Physical security of facilities

Status: Live

The organization will ensure that access to primary and off-site facilities is controlled through the use of access mechanisms, verifying individual access authorizations before granting access to the facilities. [UCF ID 00711]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 8.2.3; AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5; AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls, App ¶ 9.3; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.C.1.b; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-1, Exam Tier I Obj 10.7 (Testing Strategies), Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – Information Security, Pg 53, Exam Tier I Obj 4.1; FFIEC IT Examination Handbook – Operations, July 2004, Pg 21, Exam Tier II Obj E.1; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 7.10; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 9.1; CMS Core Security Requirements (CSR), Draft, § 1.3.15, § 2.2.2, § 2.2.27, § 2.12.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.310(a)(1), § 164.310(a)(2)(ii); Introductory Resource Guide for HIPAA NIST Special Publication 800-66, § 4.10; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-004-1 R4, CIP-006-1 R1.4; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-10.c thru § 2-10.e, § 2-12.e; Protection of Assets Manual, ASIS International, Pg 3-I-2, Pg 3-I-6, Pg 11-II-9, Pg 11-II-16, Pg 19-I-14, Pg 23-VI-9, Pg 36-I-3; Aviation and Transportation Security Act, Public Law 107-71, November 2001, § 106(a); Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.230(a)(1), § 27.230(a)(4)(ii), § 27.230(a)(4)(iii); Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria, Fencing, Parking, Building Structure; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-306; 
DOT Physical Security Survey Checklist, Perimeter Barriers; Federal Information Security Management Act of 2002 (FISMA), § 7.1.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-3.1; Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002, Pg 12; TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001, § 44903(h)(2), § 44914; Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004, Version 1.0, § 3.3.1; 49 CFR Part 1542 - Airport Security, § 1542.203; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.9; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.10.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-3; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-3; CobiT 4.1, DS12.1, DS12.2; The Standard of Good Practice for Information Security, SM4.5.1, SM4.5.3(a), CI2.8.1(a), CI2.8.1(b), CI2.8.7(a), CI4.1.1, NW3.4.1, UE6.4.2(a), UE6.4.3(a); ISO 17799:2005 Code of Practice for Information Security Management, § 9.1.1; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.9.1.1; ISO/IEC 27002-2005 Code of practice for information security management, § 9.1.1; OGC ITIL: Security Management, § 4.3.2; Archer Control Table, ATCS-082, ATCS-085, ATCS-488, ATCS-489, ATCS-490, ATCS-492, ATCS-773, ATCS-819; Italy Personal Data Protection Code, Annex B.24

Sarbanes Oxley Guidance

The organization should implement procedures to restrict physical access to personal information. [ID 8.2.3, AICPA/CICA Privacy Framework]

Procedures should be in place to restrict physical access to the organizational facilities. [¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5, AICPA Suitable Trust Services Principles and Criteria]

[App ¶ 9.3, AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls]

Banking and Finance Guidance

The organization should implement access restrictions to prevent unauthorized individuals from accessing locations containing customer information. [App B § III.C.1.b, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

The organization should use locked doors, guards, motion detectors, and other controls to restrict physical access to the facility. [Pg C-1, Exam Tier I Obj 10.7 (Testing Strategies), Exam Tier II Obj 1.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The doors and windows to the facility should be secured. The data center should be located in an environment safe from flood, fire, or other threats. Guards, fences, surveillance equipment, and other devices should be used to protect the facility. [Pg 53, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook – Information Security]

The facility should have limited windows and access points; adequate lighting around the perimeter; perimeter video surveillance and alarms, if necessary; and trained guards, if necessary. [Pg 21, Exam Tier II Obj E.1, FFIEC IT Examination Handbook – Operations, July 2004]

[Exam Tier II Obj 7.10, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[Exam Tier II Obj 9.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

Healthcare and Life Science Guidance

[§ 1.3.15, § 2.2.2, § 2.2.27, § 2.12.1, CMS Core Security Requirements (CSR), Draft]

[§ 164.310(a)(1), § 164.310(a)(2)(ii), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]

[§ 4.10, Introductory Resource Guide for HIPAA NIST Special Publication 800-66]

Energy Guidance

The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
The organization shall establish procedures for the appropriate use of physical access controls as described in Requirement R3, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.
[CIP-004-1 R4, CIP-006-1 R1.4, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]

US Federal Security Guidance

Facilities that house information systems may be designated as restricted areas. Facilities designated as restricted areas must have all entrances protected by a minimum of 2 independent barriers or security systems, such as a second access door or a chain-link fence outside the facility that can be securely locked. Facilities that house SCI material should follow the requirements of DIAM 50-3. [§ 2-10.c thru § 2-10.e, § 2-12.e, Army Regulation 380-19: Information Systems Security, February 27, 1998]

An effective physical protection plan should include a series of barriers, not just a single barrier. Each barrier should be designed to delay entry as long as possible and should have a method to notify the organization when a penetration has occurred. The building's surfaces should be evaluated for their effectiveness as structural barriers. This evaluation should consist of a physical inspection and an inspection of the architectural drawings (some construction details are not apparent from a physical inspection). Inspectors must remember that all areas have 6 sides that need to be protected. Openings that are less than 18 feet above the ground and have an opening area greater than 96 square inches should be protected against penetration. A successful physical security facility plan has several basic elements: making the guard force accountable to the organization; ensuring guards have a sufficient salary to be dedicated; using guards at each entry and exit; ensuring the guards are properly trained; and requiring the guards to monitor the facility through key-operated stations 24 hours a day. Storage yards should be protected by a high fence with barbed wire, lights, and guard tours. The physical security of the facility should be planned out for projects in foreign countries to ensure workers receive an appropriate level of protection. Aircraft facilities should be protected by perimeter fencing to prevent unauthorized access. All utilities should be physically protected by locating them in a security-controlled area, or special safeguards should be installed around any utilities that cannot be located in the security-controlled area. [Pg 3-I-2, Pg 3-I-6, Pg 11-II-9, Pg 11-II-16, Pg 19-I-14, Pg 23-VI-9, Pg 36-I-3, Protection of Assets Manual, ASIS International]

The physical security needs of the facility must be used to determine where law enforcement officials are deployed. [§ 106(a), Aviation and Transportation Security Act, Public Law 107-71, November 2001]

Facilities covered by the Chemical Facility Anti-Terrorism Standards (CFATS) must secure and monitor the facility perimeter and the restricted areas within the facility. Attacks on the facility must be deterred using visible and professional security measures and systems, and attacks must be detected through barriers and countersurveillance. [§ 27.230(a)(1), § 27.230(a)(4)(ii), § 27.230(a)(4)(iii), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

The areas around the cargo handling and storage facilities should be enclosed by a perimeter fence. The fencing must be inspected regularly. Private vehicles should be prohibited from parking near storage and cargo handling areas. Buildings must be inspected regularly to ensure their integrity, and repairs should be made, as necessary. [Fencing, Parking, Building Structure, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria]

Contractors must ensure that the closed areas between raised floors and false ceilings are structurally secure. [§ 5-306, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

The transit facility should have a perimeter barrier that is under continuous surveillance. If the perimeter barrier is a chain link fence, it should be #11 gauge or heavier, have mesh openings no more than 2 inches square, be topped with barbed wire, and have the bottom extended into the ground. If the perimeter barrier is a masonry wall, it should be at least 7 feet high with barbed wire or at least 8 feet high with broken glass. [Perimeter Barriers, DOT Physical Security Survey Checklist]

[§ 7.1.1, Federal Information Security Management Act of 2002 (FISMA)]

FIPS 200 calls for Physical and Environmental Protection (PE). Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

[AC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]

Access to the roof should be restricted to authorized personnel. Access should be controlled by keyed locks, keycards, or another similar measure. [Pg 12, Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002]

The physical security needs of the facility will be used to decide where to deploy law enforcement officials. The Under Secretary of Transportation for Security must develop guidelines to achieve maximum security for the design and construction of new airports. [§ 44903(h)(2), § 44914, TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001]

All hangar and personnel doors should be locked when unattended. Hangars should have security signs and should not use keys that are easily copied or obtained. The locks should be rekeyed whenever a new tenant takes over the hangar. [§ 3.3.1, Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004, Version 1.0]

The airport operator must post warning signs on access points and perimeters to secured areas. [§ 1542.203, 49 CFR Part 1542 - Airport Security]

US Internal Revenue Guidance

Buildings, rooms, facilities, and containers that contain sensitive or vulnerable information should be locked when not in use. [§ 4.3.9, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

[§ 3.10.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

The organization should use physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing information systems. The organization should secure keys, combinations, and other access devices and inventory those devices regularly. The organization should change combinations and keys:
1. periodically; and
2. when keys are lost, combinations are compromised, or individuals are transferred or terminated.
After an emergency-related event, the organization needs to restrict reentry to facilities to authorized individuals only. Workstations and associated peripherals connected to (and part of) an organizational information system may be located in areas designated as publicly accessible with access to such devices being appropriately controlled.
[PE-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records and documents and the facility should be examined to ensure that all entry and exit points are controlled; access authorization is verified prior to access being granted; publicly accessible areas are controlled according to the risk assessment; physical access devices are functioning correctly and properly maintained; keys and combinations are secured and changed when necessary; the access control system meets the requirements of FIPS 201 and NIST Special Publications 800-73, 800-76, and 800-78; and specific responsibilities and actions are defined for the implementation of the physical access control. Any problems discovered during the implementation of the physical access control should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in the physical security of the facility.
[PE-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

A security perimeter should be used to protect areas containing information processing facilities. The strength of the perimeter depends on the classification of the information being protected. [§ 9.1.1, ISO 17799:2005 Code of Practice for Information Security Management]

Information processing facilities and areas that contain sensitive information should be protected by physical security perimeters. Examples of security perimeters are fences, manned reception desks, or card controlled entry gates. [Annex A.9.1.1, ISO 27001:2005, Information Security Management Systems - Requirements]

A security perimeter should be used to protect areas containing information processing facilities. The strength of the perimeter depends on the classification of the information being protected. [§ 9.1.1, ISO/IEC 27002-2005 Code of practice for information security management]

ITIL Guidance

[§ 4.3.2, OGC ITIL: Security Management]

General Guidance

The organization should define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, while considering relevant laws and regulations, such as occupational health and safety regulations.
The organization should define and implement physical security measures in line with business requirements. Measures should include, but are not limited to, the layout of the security perimeter, security zones, the location of critical equipment, and shipping and receiving areas. In particular, the organization should keep a low profile about the presence of critical IT operations. Responsibilities for monitoring, and procedures for reporting and resolving physical security incidents, need to be established.
[DS12.1, DS12.2, CobiT 4.1]

Physical protection procedures should be developed for all facilities that process critical information. Locks and bolts should be installed on all vulnerable doors and windows to protect against unauthorized access. [SM4.5.1, SM4.5.3(a), CI2.8.1(a), CI2.8.1(b), CI2.8.7(a), CI4.1.1, NW3.4.1, UE6.4.2(a), UE6.4.3(a), The Standard of Good Practice for Information Security]

Other European and African Guidance

Data about genetic identity must be processed only in protected premises that may be accessed only by persons in charge of processing and entities that have been specifically authorized to access them. [Annex B.24, Italy Personal Data Protection Code]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of servers in locations with controlled physical access [UCF Control ID 02067]
    Report on the percentage of physical security incidents allowing unauthorized entry into facility containing information systems [UCF Control ID 04564]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.