Physical LAN cabling access

Status: Live

The organization will restrict physical access to publicly accessible network jacks, wireless access points, routers, gateways, firewalls, and handheld devices. [UCF ID 00723]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 8.2; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-313, § 5-314.d; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 2.1.5; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.17.2; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.10.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-4; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-4; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.9.2.3; Australian Government ICT Security Manual (ACSI 33), § 3.1.25, § 3.8.7, § 3.8.14, § 3.8.27; Archer Control Table, ATCS-099, ATCS-503

Banking and Finance Guidance

[Exam Tier I Obj 8.2, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

Transmission lines located outside closed areas that carry access authorization, verification, or personal identification data must meet or exceed the Grade A requirements specified by Underwriters Laboratories. Electrical gear and wiring must be accessible only from inside classified areas. If the wiring or gear is located outside a classified area, it must be secured in a protective covering. [§ 5-313, § 5-314.d, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

[§ 2.1.5, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]

Calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

US Internal Revenue Guidance

Precautions should be taken to ensure the cables transmitting information are protected from unauthorized access. [§ 5.6.17.2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

[§ 3.10.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

The organization needs to control physical access to information system transmission lines carrying unencrypted information to prevent eavesdropping, in-transit modification, disruption, or physical tampering. Physical protections applied to information system distribution and transmission lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in-transit modification of unencrypted transmissions. Protective measures to control physical access to information system distribution and transmission lines include: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. [PE-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records and documents and the facility should be examined to ensure that distribution and transmission lines are protected from accidental damage, eavesdropping, disruption, and physical tampering; that physical access to the lines is controlled; and that specific responsibilities and actions are defined for the implementation of the transmission medium control. Any problems discovered during the implementation process of the transmission medium control should be documented and used to improve the controls.
Interviews should be conducted with personnel who control the location and physical protection of distribution and transmission lines.
[PE-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

All cables that carry sensitive information should be protected against interception and damage. [Annex A.9.2.3, ISO 27001:2005, Information Security Management Systems - Requirements]

Asia and Pacific Rim Guidance

All patch panels, cable distribution panels, and wiring enclosures should be located in locked spaces to prevent casual access by general users. If cabling is located in public areas, it should be labeled so as not to attract attention. All cabling should be installed according to the applicable standards. Classified cabling should be located in a cabling distribution system separate from the unclassified cabling. [§ 3.1.25, § 3.8.7, § 3.8.14, § 3.8.27, Australian Government ICT Security Manual (ACSI 33)]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.