The organization will develop, disseminate, and review: 1) a formal process to establish and maintain physical security of distributed IT assets that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the process. [UCF ID 00718]
Supporting and supported controls
This control directly supports:
• Physical and environmental protection [UCF Common Control ID 00709]
This control has the following supporting controls:
• Maintain cabinet and vault security [UCF Common Control ID 00717]
• Desktop and notebook security [UCF Common Control ID 00719]
• Physical information and media security [UCF Common Control ID 00720]
• Physical LAN cabling access [UCF Common Control ID 00723]
• Physically separate systems that store sensitive data from those that don't [UCF Common Control ID 00722]
• Access controls for displays [UCF Common Control ID 01437]
• Delivery and removal of assets will be properly controlled through entry and exit areas [UCF Common Control ID 01441]
• Physically protect managed network hardware in locked rooms or cabinets [UCF Common Control ID 01873]
• Ensure the proper return of assets [UCF Common Control ID 04537]
• Establish off site physical and logical controls for all distributed assets [UCF Common Control ID 04539]
• All IT assets being removed from the facility must have proper authorization [UCF Common Control ID 04540]
• The physical use of mobile e-mail devices near classified data will be disallowed unless expressly authorized [UCF Common Control ID 04597]
• The physical use of mobile communications devices with camera capability will be disallowed near classified data unless expressly authorized [UCF Common Control ID 04598]
Authority documents complied with:
Australian Government ICT Security Manual (ACSI 33) § 3.1.7, 3.1.17, 3.1.34, 3.10.50; FFIEC IT Examination Handbook – Information Security Pg 47-48, Exam Tier I Obj 4.1, Exam Tier II Obj E.1, Exam Tier II Obj E.4; FFIEC IT Examination Handbook – Business Continuity Planning Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – Audit Exam Tier II Obj E.2, Exam Tier II Obj E.3; FFIEC IT Examination Handbook – Operations Pg 21, Exam Tier II Obj E.1; FFIEC IT Examination Handbook – Wholesale Payment Systems Exam Tier I Obj 2.1; FFIEC IT Examination Handbook – Retail Payment Systems Exam Tier II Obj 3.1; FFIEC IT Examination Handbook – E-Banking Obj 5.4; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-006-1 R1, R1.1; CobiT 4.1 AI3.2, DS13.4; CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) Pg A-11 OP1.1.5, Pg A-14 OP2.1.1; The Standard of Good Practice for Information Security SM4.5.4(b), SM4.5.4(c), CI2.8.2(a), UE6.4.5(b); HIPAA (Health Insurance Portability and Accountability Act) § 164.310(a)(2)(ii); ISO 17799:2000, Code of Practice for Information Security Management § 7.2, § 7.3.2; ISO 17799:2005 Code of Practice for Information Security Management § 11.3.3; ISO 27001:2005, Information Security Management Systems - Requirements § A.11.3.3; ISO/IEC 27002-2005 Code of practice for information security management § 11.3.3; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 4.6; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 PE-4 through PE-9; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST Special Publication 800-48 Revision 1 § 6.1; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97 Table 8-2 Item 12; Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124 ?; DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2 2 (WIR0180), 4.2 (WIR0374); The Center for Internet Security Wireless Networking Benchmark version 1.0 § 2.2 (2.2.025); DISA Wireless STIG Windows Mobile Messaging Checklist Version 5, Release 2.3 2.1 (WIR0180); DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.1 ?; DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.1 ?; Payment Card Industry Self-Assessment Questionnaire D 9.1.2; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 9.1.3; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 9.1.3; AICPA Suitable Trust Services Criteria ¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5; Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings § 1.11; Mac OS X Security Configuration for version 10.4 or later, second edition Pg 31, 82; DISA Windows Server 2003 Security Checklist Version 6 § 3.1; DISA Windows XP Security Checklist Version 6 § 3.1; DISA Windows VISTA Security Checklist Version 6 § 3.1 (1.001); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems § 3; Army Regulation 380-19: Information Systems Security § 2-3.a(4); IRS Internal Revenue Code Section 501(c)(3) § 4.2, § 5.6.17.1, Exhibit 6, § 5.6.17.6; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information Q1 09
Sarbanes Oxley Guidance
¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5 of AICPA Suitable Trust Services Criteria states that procedures should be in place to restrict physical access to system components.
§ II.C of OMB Circular A-123 Management’s Responsibility for Internal Control states that the organization should have controls in place to limit access to all the system's assets.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Operations Pg 21, Exam Tier II Obj E.1 states that all critical and valuable equipment should contain bar codes and labels and be logged in an inventory.
Healthcare and Life Science Guidance
HIPAA § 164.310(a)(2)(ii) indicates that the organization should implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Energy Guidance
The North American Electric Reliability Corporation's CIP-006-1 R1 states that the Responsible Entity shall create and maintain a physical security plan, approved by a senior manager or delegate(s).
R1.1 states that the organization should establish processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter also reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to the Critical Cyber Assets.
Credit Card Guidance
The Payment Card Industry Self-Assessment Questionnaire D § 9.1.2 states that the ability to access publicly accessible network jacks should be restricted.
§ 9.1.3 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that the organization must restrict physical access to gateways and wireless access points.
§ 9.1.3 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that the organization must restrict physical access to gateways and wireless access points.
US Federal Security Guidance
FIPS Publication 191 2.1.5 lists inadequate physical protection of LAN devices as a potential vulnerability to an organization’s network.
FIPS Publication 200, § 3 Specifications for Minimum Security Requirements calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
§ 2-3.a(4) of Army Regulation 380-19: Information Systems Security states that there should be physical controls in place to prevent unauthorized modification to, destruction of, or disclosure of software, documentation, and data and to prevent unauthorized modification to or destruction of hardware. The protection level should be commensurate with the information sensitivity of the system.
US Internal Revenue Service Guidance
§ 4.2, § 5.6.17.1, Exhibit 6, § 5.6.17.6 of IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information states that the minimum protection standards for accessing Federal Tax Information (FTI) require going through two barriers under normal security. There are 3 physical protection combinations to choose from: secured perimeter/locked container, locked perimeter/secured interior, and locked perimeter/security container. Fax machines used to send FTI must be located in a secure area. Data warehousing environments should have the same security requirements as a typical networked environment.
NIST Guidance
NIST 800-14 requires that all portable systems be secured when not in use and that the information stored on them, when cost-effective, be encrypted.
NIST 800-41 § 4.6 describes the physical security of a firewall. If firewalls can be easily accessed by intruders or accidentally damaged, they are highly vulnerable, no matter what kind of defense they might otherwise provide. It is recommended that they be kept behind locked doors, or protected by guards and physical security alarms.
NIST 800-53 calls for agencies to implement physical access controls over systems and devices that allow for the display or transmission of unencrypted information. The standard also calls for agencies to limit access to laptop computers or other portable information systems to authorized individuals. Additionally, the standard requires that agencies control the delivery and removal of information systems and generate records of such activity.
PE-6 states that the organization should review physical access logs periodically, investigate apparent security violations or suspicious physical access activities, and take remedial actions.
For moderate- and high-risk systems, PE-6(1) suggests that the organization monitor real-time intrusion alarms and surveillance equipment.
For high-risk systems, PE-6(2) suggests that the organization employ automated mechanisms to ensure potential intrusions are recognized and appropriate response actions initiated.
Table 8-2 Item 12 of Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97 states that access points should be located away from exterior walls and windows and near the center of rooms to help reduce the coverage area.
NIST 800-66 § 4.11-4.12 address § 164.310(b) and § 164.310(c) of the HIPAA Standard. Both sections cover workstations and how to implement policies and procedures for proper use and security of each employee workstation. Detailed lists of tasks to carry out in order to achieve proper use and security are provided. These lists contain so much information that it is best to read from the document directly.
§ 4.13 matches up with § 164.310(d)(1) of the HIPAA Standard. The goal of this section is to provide detailed steps for implementing policies and procedures for the safe receipt and removal of hardware and electronic media containing electronic protected health information into and out of a facility. This goal is accomplished through the use of an elaborate activities chart describing the process by which an organization may implement appropriate policies and procedures. Due to the high volume of information, it is best to read this section directly.
§ 6.1 of Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST Special Publication 800-48 Revision 1 states that the wireless security plan should include guidelines for protecting WLAN client devices from theft.
Systems security checklist guidance
The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings § 1.11 states that if the server can be physically accessed, many security precautions can be overridden. The server should be located where the keyboard, mouse, and ports cannot be accessed without proper authorization.
Apple’s Mac OS X Security Configuration For Version 10.4 or Later Second Edition Pg 31, 82 states that physical access to the computer should be protected. Only personnel needing access to the computer should be admitted to the room. If the computer is located in an open area, it should be bolted to a wall or heavy furniture, or it should be locked in a secure container when not in use. Printers should be located in a secure location to prevent printed data from being read by unauthorized users.
The DISA Windows Server 2003 Security Checklist Version 6 § 3.1 states that physical access to the computer should be protected. Servers should be in either locked cabinets or rooms only accessible by authorized personnel. If workstations contain sensitive data, they should be located in an access-controlled area.
The DISA Windows XP Security Checklist Version 6 § 3.1 states that all equipment and ancillary devices should be protected. Servers should be located in locked cabinets or rooms where only authorized personnel are permitted. If workstations contain sensitive information, they should be located in a controlled-access area.
The DISA Windows VISTA Security Checklist Version 6 § 3.1 (1.001) states that all equipment and ancillary devices should be protected. Servers should be located in locked cabinets or rooms where only authorized personnel are permitted. If workstations contain sensitive information, they should be located in a controlled access area.
General security checklist guidance
§ 2 (WIR0180) and § 4.2 (WIR0374) of DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2 state that wireless and WWAN devices should not be permitted in a SCIF. Wireless devices that have been approved in accordance with Director of Central Intelligence Directive (DCID) 6/9 or 6/3 are allowed.
§ 2.2 (2.2.025) of The Center for Internet Security Wireless Networking Benchmark version 1.0 states that wireless network devices should be physically protected to ensure they cannot be tampered with or stolen.
§ 2.1 (WIR0180) of DISA Wireless STIG Windows Mobile Messaging Checklist Version 5, Release 2.3 states that wireless PEDs should not be permitted in a SCIF unless they have been approved in accordance with Director of Central Intelligence Directive (DCID) 6/9 or 6/3.
§ 2.1 (WIR0180) of DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.1 states that wireless PEDs should not be permitted in a SCIF unless they have been approved in accordance with Director of Central Intelligence Directive (DCID) 6/9 or 6/3.
§ 2.1 (WIR0180) of DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.1 states that wireless PEDs should not be permitted in a SCIF unless they have been approved in accordance with Director of Central Intelligence Directive (DCID) 6/9 or 6/3.
International Standards Organization Guidance
ISO 17799 calls for a “clear desk and screen policy.”
The ISO/IEC 27002-2005 Code of practice for information security management § 11.3.3 states that a policy should be developed for the clearing off of information from desks and computer screens when the user is not present. This will reduce the risk of unauthorized access and the loss of or damage to information.
The ISO 27001:2005 Information Security Management Systems - Requirements § A.11.3.3 states that a policy should be enforced to ensure that all personnel keep their desks cleared when they are not using them. Their computer screens should be cleared before they leave their desks to ensure unauthorized personnel cannot view the information.
The ISO 17799:2005 Code of Practice for Information Security Management § 11.3.3 states that a policy should be developed for the clearing off of information from desks and computer screens when the user is not present. This will reduce the risk of unauthorized access and the loss of or damage to information.
Asia and Pacific Rim Guidance
The Australian Government ICT Security Manual (ACSI 33) § 3.1.7, 3.1.17, 3.1.34, 3.10.50 states that measures should be implemented to ensure equipment is protected from theft, damage, and unauthorized access. Servers and communications equipment should be separated from general user areas by a clearly defined perimeter.
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of servers in locations with controlled physical access [UCF Common Control ID 02067]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
