Establish, implement, and maintain a facility physical security program.


CONTROL ID: 00711
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a physical security program., CC ID: 11757

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain opening procedures for businesses., CC ID: 16671
  • Establish, implement, and maintain closing procedures for businesses., CC ID: 16670
  • Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data., CC ID: 12050
  • Protect the facility from crime., CC ID: 06347
  • Include identification cards or badges in the physical security program., CC ID: 14818
  • Protect facilities from eavesdropping., CC ID: 02222
  • Create security zones in facilities, as necessary., CC ID: 16295
  • Establish clear zones around any sensitive facilities., CC ID: 02214
  • Establish, implement, and maintain floor plans., CC ID: 16419
  • Post and maintain security signage for all facilities., CC ID: 02201
  • Inspect items brought into the facility., CC ID: 06341
  • Maintain all physical security systems., CC ID: 02206
  • Maintain all security alarm systems., CC ID: 11669
  • Identify and document physical access controls for all physical entry points., CC ID: 01637
  • Establish a security room, if necessary., CC ID: 00738
  • Implement physical security standards for mainframe rooms or data centers., CC ID: 00749
  • Establish, implement, and maintain vault physical security standards., CC ID: 02203
  • Establish, implement, and maintain a guideline for working in a secure area., CC ID: 04538
  • Establish, implement, and maintain emergency re-entry procedures., CC ID: 11672
  • Establish, implement, and maintain emergency exit procedures., CC ID: 01252
  • Establish, implement, and maintain a camera operating policy., CC ID: 15456
  • Monitor for unauthorized physical access at physical entry points and physical exit points., CC ID: 01638
  • Build and maintain fencing, as necessary., CC ID: 02235
  • Implement security measures for all interior spaces that allow for any payment transactions., CC ID: 06352
  • Physically segregate business areas in accordance with organizational standards., CC ID: 16718
  • Employ security guards to provide physical security, as necessary., CC ID: 06653
  • Establish, implement, and maintain a facility wall standard., CC ID: 06692
  • Refrain from search and seizure inside organizational facilities absent a warrant., CC ID: 09980


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A licensed or registered person should establish physical security policies and procedures to protect critical system components (eg, system servers and network devices) in a secure environment and to prevent unauthorised physical access to the facilities hosting the internet trading system as well … (2.7. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • Access in and out of facilities and machine rooms must be controlled to protect confidentiality and prevent fraud. This is an IT general control. (App 2-1 Item Number IV.10(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • F19: The organization shall install entrance doors to the facility that have sufficient strength and locks to prevent crime and disasters. F28: The organization shall install doors with sufficient strength at the entrance of the computer and data storage rooms and add locks to prevent crime and disa… (F19, F28, F28.2, F88, F88.1, F90, F115, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In order to operate automated equipment smoothly, such as terminal devices and CDs/ATMs, it is necessary to establish a method through which to manage disaster/crime prevention facilities such as power supply facilities, various sensors, and cameras. (P53.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Security measures for an in-store branch must be appropriate for the condition of facilities in the store and the staffing structure of the in-store branch. (P125.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In cases when the computer center is located in a shared building, in order to ensure the security control, it is necessary to give equivalent consideration to the facility and operational aspects as in the case of a building dedicated to computer system-related operations. (F8.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • During the period of unattended operation, the emergency call systems should be installed to allow communications with control centers or other responsible sections. (F112.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is recommended to install the emergency call systems also in machinery rooms (maintenance and cash loading rooms). The emergency call systems should be installed in a conspicuous place for maintenance personnel and identified with a sign showing emergency call unit. (F112.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Image collection and personal identification equipment in public places shall be installed only when it is necessary for the purpose of maintaining public security, and shall be installed in compliance with the relevant provisions of the state and with prominent reminders. The personal images and id… (Article 26, Personal Information Protection Law of the People's Republic of China)
  • Human resources and physical facilities required for carrying on the business; (Article 53(1)(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • The FI should ensure that the perimeter of the DC, DC building, facility, and equipment room are physically secured and monitored. The FI should employ physical, human and procedural controls such as the use of security guards, card access systems, mantraps and bollards where appropriate. (§ 10.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system. (Security Control: 0810; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Systems are secured in facilities that meet the requirements for a security zone suitable for their sensitivity or classification. (Control: ISM-0810; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states. (Control: ISM-0813; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states. (Control: ISM-0813; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Systems are secured in facilities that meet the requirements for a security zone suitable for their classification. (Control: ISM-0810; Revision: 6, Australian Government Information Security Manual, September 2023)
  • The information security policy should include physical security. (Control: 0890 Bullet 6, Australian Government Information Security Manual: Controls)
  • the security of systems and facilities; (Art. 16.1 (a), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (Article 21 2., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Document the room in a secure facility and create a list of all properties, buildings, and rooms when documenting the IT systems. (4.2.5 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Derive the protection needs of the rooms from the protection needs of the business processes, applications and IT systems, ICS and other devices (§ 8.2.7 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Consider dependencies, the maximum principle and, if necessary, the cumulative effect (§ 8.2.7 Subsection 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The protection requirements for the relevant properties and/or rooms should be derived from the results of defining the protection needs of the business processes and applications as well as of the IT systems, ICS and other devices. These protection needs are derived from the protection needs of… (§ 8.2.7 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In addition, checks must be made as to whether information that requires protection is stored in other rooms. Then these rooms must also be recorded. Here, also the rooms where non-electronic information requiring protection is stored, e.g. document files or microfilms, must be acquired. The type of… (§ 8.1.8 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The perimeter of premises or buildings which house sensitive or critical information, information systems or other network infrastructure are protected in a physically solid manner and by means of appropriate security safeguards that conform to the current state of the art. (Section 5.5 PS-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Structural safeguards: (Section 5.5 PS-03 Basic requirement ¶ 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Physical conditions (e.g. premises / buildings / spaces) are taken into account in the definition of security zones, (3.1.1 Requirements (must) Bullet 1 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • Data about genetic identity must be processed only in protected premises that may be accessed only by persons in charge of processing and entities that have been specifically authorized to access them. (Annex B.24, Italy Personal Data Protection Code)
  • The security officer must refer to this framework when developing counter-terrorist policies and plans, but needs to ensure that facilities (existing and new construction) are suitably robust and has an appropriate degree of protection against attack and hostile interest. (Security Policy No. 6 ¶ 12.a, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must use a layered approach to physical security. (Mandatory Requirement 50, HMG Security Policy Framework, Version 6.0 May 2011)
  • (§ 4.3.2, OGC ITIL: Security Management)
  • The entity restricts physical access to facilities and protected information assets (e.g., data center facilities, back-up media storage and other sensitive locations) to authorized personnel to meet the entity's objectives. (S7.2, Privacy Management Framework, Updated March 1, 2020)
  • Do the security policies restrict physical access to networked systems facilities? (Table Row II.54, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is the facility securely locked at all times? (Table Row II.58, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Interview personnel and examine documentation to verify the security policies and operational procedures for restricting physical access to cardholder data are documented. (Testing Procedures § 9.10 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify the security policies and operational procedures for restricting physical access to cardholder data are implemented. (Testing Procedures § 9.10 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Security policies and operating procedures for restricting physical access to cardholder data must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 9.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Are security policies and operational procedures for restricting physical access to cardholder data documented, in use, and known to all affected parties? (PCI DSS Question 9.10, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are security policies and operational procedures for restricting physical access to cardholder data documented, in use, and known to all affected parties? (PCI DSS Question 9.10, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are security policies and operational procedures for restricting physical access to cardholder data documented, in use, and known to all affected parties? (PCI DSS Question 9.10, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • An effective physical protection plan should include a series of barriers, not just a single barrier. Each barrier should be designed to delay entry as long as possible and should have a method to notify the organization when a penetration has occurred. The building's surfaces should be evaluated fo… (Pg 3-I-2, Pg 3-I-6, Pg 11-II-9, Pg 11-II-16, Pg 19-I-14, Pg 23-VI-9, Pg 36-I-3, Protection of Assets Manual, ASIS International)
  • There should be documented standards / procedures for the physical protection of critical facilities (including locations that house Information Systems, such as data centres, networks, telecommunication equipment, sensitive physical material, and other important assets) inside the organization. (CF.19.01.01, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover restricting access to critical facilities that support or enable the organization's critical infrastructure. (CF.19.01.02c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for the physical protection of critical facilities (including locations that house Information Systems, such as data centres, networks, telecommunication equipment, sensitive physical material, and other important assets) inside the organization. (CF.19.01.01, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover restricting access to critical facilities that support or enable the organization's critical infrastructure. (CF.19.01.02c, The Standard of Good Practice for Information Security, 2013)
  • Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas. (DCS-07, Cloud Controls Matrix, v4.0)
  • ¶ 8.1.7(1)(5) Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the build… (¶ 8.1.7(1)(5), ¶ 10.2.9, ¶ 10.4.19, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The building should provide fire protection, a suitable range and stability of temperature and humidity levels, safety measures, water damage protection, contaminant protection, controlled access to storage areas, protection against damage by insects or vermin, and detection systems for unauthorized… (§ 4.3.7.2 ¶ 1(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The service provider should establish a way to segregate and identify personnel located at the recovery facilities from accessing the ICT systems and information without a need by placing restrictions on the physical access to facilities that house ICT systems and work areas that are being used by s… (§ 5.7.3, § 6.3.1, § 6.4.3.1, § 6.4.3.2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Physical security for offices, rooms and facilities shall be designed and applied. (A.11.1.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • A security perimeter should be used to protect areas containing information processing facilities. The strength of the perimeter depends on the classification of the information being protected. (§ 9.1.1, ISO 27002 Code of practice for information security management, 2005)
  • workplace locations and surroundings; (§ 8.1.3 ¶ 1 a) Bullet 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Physical security for offices, rooms and facilities should be designed and applied. (§ 11.1.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Security perimeters should be defined and used to protect areas that contain information and other associated assets. (§ 7.1 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Physical security for offices, rooms and facilities should be designed and implemented. (§ 7.3 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Select the controls for the system and the environment of operation. (TASK S-1, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Allocate security and privacy controls to the system and to the environment of operation. (TASK S-3, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The organization should implement procedures to restrict physical access to personal information. (ID 8.2.3, AICPA/CICA Privacy Framework)
  • Procedures exist to restrict physical access to the system, including backup media, facilities, and other system components. (Security Prin. and Criteria Table § 3.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict physical access to the system, including backup media, facilities, and other system components. (Availability Prin. and Criteria Table § 3.6, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict physical access to the system, including backup media, facilities, and other system components. (Processing Integrity Prin. and Criteria Table § 3.7, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict physical access to the system, including backup media, facilities, and other system components. (Confidentiality Prin. and Criteria Table § 3.9, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (Section 4.D ¶ 1(2)(b), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Senior Officials of the Intelligence Community (SOICs) shall implement Technical Surveillance Countermeasure programs for facilities. (§ D.1, Intelligence Community Directive Number 702, Technical Surveillance Countermeasures)
  • Facilities that house information systems may be designated as restricted areas. Facilities designated as restricted areas must have all entrances protected by a minimum of 2 independent barriers or security systems, such as a second access door or a chain-link fence outside the facility that can be… (§ 2-10.c thru § 2-10.e, § 2-12.e, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • Public access to the roof should be restricted to authorized personnel. Access should be controlled by keyed locks, keycards, or another similar measure. (Pg 12, Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002)
  • § 4.2.1: To qualify as a restricted area, CMS business partners must implement the following procedures: prominently posted signs; separated from non-restricted areas by physical barriers; a minimum number of entrances; control main entrance access with a responsible person; maintain a register; an… (§ 4.2.1, § 4.2.3, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 1.8.6: The organization must verify that adequate physical security controls have been implemented and that they are commensurate with the risks and possible magnitude of physical damage and the risks and possible consequences of unauthorized access. CSR 2.2.6: The organization must design the s… (CSR 1.8.6, CSR 2.2.6, CSR 2.2.10, CSR 2.12.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Departments and agencies which plan, implement, and manage Technical Surveillance Countermeasure programs shall provide Technical Surveillance Countermeasure support that is appropriate for the facility. (§ 149.2(a)(1), 32 CFR Part 149, Policy of Technical Surveillance Countermeasures)
  • The airport operator must post warning signs on access points and perimeters to secured areas. (§ 1542.203, 49 CFR Part 1542, Airport Security)
  • The security manager must ensure windows, doors, fire escapes, loading docks, sewer access, garage entrances, garage exits, roof access, and balconies are appropriately secured. (§ 3.5.8 ¶ 2, DISA Access Control STIG, Version 2, Release 3)
  • Protect and monitor the physical facility and support infrastructure for organizational systems. (PE.2.135, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Protect and monitor the physical facility and support infrastructure for organizational systems. (PE.2.135, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Protect and monitor the physical facility and support infrastructure for organizational systems. (PE.2.135, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Protect and monitor the physical facility and support infrastructure for organizational systems. (PE.2.135, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Protect and monitor the physical facility and support infrastructure for organizational systems. (PE.L2-3.10.2 Monitor Facility, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Impact Level 6: DoD data on-premises processing facilities that support cloud services infrastructure and classified service offerings will be housed in facilities (designated as a secure room) designed, built, and approved for open storage commensurate with the highest classification level of the i… (Section 5.6.1 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Level 2: CSP data processing facilities supporting Level 2 information will meet the physical security requirements defined in the FedRAMP Moderate baseline. (Section 5.6.1 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Levels 4 and 5: CSP data processing facilities supporting Level 4 and 5 CSOs/information will meet the physical security requirements defined in the FedRAMP Moderate baseline as well as any FedRAMP+ C/CEs related to physical security. (Section 5.6.1 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • DoD components shall implement adequate security controls over any area that requires protection. (§ 5.1.1, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • The organization must implement workplace security requirements for the proper handling and storage of information, such as unannounced security checks, end-of-day security checks, and two-person rule inside the computing facility. (PESP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must have a facility penetration testing process that includes periodic, unannounced attempts to penetrate the computing facilities. (PEPS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Contractors must ensure the closed area between raised floors and false ceilings are structurally secure. (§ 5-306, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Policies and procedures shall be implemented for limiting physical access to the facility or facilities that house electronic information systems and to ensure only properly authorized personnel are allowed access. (§ 164.310(a)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Policies and procedures shall be implemented for safeguarding the equipment and the facility from unauthorized tampering, access, and theft. The covered entity shall assess these policies and procedures to determine if it is a reasonable and appropriate safeguard in the environment and, if it is rea… (§ 164.310(a)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. (§ 164.310(a)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Facilities covered by the Chemical Facility Anti-Terrorism Standards (CFATS) must secure and monitor the facilities' perimeter and restricted areas within the facility. Attacks on the facility must be deterred using visible and professional security measures and systems and that must detect attacks … (§ 27.230(a)(1), § 27.230(a)(4)(ii), § 27.230(a)(4)(iii), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • The areas around the cargo handling and storage facilities should be enclosed by a perimeter fence. The fencing must be inspected regularly. Private vehicles should be prohibited from parking near storage and cargo handling areas. Buildings must be inspected regularly to ensure their integrity, and … (Fencing, Parking, Building Structure, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria)
  • The transit facility should have a perimeter barrier that is under continuous surveillance. If the perimeter barrier is a chain link fence, it should be #11 gauge or heavier, have mesh openings no more than 2-inches square, have barbed wire, and have the bottom extended into the ground. If the perim… (Perimeter Barriers, DOT Physical Security Survey Checklist)
  • Physical security facilities - the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 3 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Management should develop and implement operational controls to safeguard the entity's operational environment. These controls should be designed to protect the overall environment, including the physical facilities, infrastructure supporting the entity's operations, systems and software, and person… (VI.A Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Appropriate security and environmental controls within the entity's infrastructure, including: (App A Objective 14:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should use locked doors, guards, motion detectors, and other controls to restrict physical access to the facility. (Pg C-1, Exam Tier I Obj 10.7 (Testing Strategies), Exam Tier II Obj 1.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The facility should have limited windows and access points; adequate lighting around the perimeter; perimeter video surveillance and alarms, if necessary; and trained guards, if necessary. (Pg 21, Exam Tier II Obj E.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Building security. (App A Tier 2 Objectives and Procedures N.7 Bullet 1 Sub-Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether management periodically reviews individual sites providing retail EFT/POS and bankcard services to ensure policies, procedures, security measures, and equipment maintenance requirements are appropriate. (App A Tier 2 Objectives and Procedures A.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the adequacy of security devices and access control procedures for EFT/POS, bankcard, and acquiring processing facilities to ensure appropriate physical and logical access controls are in place. (Exam Tier II Obj 7.10, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Obtain, review, and test the policies and procedures regarding the physical security of the funds transfer department. Determine if: ▪ Management restricts access to the funds transfer area to authorized personnel. Identify and assess the physical controls (e.g., locked doors, sign-in sheets, term… (Exam Tier II Obj 9.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy; (§ 314.4 ¶ 1(c)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • (AC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Buildings, rooms, facilities, and containers that contain sensitive or vulnerable information should be locked when not in use. (§ 4.3.9, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Physical security measures must be implemented to detect and prevent technical penetration attempts. (§ 5.a, Marine Corps Order 5511.11D; Technical Surveillance Countermeasures (TSCM) Program)
  • Appropriate security measures and controls must be provided to reduce the technical penetration vulnerabilities. (§ 12.b, Marine Corps Order 5511.11D; Technical Surveillance Countermeasures (TSCM) Program)
  • Has the Credit Union implemented physical access controls to the equipment and facilities that house data files and archives of sensitive member information? (IT - 748 Compliance Q 6b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include physical access controls for the data center? (IT - Policy Checklist Q 3, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has management included physical security in the overall security policy? (IT - Security Program Q 15, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish and maintain policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. (§ 4.10.3 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Audit facilities to identify shortfalls and vulnerabilities of the current physical security capabilities. (§ 4.10.1 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; (PM-10a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; (PM-10a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; (PM-10a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provid… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Physical access to assets is managed and protected (PR.AC-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Physical access to assets is managed and protected (PR.AC-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Physical access to assets is managed and protected. (PR.AC-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The physical environment is monitored to detect potential cybersecurity events. (DE.CM-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • (§ 3.10.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents and the facility should be examined to ensure all entry and exit points are controlled; access authorization is verified prior to being granted access; publicly available areas are controlled according to the risk assessment; physical access devices are functionin… (PE-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes; (PM-10a., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Protection of Physical Locations. Classic physical security considerations typically refer to a ringed architecture of layered security measures. Creating several physical barriers, both active and passive, around buildings, facilities, rooms, equipment, or other informational assets, establishes th… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 4 Bullet 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The physical protection of the cyber components and data associated with the ICS must be addressed as part of the overall security of a plant. Security at many ICS facilities is closely tied to plant safety. A primary goal is to keep people out of hazardous situations without preventing them from do… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Access Limiting Systems. Access limiting systems may employ a combination of devices to physically control or prevent access to protected resources. Access limiting systems include both active and passive security devices such as fences, doors, safes, gates, and guards. They are often coupled with i… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 4 Bullet 2 ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Providing physical security for the control center/control room is essential to reduce the potential of many threats. Control centers/control rooms frequently have consoles continuously logged onto the primary control server, where speed of response and continual view of the plant is of utmost impor… (§ 6.2.11.1 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must develop and implement a physical and environmental security policy. (SG.PE-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The physical and environmental security policy must include the objectives, roles, and responsibilities of the program. (SG.PE-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The physical and environmental security policy must include the scope of the program. (SG.PE-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Protect and monitor the physical facility and support infrastructure for those information systems. (3.10.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Protect and monitor the physical facility and support infrastructure for organizational systems. (3.10.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Protect and monitor the physical facility and support infrastructure for organizational systems. (3.10.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should enforce physical access authorizations to the Information System independently to the facility access controls. (App F § PE-3(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must consider the Industrial Control System safety and security interdependencies when determining physical access control measures. (App I § PE-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use physical access controls and defense-in-depth measures to supplement the Industrial Control System security when electronic mechanisms cannot fulfill the security requirements of the security plan. (App I § PE-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PE-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at {organizationally documented physical spaces containing one or more components of the information system}. (PE-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PE-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at {organizationally documented physical spaces containing one or more components of the information system}. (PE-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PE-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PE-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes; (PM-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; (PM-10a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; (PM-10a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Bank information system security controls should include clearly defined security measures with measurable performance standards. Responsible personnel should be assigned to ensure a comprehensive security program. Bank management should take necessary steps to protect mission-critical systems from … (¶ 34, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • The physical security needs of the facility must be used to determine where law enforcement officials are deployed. (§ 106(a), Aviation and Transportation Security Act, Public Law 107-71, November 2001)
  • Install and maintain gates of an equivalent quality to the barrier to which they are attached. (Table 1: Gates Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • Provide sufficient illumination for human or technological recognition of intrusion into the facility perimeter or critical areas. (Table 1: Facility Lighting Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • Implement appropriate threat level protective measures upon receipt of a pertinent National Terrorism Advisory System (NTAS) Bulletin or Alert; and (2 ¶ 1 Bullet 7, Pipeline Security Guidelines)
  • Create a security perimeter that impedes unauthorized vehicles from entering the facility perimeter or critical areas by installing and maintaining barriers (e.g., fences, bollards, jersey barriers, or equivalent.) (Table 1: Fencing/Barriers Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • Provide critical facilities or critical areas within a facility with security measures to monitor, detect, and assess unauthorized access 24 hours a day, 7 days a week. (Table 1: Intrusion Detection & Monitoring Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • Conduct or participate in an annual security drill or exercise. Multiple facilities may participate in a common drill or exercise. (Table 1: Drills and Exercises Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • Operators should develop and implement a security plan customized to the needs of the company. The corporate security plan should be comprehensive in scope, systematic in its development, and risk-based reflecting the security environment. At a minimum, the plan should: (3.1 ¶ 1, Pipeline Security Guidelines)
  • The physical security needs of the facility will be used to decide where to deploy law enforcement officials. The Under Secretary of Transportation for Security must develop guidelines to achieve maximum security for the design and construction of new airports. (§ 44903(h)(2), § 44914, TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • All hangar and personnel doors should be locked when unattended. Hangars should have security signs and not have keys that are easily copied or obtained. The keys should be rekeyed whenever a new tenant takes over the hangar. (§ 3.3.1, Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004, Version 1.0)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the risk strategy of the licensee. (Section 27-62-4(d)(2) b., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Identification and management of the data, personnel, devices, systems and facilities that enable such licensee to achieve such licensee's business purposes in accordance with their relative importance to such licensee's business objectives and risk strategy; (Part VI(c)(4)(B)(ii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§ 8604.(d)(2) b., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with their relative importance to business objectives and the licensee's risk strategy; (§431:3B-203(2)(B), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Identifying and managing the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. (Sec. 18.(2)(B), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities' relative importance to the licensee's business objectives and risk strategy. (507F.4 4.b.(2), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§2504.D.(2)(b), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems and facilities that enable the licensee to achieve its business purposes in accordance with their relative importance to business objectives and the licensee's risk management strategy; (§2264 4.B.(2), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Identifying and managing the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (Sec. 555.(4)(b)(ii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (§ 60A.9851 Subdivision 4(2)(ii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Identify and manage the data, personnel, devices, systems and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization’s risk strategy; (§ 83-5-807 (4)(b)(ii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§ 420-P:4 IV.(b)(2), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with the business' relative importance to business objectives and the organization's risk strategy; (26.1-02.2-03. 4.b.(2), North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (Section 3965.02 (D)(2)(b), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • identifying and managing the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (SECTION 38-99-20. (D)(2)(b), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve the licensee's business objectives in accordance with the relative importance of the data, personnel, devices, systems, and facilities to the licensee's business objectives and risk strategy… (§ 56-2-1004 (4)(B)(ii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes, taking into consideration the relative importance of the data, personnel, devices, systems, and facilities to the business objectives and risk strategy of the licensee… (§ 601.952(3)(b)2., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)