, The Standard of Good Practice for Information Security]

EU Guidance

[§ II.54 thru § II.62, OECD / World Bank Technology Risk Checklist, Version 7.3]

Asia and Pacific Rim Guidance

A Site Standard Operating Procedure should be developed and should include roles and responsibilities of the facility security officer; how to operate and maintain the alarm system; requirements for security awareness training; requirements for employee clearances; procedures for end-of-day checks; key management; and how to report security incidents. [§ 3.1.22, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks [UCF Control ID 02064]
    Report on the percentage of critical assets that have been reviewed from the perspective of environmental risks [UCF Control ID 02066]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.