Status: Live
The organization will develop, disseminate, and review: 1) a formal process to establish and maintain physical security of distributed IT assets that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the process. [UCF ID 00718]
Supporting and supported controls
This control directly supports:
• Physical and environmental protection [UCF Control ID 00709]
This control has the following supporting controls:
• Maintain cabinet and vault security [UCF Control ID 00717]
• Computing device security [UCF Control ID 00719]
• Physical information and media security [UCF Control ID 00720]
• Physical LAN cabling access [UCF Control ID 00723]
• Physically separate systems that store or process sensitive data from those that don't [UCF Control ID 00722]
• Access controls for displays [UCF Control ID 01437]
• Delivery and removal of assets will be properly controlled through entry and exit areas [UCF Control ID 01441]
• Physically protect managed network hardware in locked rooms or cabinets [UCF Control ID 01873]
• Ensure the proper return of assets [UCF Control ID 04537]
• Establish off site physical and logical controls for all distributed assets [UCF Control ID 04539]
• All IT assets being removed from the facility must have proper authorization [UCF Control ID 04540]
• The physical use of mobile e-mail devices near classified data will be disallowed unless expressly authorized [UCF Control ID 04597]
• The physical use of mobile communications devices with camera capability will be disallowed near classified data unless expressly authorized [UCF Control ID 04598]
• Ensure open storage containers (shelves and bins) only hold approved materials [UCF Control ID 02198]
• Establish portable and mobile device security [UCF Control ID 04723]
• Establish on site physical and logical controls for all distributed assets [UCF Control ID 04820]
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj E.2, Exam Tier II Obj E.3; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 5.4; FFIEC IT Examination Handbook – Information Security, Pg 47, Pg 48, Exam Tier I Obj 4.1, Exam Tier II Obj E.1, Exam Tier II Obj E.4; FFIEC IT Examination Handbook – Operations, July 2004, Pg 21, Exam Tier II Obj E.1; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 3.1; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier I Obj 2.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.310(a)(2)(ii); North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-006-1 R1, CIP-006-1 R1.1; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 9.1.3; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-3.a(4); Protection of Assets Manual, ASIS International, Pg 1-I-A2, Pg 12-II-19, Pg 12-II-45; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-313, § 8-308; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.2, § 5.6.17.1, Exhibit 6, § 5.6.17.6; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002, § 4.6; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-4 thru PE-9; CobiT 4.1, AI3.2, DS13.4; The Standard of Good Practice for Information Security, SM4.5.4(b), SM4.5.4(c), CI2.8.2(a), UE6.4.5(b); The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005, § 2.2 (2.2.025); DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.1 (WIR0180); DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3, § 2.1 (WIR0180); DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.1 (WIR0180); DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2, § 2 (WIR0180), § 4.2 (WIR0374); ISO 17799:2005 Code of Practice for Information Security Management, § 11.3.3; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.11.3.3; ISO/IEC 27002-2005 Code of practice for information security management, § 11.3.3; Australian Government ICT Security Manual (ACSI 33), § 3.1.7, § 3.1.17, § 3.1.34, § 3.10.50; OMB Circular A-123 Management’s Responsibility for Internal Control, § II.C; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.1.3; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, Revision 1, § 6.1; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-2 Item 12; Archer Control Table, ATCS-090, ATCS-091, ATCS-108, ATCS-164, ATCS-761, ATCS-773, ATCS-816; Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings, v1.0 August 2006, § 1.1; Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition, Pg 31, Pg 82; DISA Windows Server 2003 Security Checklist Version 6 Release 1.11, Version 6 Release 1.11, § 3.1; DISA Windows XP Security Checklist, Version 6 Release 1.11, § 3.1; DISA Windows VISTA Security Checklist, Version 6 Release 1.11, § 3.1 (1.001); Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.6.1.D
Sarbanes Oxley Guidance
Procedures should be in place to restrict physical access to system components. [¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5, AICPA Suitable Trust Services Principles and Criteria]
The organization should have controls in place to limit access to all the system's assets. [§ II.C, OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
[Exam Tier II Obj E.2, Exam Tier II Obj E.3, FFIEC IT Examination Handbook – Audit, August 2003]
[Exam Tier II Obj 1.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
[Obj 5.4, FFIEC IT Examination Handbook – E-Banking, August 2003]
External drives from system consoles and terminals that are not located in a physically secure location should be locked or removed. The operating system should only be accessed from terminals located in a physically secure location. [Pg 47, Pg 48, Exam Tier I Obj 4.1, Exam Tier II Obj E.1, Exam Tier II Obj E.4, FFIEC IT Examination Handbook – Information Security]
All critical and valuable equipment should contain bar codes and labels and be logged in an inventory. [Pg 21, Exam Tier II Obj E.1, FFIEC IT Examination Handbook – Operations, July 2004]
All critical and valuable equipment should contain bar codes and labels and be logged in an inventory. [Exam Tier II Obj 3.1, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
[Exam Tier I Obj 2.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
Healthcare and Life Science Guidance
The organization should implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. [§ 164.310(a)(2)(ii), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
Energy Guidance
The Responsible Entity shall create and maintain a physical security plan, approved by a senior manager or delegate(s).
The organization shall establish processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter also reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to the Critical Cyber Assets. [CIP-006-1 R1, CIP-006-1 R1.1, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
Payment Card Guidance
The organization must restrict physical access to gateways and wireless access points.
Verify physical access to wireless access points and gateways is restricted. [§ 9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The organization must restrict physical access to gateways and wireless access points. [§ 9.1.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
An organization must require that wireless devices be labeled with owner, contact information and purpose. [§ 4.6.1.D, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
US Federal Security Guidance
There should be physical controls in place to prevent unauthorized modification to, destruction of, or disclosure of software, documentation, and data and to prevent unauthorized modification to or destruction of hardware. The protection level should be commensurate with the information sensitivity of the system. [§ 2-3.a(4), Army Regulation 380-19: Information Systems Security, February 27, 1998]
The organization should ensure a program has been implemented to protect all information systems equipment, networks, and the information stored and processed on the equipment. Physical controls must be used to protect the server against unauthorized access. [Pg 1-I-A2, Pg 12-II-19, Pg 12-II-45, Protection of Assets Manual, ASIS International]
The areas where access transactions are displayed and authorization data and personal identification data are stored, displayed, recorded, and/or inputted must be protected. The organization is required to prevent or detect unauthorized modification of hardware or software and the unauthorized access to the information. [§ 5-313, § 8-308, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
FIPS 200 calls for Physical and Environmental Protection (PE). Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
The minimum protection standards for accessing Federal Tax Information (FTI) require going through two barriers under normal security. There are three physical protection combinations to choose from: secured perimeter/locked container, locked perimeter/secured interior, and locked perimeter/security container. Fax machines used to send FTI must be located in a secure area. Data warehousing environments should have the same security requirements as a typical networked environment. [§ 4.2, § 5.6.17.1, Exhibit 6, § 5.6.17.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
If a firewall can be easily accessed by intruders or accidentally damaged, it is highly vulnerable no matter what kind of defense it might provide. It is recommended that firewalls be kept behind locked doors, or protected by guards and physical security alarms. [§ 4.6, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002]
Agencies ought to implement physical access controls over systems and devices that allow for the display or transmission of unencrypted information. The standard also calls for agencies to limit access to laptop computers or other portable information systems to authorized individuals. Additionally, the standard requires that agencies control the delivery and removal of information. [PE-4 thru PE-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
The wireless security plan should include guidelines for protecting WLAN client devices from theft. [§ 6.1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, Revision 1]
Access points should be located away from exterior walls and windows and near the center of rooms to help reduce the coverage area. [Table 8-2 Item 12, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]
System Configuration Guidance
If the server can be physically accessed, many security precautions can be overridden. The server should be located where the keyboard, mouse, and ports cannot be accessed without proper authorization. [§ 1.1, Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings, v1.0 August 2006]
Physical access to the computer should be protected. Only personnel needing access to the computer should be admitted to the room. If the computer is located in an open area, it should be bolted to a wall or heavy furniture, or it should be locked in a secure container when not in use. Printers should be located in a secure location to prevent printed data from being read by unauthorized users. [Pg 31, Pg 82, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition]
Physical access to the computer should be protected. Servers should be in either locked cabinets or rooms only accessible by authorized personnel. If workstations contain sensitive data, they should be located in an access-controlled area. [§ 3.1, DISA Windows Server 2003 Security Checklist Version 6 Release 1.11, Version 6 Release 1.11]
All equipment and ancillary devices should be protected. Servers should be located in locked cabinets or rooms where only authorized personnel are permitted. If workstations contain sensitive information, they should be located in a controlled-access area. [§ 3.1, DISA Windows XP Security Checklist, Version 6 Release 1.11]
All equipment and ancillary devices should be protected. Servers should be located in locked cabinets or rooms where only authorized personnel are permitted. If workstations contain sensitive information, they should be located in a controlled-access area. [§ 3.1 (1.001), DISA Windows VISTA Security Checklist, Version 6 Release 1.11]
Other Configuration Guidance
Wireless network devices should be physically protected to ensure they cannot be tampered with or stolen. [§ 2.2 (2.2.025), The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005]
Wireless PEDs should not be permitted in a SCIF, unless they have been approved in accordance with Director Central Intelligence Directive (DCID) 6/9 or 6/3. [§ 2.1 (WIR0180), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]
Wireless PEDs should not be permitted in a SCIF unless they have been approved in accordance with Director Central Intelligence Directive (DCID) 6/9 or 6/3. [§ 2.1 (WIR0180), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3]
Wireless PEDs should not be permitted in a SCIF unless they have been approved in accordance with Director Central Intelligence Directive (DCID) 6/9 or 6/3. [§ 2.1 (WIR0180), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]
Wireless and WWAN devices should not be permitted in a SCIF. Wireless devices that have been approved in accordance with Director Central Intelligence Directive (DCID) 6/9 or 6/3 are allowed.
Verify users are trained on the appropriate security procedures for bringing wireless or WWAN devices into the SCIF, if permitted, and do not bring into the SCIF wireless or WWAN devices, if not permitted.
Interview the Information Assurance Officer (IAO) or the Security Manager (SM) to ensure site SCIF security procedures have been developed to either allow or prevent users from bringing wireless devices into the SCIF. If users are allowed to bring them in, ensure the procedures state what types of devices can be brought in and the condition (on/off) the devices must be in when in the SCIF. [§ 2 (WIR0180), § 4.2 (WIR0374), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2]
ISO Guidance
A policy should be developed for the clearing off of information from desks and computer screens when the user is not present. This will reduce the risk of unauthorized access and the loss of or damage to information. [§ 11.3.3, ISO 17799:2005 Code of Practice for Information Security Management]
A policy should be enforced to ensure that all personnel keep their desks cleared when they are not using them. Their computer screens should be cleared before they leave their desks to ensure unauthorized personnel cannot view the information. [Annex A.11.3.3, ISO 27001:2005, Information Security Management Systems - Requirements]
A policy should be developed for the clearing off of information from desks and computer screens when the user is not present. This will reduce the risk of unauthorized access and the loss of or damage to information. [§ 11.3.3, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The organization should implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
The organization should establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets such as special forms, negotiable instruments, special-purpose printers or security tokens. [AI3.2, DS13.4, CobiT 4.1]
Equipment used to print or fax important or sensitive information should be physically secured in a restricted space. [SM4.5.4(b), SM4.5.4(c), CI2.8.2(a), UE6.4.5(b), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
Measures should be implemented to ensure equipment is protected from theft, damage, and unauthorized access. Servers and communications equipment should be separated from general user areas by a clearly defined perimeter. [§ 3.1.7, § 3.1.17, § 3.1.34, § 3.10.50, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of servers in locations with controlled physical access [UCF Control ID 02067]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
