UCF ID: 00711
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
• Establish and maintain a process to maintain the facilities. [UCF Control ID 00710]
This control has the following supporting controls:
• Review facility access lists. [UCF Control ID 01251]
• Establish emergency exit and reentry procedures. [UCF Control ID 01252]
• Maintain and review lists of personnel who have been granted authorized physical access to facilities that contain restricted data or information. [UCF Control ID 01436]
• Identify all access points and document the control entry measures. [UCF Control ID 01637]
• Monitor physical access at all access points. [UCF Control ID 01638]
• Log physical access to the facility. [UCF Control ID 01641]
• Establish and maintain a guideline for working in secure areas. [UCF Control ID 04538]
• Establish a security room, if necessary. [UCF Control ID 00738]
• Ensure mainframe rooms meet all physical security standards. [UCF Control ID 00749]
• Establish physical security standards for vaults. [UCF Control ID 02203]
• Build and maintain fencing where appropriate. [UCF Control ID 02235]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 8.2.3; AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.C.1.b; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-1, Exam Tier I Obj 10.7 (Testing Strategies), Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – Information Security, Pg 53, Exam Tier I Obj 4.1; FFIEC IT Examination Handbook – Operations, July 2004, Pg 21, Exam Tier II Obj E.1; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 7.10; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 9.1; CMS Core Security Requirements (CSR), Draft, § 1.3.15, § 2.2.2, § 2.2.27, § 2.12.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.310(a)(1), § 164.310(a)(2)(ii); Introductory Resource Guide for HIPAA NIST SP 800-66, § 4.10; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-004-1 R4, CIP-006-1 R1.4; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-10.c thru § 2-10.e, § 2-12.e; Protection of Assets Manual, ASIS International, Pg 3-I-2, Pg 3-I-6, Pg 11-II-9, Pg 11-II-16, Pg 19-I-14, Pg 23-VI-9, Pg 36-I-3; Aviation and Transportation Security Act, Public Law 107-71, November 2001, § 106(a); Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.230(a)(1), § 27.230(a)(4)(ii), § 27.230(a)(4)(iii); Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria, Fencing, Parking, Building Structure; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-306; DOT Physical Security Survey Checklist, Perimeter Barriers; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-3.1; Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002, Pg 12; TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001, § 44903(h)(2), § 44914; Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004, Version 1.0, § 3.3.1; 49 CFR Part 1542 - Airport Security, § 1542.203; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.9; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.10.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-3; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-3; CobiT, Version 4.1, DS12.1, DS12.2; The Standard of Good Practice for Information Security, SM4.5.1, SM4.5.3(a), CI2.8.1(a), CI2.8.1(b), CI2.8.7(a), CI4.1.1, NW3.4.1, UE6.4.2(a), UE6.4.3(a); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.1.1; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.9.1.1; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.1.1; OGC ITIL: Security Management, § 4.3.2; Italy Personal Data Protection Code, Annex B.24; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.7.3, § 6.3.1, § 6.4.3.1, § 6.4.3.2; Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 34; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(1)(5), ¶ 10.2.9, ¶ 10.4.19
Banking and Finance Guidance
The organization should implement access restrictions to prevent unauthorized individuals from accessing locations containing customer information. [App B § III.C.1.b, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]
The organization should use locked doors, guards, motion detectors, and other controls to restrict physical access to the facility. [Pg C-1, Exam Tier I Obj 10.7 (Testing Strategies), Exam Tier II Obj 1.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The doors and windows to the facility should be secured. The data center should be located in an environment safe from flood, fire, or other threats. Guards, fences, surveillance equipment, and other devices should be used to protect the facility. [Pg 53, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook – Information Security]
The facility should have limited windows and access points; adequate lighting around the perimeter; perimeter video surveillance and alarms, if necessary; and trained guards, if necessary. [Pg 21, Exam Tier II Obj E.1, FFIEC IT Examination Handbook – Operations, July 2004]
[Exam Tier II Obj 7.10, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
[Exam Tier II Obj 9.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
Healthcare and Life Science Guidance
[§ 1.3.15, § 2.2.2, § 2.2.27, § 2.12.1, CMS Core Security Requirements (CSR), Draft]
[§ 164.310(a)(1), § 164.310(a)(2)(ii), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
[§ 4.10, Introductory Resource Guide for HIPAA NIST SP 800-66]
Energy Guidance
The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
The organization shall establish procedures for the appropriate use of physical access controls as described in Requirement R3 including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls. [CIP-004-1 R4, CIP-006-1 R1.4, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
US Federal Security Guidance
Facilities that house information systems may be designated as restricted areas. Facilities designated as restricted areas must have all entrances protected by a minimum of 2 independent barriers or security systems, such as a second access door or a chain-link fence outside the facility that can be securely locked. Facilities that house SCI material should follow the requirements of DIAM 50-3. [§ 2-10.c thru § 2-10.e, § 2-12.e, Army Regulation 380-19: Information Systems Security, February 27, 1998]
The physical security needs of the facility must be used to determine where law enforcement officials are deployed. [§ 106(a), Aviation and Transportation Security Act, Public Law 107-71, November 2001]
Facilities covered by the Chemical Facility Anti-Terrorism Standards (CFATS) must secure and monitor the facility perimeter and the restricted areas within the facility. Attacks on the facility must be deterred using visible and professional security measures and systems, which must also detect attacks through barriers and countersurveillance. [§ 27.230(a)(1), § 27.230(a)(4)(ii), § 27.230(a)(4)(iii), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]
The areas around the cargo handling and storage facilities should be enclosed by a perimeter fence. The fencing must be inspected regularly. Private vehicles should be prohibited from parking near storage and cargo handling areas. Buildings must be inspected regularly to ensure their integrity, and repairs should be made, as necessary. [Fencing, Parking, Building Structure, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria]
Contractors must ensure the closed area between raised floors and false ceilings is structurally secure. [§ 5-306, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
The transit facility should have a perimeter barrier that is under continuous surveillance. If the perimeter barrier is a chain link fence, it should be #11 gauge or heavier, have mesh openings no more than 2 inches square, have barbed wire, and have the bottom extended into the ground. If the perimeter barrier is a masonry wall, it should be at least 7 feet high with barbed wire or at least 8 feet high with broken glass. [Perimeter Barriers, DOT Physical Security Survey Checklist]
Calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
[AC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]
Public access to the roof should be restricted to authorized personnel. Access should be controlled by keyed locks, keycards, or another similar measure. [Pg 12, Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002]
The physical security needs of the facility will be used to decide where to deploy law enforcement officials. The Under Secretary of Transportation for Security must develop guidelines to achieve maximum security for the design and construction of new airports. [§ 44903(h)(2), § 44914, TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001]
All hangar and personnel doors should be locked when unattended. Hangars should have security signs and not have keys that are easily copied or obtained. The keys should be rekeyed whenever a new tenant takes over the hangar. [§ 3.3.1, Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004, Version 1.0]
The airport operator must post warning signs on access points and perimeters to secured areas. [§ 1542.203, 49 CFR Part 1542 - Airport Security]
Bank information system security controls should include clearly defined security measures with measurable performance standards. Responsible personnel should be assigned to ensure a comprehensive security program. Bank management should take necessary steps to protect mission-critical systems from unauthorized intrusions. Systems should be safeguarded, to the extent possible, against risks associated with fraud, negligence, and physical destruction of bank property. Control points should include facilities, personnel, policies and procedures, network controls, system controls, and vendors. These may include security access restrictions, background checks on employees, separation of duties, and audit trails to protect system security within the bank and with vendors. As technologies and systems change or mature, security controls should be reevaluated periodically. [¶ 34, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]
US Internal Revenue Guidance
Buildings, rooms, facilities, and containers that contain sensitive or vulnerable information should be locked when not in use. [§ 4.3.9, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.10.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
The organization must establish and maintain physical and environmental protection policies and procedures to enforce physical access authorization at all non-public access points; verify authorization before permitting entry; control access to the facility using physical access devices and/or guards; control access to public areas in accordance with the risk assessment; secure keys and other physical access devices; inventory physical access devices on a schedule; and change combinations and keys when they are lost or compromised or when individuals are transferred or terminated. [App F § PE-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents and the facility should be examined to ensure all entry and exit points are controlled; access authorization is verified prior to access being granted; publicly available areas are controlled according to the risk assessment; physical access devices are functioning correctly and properly maintained; keys and combinations are secured and changed when necessary; the access control system meets the requirements of FIPS 201 and NIST Special Publications 800-73, 800-76, and 800-78; and specific responsibilities and actions are defined for the implementation of the physical access control. Any problems discovered during the implementation of the physical access control should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in the physical security of the facility. [PE-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
A security perimeter should be used to protect areas containing information processing facilities. The strength of the perimeter depends on the classification of the information being protected. [§ 9.1.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
Information processing facilities and areas that contain sensitive information should be protected by physical security perimeters. Examples of security perimeters are fences, manned reception desks, or card controlled entry gates. [Annex A.9.1.1, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
A security perimeter should be used to protect areas containing information processing facilities. The strength of the perimeter depends on the classification of the information being protected. [§ 9.1.1, ISO/IEC 27002 Code of practice for information security management, 2005]
The service provider should establish a way to segregate and identify personnel located at the recovery facilities, and to prevent them from accessing ICT systems and information without a need, by placing restrictions on physical access to the facilities that house ICT systems. Work areas used by service provider, organization, and vendor personnel should be planned and designed with information confidentiality and privacy as one of the prime considerations. Physical access control facilities, procedures, and policies should be developed, documented, and implemented, in accordance with the assessed risks and the services being provided to organizations, for controlling and monitoring physical access in, out, and within the premises. Perimeters and exteriors should be physically secured against vandalism and break-ins. These controls should include using solid construction for external walls and protecting all doors and relevant windows against unauthorized access. Also, buildings should be protected against lightning and induced electrical surges that could damage the building and/or cause temporary or permanent malfunctions of electrical and electronic equipment. Physical barriers for restricted facilities should include true floor-to-ceiling walls to prevent unauthorized entry and environmental contamination. Other barriers should be implemented if this is not possible. [§ 5.7.3, § 6.3.1, § 6.4.3.1, § 6.4.3.2, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
¶ 8.1.7(1)(5) Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
1. Material Protection
Physical safeguards to protect a building may include fences, physical access control, strong walls, doors, and windows. Secure areas within a building should be protected from unauthorized access by physical access controls, guards, etc. Secure areas might be necessary for IT equipment, such as servers, and associated software and data, supporting important business activities. Access to such secure areas should be limited to the minimum number of personnel necessary, and details recorded in a log. All diagnostic and control equipment should be securely stored and the use should be strictly controlled.
5. Protection against Theft
To achieve stock control, all items of equipment should be uniquely identifiable and an inventory maintained. Security guards/receptionists should be encouraged to check for equipment or media leaving rooms/areas or the building without authorization. Sensitive information and proprietary software held on portable media (e.g. floppy discs) should be protected appropriately.
¶ 10.2.9 Unauthorized access to storage media. An organization should implement safeguards to prevent the unauthorized access and use of storage media, which can endanger confidentiality if any confidential material is stored on that media. Safeguards to protect confidentiality are listed below.
• Operational issues: Media controls can be applied to provide, for example, physical protection and accountability for the media and assured storage deletion guarantees that nobody can obtain confidential material from a previously deleted medium. Special care should be taken to protect easily removable media, such as floppy discs, back-up tapes and paper.
• Physical security: The appropriate protection of rooms (strong walls and windows as well as physical access control) and security furniture can protect against unauthorized access.
• Data confidentiality protection: Additional protection for sensitive material on storage media can be achieved by encrypting the material. A key management system should be implemented to apply encryption.
¶ 10.4.19 Unauthorized access to storage media. An organization should implement safeguards that prevent the unauthorized access and use of storage media, which can endanger availability since it could result in unauthorized destruction of the information stored on these media. Safeguards to protect availability are listed below.
• Operational issues: Media controls can be applied to provide, for example, physical protection and accountability for the media to avoid unauthorized access to the information stored on the media. Special care should be taken for easily removable media, such as floppy discs, back-up tapes and paper.
• Physical security: The appropriate protection of rooms (strong walls and windows as well as physical access control) and security furniture protect against unauthorized access. [¶ 8.1.7(1)(5), ¶ 10.2.9, ¶ 10.4.19, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
ITIL Guidance
[§ 4.3.2, OGC ITIL: Security Management]
General Guidance
The organization should implement procedures to restrict physical access to personal information. [ID 8.2.3, AICPA/CICA Privacy Framework]
Procedures should be in place to restrict physical access to the organizational facilities. [¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5, AICPA Suitable Trust Services Principles and Criteria]
An effective physical protection plan should include a series of barriers, not just a single barrier. Each barrier should be designed to delay entry as long as possible and should have a method to notify the organization when a penetration has occurred. The building's surfaces should be evaluated for their effectiveness as structural barriers. This evaluation should consist of a physical inspection and an inspection of the architectural drawings (some construction details are not apparent from a physical inspection). Inspectors must remember that all areas have 6 sides that need to be protected. Openings that are less than 18 feet above the ground and have an area greater than 96 square inches should be protected against penetration. A successful physical security facility plan has several basic elements: making the guard force accountable to the organization; ensuring guards have a sufficient salary to be dedicated; using guards at each entry and exit; ensuring the guards are properly trained; and requiring the guards to monitor the facility through key-operated stations 24 hours a day. Storage yards should be protected by a high fence with barbed wire, lights, and guard tours. The physical security of the facility should be planned out for projects in foreign countries to ensure workers are protected at an appropriate level. Aircraft facilities should be protected by perimeter fencing to prevent unauthorized access. All utilities should be physically protected by locating them in a security-controlled area, or special safeguards should be installed around any utilities that cannot be located in the security-controlled area. [Pg 3-I-2, Pg 3-I-6, Pg 11-II-9, Pg 11-II-16, Pg 19-I-14, Pg 23-VI-9, Pg 36-I-3, Protection of Assets Manual, ASIS International]
The organization should define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, while considering relevant laws and regulations, such as occupational health and safety regulations.
The organization should define and implement physical security measures in line with business requirements. Measures should include, but are not limited to, the layout of the security perimeter, security zones, location of critical equipment, and shipping and receiving areas. In particular, keep a low profile about the presence of critical IT operations. Responsibilities for monitoring and procedures for reporting and resolving physical security incidents need to be established. [DS12.1, DS12.2, CobiT, Version 4.1]
Physical protection procedures should be developed for all facilities that process critical information. Locks and bolts should be installed on all vulnerable doors and windows to protect against unauthorized access. [SM4.5.1, SM4.5.3(a), CI2.8.1(a), CI2.8.1(b), CI2.8.7(a), CI4.1.1, NW3.4.1, UE6.4.2(a), UE6.4.3(a), The Standard of Good Practice for Information Security]
Other European and African Guidance
Data about genetic identity must be processed only in protected premises that may be accessed only by persons in charge of processing and entities that have been specifically authorized to access them. [Annex B.24, Italy Personal Data Protection Code]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of servers in locations with controlled physical access. [UCF Control ID 02067]
• Report on the percentage of physical security incidents that involved unauthorized entry into a facility containing information systems. [UCF Control ID 04564]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
