Establish and maintain physical security of distributed IT assets


The organization will develop, disseminate, and review: 1) a formal process to establish and maintain physical security of distributed IT assets that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the process. [UCF ID 00718]

Supporting and supported controls

This control directly supports:

Physical and environmental protection [UCF Control ID 00709]

This control has the following supporting controls:

Maintain cabinet and vault security [UCF Control ID 00717]
Desktop and notebook security [UCF Control ID 00719]
Physical information and media security [UCF Control ID 00720]
Physical LAN cabling access [UCF Control ID 00723]
Physically separate systems that store sensitive data from those that don't [UCF Control ID 00722]
Access controls for displays [UCF Control ID 01437]
Delivery and removal of assets will be properly controlled through entry and exit areas [UCF Control ID 01441]
Physically protect managed network hardware in locked rooms or cabinets [UCF Control ID 01873]
Ensure the proper return of assets [UCF Control ID 04537]
Establish off site physical and logical controls for all distributed assets [UCF Control ID 04539]
All IT assets being removed from the facility must have proper authorization [UCF Control ID 04540]
The physical use of mobile e-mail devices near classified data will be disallowed unless expressly authorized [UCF Control ID 04597]
The physical use of mobile communications devices with camera capability will be disallowed near classified data unless expressly authorized [UCF Control ID 04598]

Authority documents complied with:

Australian Government ICT Security Manual (ACSI 33) § 3.1.7, 3.1.17, 3.1.34, 3.10.50; FFIEC IT Examination Handbook – Information Security Pg 47-48, Exam Tier I Obj 4.1, Exam Tier II Obj E.1, Exam Tier II Obj E.4; FFIEC IT Examination Handbook – Business Continuity Planning Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – Audit Exam Tier II Obj E.2, Exam Tier II Obj E.3; FFIEC IT Examination Handbook – Operations Pg 21, Exam Tier II Obj E.1; FFIEC IT Examination Handbook – Wholesale Payment Systems Exam Tier I Obj 2.1; FFIEC IT Examination Handbook – Retail Payment Systems Exam Tier II Obj 3.1; FFIEC IT Examination Handbook – E-Banking Obj 5.4; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-006-1 R1, R1.1; CobiT 4.1 AI3.2, DS13.4; CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) Pg A-11 OP1.1.5, Pg A-14 OP2.1.1; The Standard of Good Practice for Information Security SM4.5.4(b), SM4.5.4(c), CI2.8.2(a), UE6.4.5(b); HIPAA (Health Insurance Portability and Accountability Act) § 164.310(a)(2)(ii); ISO 17799:2000, Code of Practice for Information Security Management § 7.2, § 7.3.2; ISO 17799:2005 Code of Practice for Information Security Management § 11.3.3; ISO 27001:2005, Information Security Management Systems - Requirements § A.11.3.3; ISO/IEC 27002-2005 Code of practice for information security management § 11.3.3; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 4.6; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 PE-4 thru 9; Payment Card Industry Self-Assessment Questionnaire D 9.1.2; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 9.1.3; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 9.1.3; AICPA Suitable Trust Services Criteria ¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5; Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings § 1.11; Mac OS X Security Configuration for version 10.4 or later, second edition Pg 31, 82; DISA Windows Server 2003 Security Checklist Version 6 § 3.1; DISA Windows XP Security Checklist Version 6 § 3.1; DISA Windows VISTA Security Checklist Version 6 § 3.1 (1.001)

Sarbanes Oxley Guidance

¶ .17 § 3.2, ¶ .20 § 3.5, ¶ .24 § 3.6, ¶ .29 § 3.5 of AICPA Suitable Trust Services Criteria states that procedures should be in place to restrict physical access to system components.

§ II.C of OMB Circular A-123 Management's Responsibility for Internal Control states that the organization should have controls in place to limit access to all the system's assets.

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Operations Pg 21, Exam Tier II Obj E.1 states that all critical and valuable equipment should contain bar codes and labels and be logged in an inventory.

Healthcare and Life Science Guidance

HIPAA § 164.310(a)(2)(ii) indicates that the organization should implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Energy Guidance

The North American Electric Reliability Corporation's CIP-006-1 R1 states that the Responsible Entity shall create and maintain a physical security plan, approved by a senior manager or delegate(s).

R1.1 states that the organization must establish processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter also reside within an identified Physical Security Perimeter. Where a completely enclosed ("six-wall") border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to the Critical Cyber Assets.

Credit Card Guidance

The Payment Card Industry Self-Assessment Questionnaire D § 9.1.2 states that the ability to access publicly accessible network jacks should be restricted.

§ 9.1.3 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that the organization must restrict physical access to gateways and wireless access points.

§ 9.1.3 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that the organization must restrict physical access to gateways and wireless access points.

US Federal Security Guidance

FIPS Publication 191 2.1.5 lists inadequate physical protection of LAN devices as a potential vulnerability to an organization’s network.

FIPS Publication 200, § 3 Specifications for Minimum Security Requirements calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

NIST Guidance

NIST 800-14 requires that all portable systems should be secured when not in use and the information stored on them, when cost-effective, should be encrypted.

NIST 800-41 § 4.6 describes the physical security of firewalls. If a firewall can be easily reached by an intruder or accidentally damaged, it is highly vulnerable no matter what kind of defense it provides. It is recommended that firewalls be kept behind locked doors, or protected by guards and physical security alarms.

NIST 800-53 calls for agencies to implement physical access controls over systems and devices that allow for the display or transmission of unencrypted information. The standard also calls for agencies to limit access to laptop computers or other portable information systems to authorized individuals. Additionally, the standard requires that agencies control the delivery and removal of information systems and generate records of such activity.

PE-6 states that the organization should review physical access logs periodically, investigate apparent security violations or suspicious physical access activities, and take remedial actions.

For moderate and high risk systems, PE-6(1) suggests the organization monitor real-time intrusion alarms and surveillance equipment.

For high risk systems, PE-6(2) suggests the organization employ automated mechanisms to ensure potential intrusions are recognized and appropriate response actions initiated.

NIST 800-66 § 4.11-4.12 address § 164.310(b) and § 164.310(c) of the HIPAA Standard. Both sections cover workstations and how to implement policies and procedures for proper use and security of each employee workstation. Detailed lists of tasks to carry out in order to achieve proper use and security are provided. These lists contain so much information that it is best to read from the document directly.

§ 4.13 corresponds to § 164.310(d)(1) of the HIPAA Standard. The goal of this section is to provide detailed steps for implementing policies and procedures for the safe receipt and removal of hardware and electronic media containing electronic protected health information into and out of a facility. This goal is accomplished through an elaborate activities chart describing the process by which an organization may implement appropriate policies and procedures. Due to the high volume of information, it is best to read this section directly.

Systems security checklist guidance

The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings § 1.11 states that if the server can be physically accessed, many security precautions can be overridden. The server should be located where the keyboard, mouse, and ports cannot be accessed without proper authorization.

Apple's Mac OS X Security Configuration For Version 10.4 or Later Second Edition Pg 31, 82 states that physical access to the computer should be protected. Only personnel who need access to the computer should be admitted to the room. If the computer is located in an open area, it should be bolted to a wall or heavy furniture, or locked in a secure container when not in use. Printers should be placed in a secure location to prevent printed data from being read by unauthorized users.

The DISA Windows Server 2003 Security Checklist Version 6 § 3.1 states that physical access to the computer should be protected. Servers should be in either locked cabinets or rooms only accessible by authorized personnel. If workstations contain sensitive data, they should be located in an access-controlled area.

The DISA Windows XP Security Checklist Version 6 § 3.1 states that all equipment and ancillary devices should be protected. Servers should be located in locked cabinets or rooms where only authorized personnel are permitted. If workstations contain sensitive information, they should be located in a controlled-access area.

The DISA Windows VISTA Security Checklist Version 6 § 3.1 (1.001) states that all equipment and ancillary devices should be protected. Servers should be located in locked cabinets or rooms where only authorized personnel are permitted. If workstations contain sensitive information, they should be located in a controlled-access area.

International Standards Organization Guidance

ISO 17799 calls for a "clear desk and clear screen policy."

The ISO/IEC 27002-2005 Code of practice for information security management § 11.3.3 states that a policy should be developed for clearing information from desks and computer screens when the user is not present. This reduces the risk of unauthorized access and the loss of or damage to information.

The ISO 27001:2005 Information Security Management Systems - Requirements § A.11.3.3 states that a policy should be enforced to ensure that all personnel keep their desks cleared when they are not using them. Their computer screens should be cleared before they leave their desks so that unauthorized personnel cannot view the information.

The ISO 17799:2005 Code of Practice for Information Security Management § 11.3.3 states that a policy should be developed for clearing information from desks and computer screens when the user is not present. This reduces the risk of unauthorized access and the loss of or damage to information.

Asia and Pacific Rim Guidance

The Australian Government ICT Security Manual (ACSI 33) § 3.1.7, 3.1.17, 3.1.34, 3.10.50 states that measures should be implemented to ensure equipment is protected from theft, damage, and unauthorized access. Servers and communications equipment should be separated from general user areas by a clearly defined perimeter.

Metrics

The metrics associated with this control are as follows:

• Metric Reporting Standard 02067.doc