Control physical access to LAN cabling.

UCF ID: 00723
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 8.2; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-313, § 5-314.d; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 2.1.5; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.17.2; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.10.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-4; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-4; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.9.2.3; Australian Government ICT Security Manual (ACSI 33), § 3.1.25, § 3.8.7, § 3.8.14, § 3.8.27; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(7)

Banking and Finance Guidance

[Exam Tier I Obj 8.2, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

Transmission lines located outside closed areas that carry access authorization, verification, or personal identification data must meet or exceed the Grade A requirements specified by Underwriters Laboratories. Electrical gear and wiring must be accessible only from inside classified areas. If the wiring or gear is located outside a classified area, it must be secured in a protective covering. [§ 5-313, § 5-314.d, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

[§ 2.1.5, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]

Calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

US Internal Revenue Guidance

Precautions should be taken to ensure the cables transmitting information are protected from unauthorized access. [§ 5.6.17.2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

[§ 3.10.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

The organization must establish and maintain access control for transmission medium policies and procedures to control physical access to system transmission and distribution lines within the facility. [App F § PE-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records and documents and the facility should be examined to ensure that distribution and transmission lines are protected from accidental damage, eavesdropping, disruption, and physical tampering; that physical access to the lines is controlled; and that specific responsibilities and actions are defined for the implementation of the transmission medium control. Any problems discovered during the implementation process of the transmission medium control should be documented and used to improve the controls.
Interviews should be conducted with personnel who control the location and physical protection of distribution and transmission lines.
[PE-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

All cables that carry sensitive information should be protected against interception and damage. [Annex A.9.2.3, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
7. Cabling
Power and communication cabling carrying data or supporting IT services should be protected from interception, damage and overloading. Cabling should be physically protected against accidental or deliberate damage, and selected and laid appropriately for its purpose; planning should take into account future developments. Cables should be protected against wiretapping.
[¶ 8.1.7(7), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

Asia and Pacific Rim Guidance

All patch panels, cable distribution panels, and wiring enclosures should be located in locked spaces to prevent casual access by general users. If cabling is located in public areas, it should be labeled so as not to attract attention. All cabling should be installed according to the applicable standards. Classified cabling should be located in a separate cabling distribution system from the unclassified cabling. [§ 3.1.25, § 3.8.7, § 3.8.14, § 3.8.27, Australian Government ICT Security Manual (ACSI 33)]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.