Status: Live
The organization will ensure that it places its routers and other key managed networking devices in either locked cabinets or locked rooms. [UCF ID 01873]
Supporting and supported controls
This control directly supports:
- Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Operations, July 2004, Pg 28; MasterCard Electronic Commerce Security Architecture Best Practices, April 2003, § 3-3, § 3-4, § 3-6, § 3-15; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 9.1.2; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 4-5, § 4-6; Protection of Assets Manual, ASIS International, Pg 15-IV-28; C-TPAT Supply Chain Security Best Practices Catalog, Pg 47; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.17.1; The Standard of Good Practice for Information Security, NW3.4.4(a), NW5.2.4; DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR0072); DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3, § 2.2 (WIR0072); DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.1 (WIR0072); DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2, § 2 (WIR0072); Australian Government ICT Security Manual (ACSI 33), § 3.1.19, § 3.9.48; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.1.2; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, Revision 1, § 6.2, § 6.3.3.1; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-2 Item 12; Archer Control Table, ATCS-103, ATCS-357
Banking and Finance Guidance
Telecommunications closets should be locked and should not be labeled as a telecommunications closet. The physical security of the telecommunications equipment should be the same at the alternate site as it is at the main site. [Pg 28, FFIEC IT Examination Handbook – Operations, July 2004]
Payment Card Guidance
Physically protect and store the router in a secure room.
Physically protect and store the firewall in a secure room.
Physically protect and store the IDS in a secure room.
Physically store and protect the DNS servers in a secure room. [§ 3-3, § 3-4, § 3-6, § 3-15, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003]
The organization must restrict physical access to publicly accessible network jacks.
Observe that network jacks are only activated when needed by authorized employees.
Interview network administrators to ensure they activate network jacks only when needed by authorized employees. [§ 9.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The organization must restrict physical access to publicly accessible network jacks. [§ 9.1.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Federal Security Guidance
Communications circuits must be approved as a protected distribution system (PDS) before it is permissible to transmit classified data over them in clear text. The circuits should be protected by physical, electrical, electromagnetic, or acoustical safeguards. A PDS should be used only if it is controlled and cost-effective. The PDS should be constructed according to HQDA (SAIS-ADS). Additions to the PDS, or changes to its installation or use, should not be made until the changes are approved by the approval authority. [§ 4-5, § 4-6, Army Regulation 380-19: Information Systems Security, February 27, 1998]
All telephone system switching equipment should be maintained in locked rooms that are alarmed. [Pg 15-IV-28, Protection of Assets Manual, ASIS International]
System servers are to be stored in a fireproof locked room where access is restricted and tracked. [Pg 47, C-TPAT Supply Chain Security Best Practices Catalog]
US Internal Revenue Guidance
The organization must ensure all routers and network monitors are located so that unauthorized personnel cannot gain access to them. [§ 5.6.17.1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
WLAN infrastructure equipment, such as APs, should have additional security mechanisms installed to prevent theft, alteration, or misuse. Physical access control mechanisms should be in place to prevent unauthorized users from resetting APs. [§ 6.2, § 6.3.3.1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, Revision 1]
Access points should be located in a physically secure area to prevent tampering. [Table 8-2 Item 12, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]
Other Configuration Guidance
All network devices, such as routers, servers, firewalls, etc., should be located in a secure room with limited access to prevent tampering or theft. [§ 2.2 (WIR0072), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]
All network devices, such as routers, servers, firewalls, etc., should be located in a secure room with limited access to prevent tampering or theft. [§ 2.2 (WIR0072), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3]
All network devices, such as routers, servers, firewalls, etc., should be located in a secure room with limited access to prevent tampering or theft. [§ 2.1 (WIR0072), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]
All network devices, such as routers, servers, firewalls, etc., should be located in a secure room with limited access to prevent tampering or theft.
Examine the locations of all network devices, such as servers, routers, intrusion detection systems, etc., to ensure they are located in secure rooms with limited access.
Have the Network Security Officer (NSO) show the locations of all network devices to the examiner to ensure the devices are located in secure rooms. [§ 2 (WIR0072), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2]
General Guidance
Network access points should be located in locked rooms to prevent unauthorized access. Telephone exchanges and operator consoles should be located in physically secured locations. [NW3.4.4(a), NW5.2.4, The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
All servers, communications equipment, and cryptographic system equipment located in a server room should be stored in locked containers. [§ 3.1.19, § 3.9.48, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of servers in locations with controlled physical access [UCF Control ID 02067]
- Report on the percentage of data transmission facilities (telecom closets/housings) in the organization that have restricted access to authorized users [UCF Control ID 02148]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
