Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls.


CONTROL ID
00722
CONTROL TYPE
Physical and Environmental Protection
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets., CC ID: 00718

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • segregation of delivery and common areas from security sensitive areas should be enforced. (§ 8.5.6(f), Technology Risk Management Guidelines, January 2021)
  • Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area. (Security Control: 0506; Revision: 3, Australian Government Information Security Manual, March 2021)
  • An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat. (Security Control: 0594; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Cryptographic system material should be kept in an area that is separate from other areas and is designated as a cryptographic controlled area. (Control: 0506, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony traffic and video conferencing traffic should be physically or logically separated from other data traffic on unclassified systems. (Control: 0549, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony traffic and video conferencing traffic must be physically or logically separated from other data traffic on classified systems. (Control: 0550, Australian Government Information Security Manual: Controls)
  • Then, applications having the same protection needs should be operated on a virtualisation cluster correspondingly provided for this. The individual areas should be physically separated from each other and it should be ensured that virtual machines cannot be moved across areas. (§ 8.2.4 Subsection 3 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In the case of IaaS/PaaS, the secure separation is ensured by physically separated networks or by means of strongly encrypted VLANs. (Section 5.9 KOS-05 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • App 2 ¶ 18: The organization must ensure tokens, password(s), or touch memory devices that are associated with the encryption package are kept separate from the machine when it is left unattended, not in use, or in transit. This is applicable to UK contractors. App 6 ¶ 19: The organization must en… (App 2 ¶ 18, App 6 ¶ 19, The Contractual process, Version 5.0 October 2010)
  • § 2.2 (2.2.080) If possible, WLAN devices should not be allowed to be used within close proximity of highly sensitive data, because signals may radiate further than expected or may be picked up by other devices that were not intended to process sensitive data. § 2.2 (2.2.100) RF and IR signals sh… (§ 2.2 (2.2.080), § 2.2 (2.2.100), The Center for Internet Security Wireless Networking Benchmark, 1)
  • The control system shall provide the capability to physically segment control system networks from non-control system networks and to physically segment critical control system networks from non-critical control system networks. (9.3.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • How are systems with high security classifications segregated from systems with low security classifications? (Appendix D, Build and Maintain a Secure Network Bullet 8, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Physically segment unsecured wireless networks from secured networks (4.5.1 C, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance. (BCR-06, Cloud Controls Matrix, v3.0)
  • ¶ 8.1.7(1)(5) Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the build… (¶ 8.1.7(1)(5), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Portable equipment should not be brought into areas that house sensitive facilities, unless they are under the control of authorized service provider and/or organization staff. (§ 6.4.11, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. (A.11.1.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Systems that store sensitive information should have their own dedicated environment. This isolation of the system can be accomplished by physical or logical methods. (§ 11.6.2, ISO 27002 Code of practice for information security management, 2005)
  • Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. (§ 11.1.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Co… (M1030 Network Segmentation, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • For cloud computing services, is data segmentation and separation capability implemented with physical segmentation (a private cloud)? (§ V.1.10.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The organization must keep sensitive information separate from other information to the maximum extent possible. (CSR 2.5.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Wireless devices should not be used in areas that process, store, or transmit classified data electronically, unless these devices have been approved for use by the Designated Approving Authority in consultation with the Certified TEMPEST Technical Authority (CTTA) or the equipment is separated by a… (§ 2 (WIR0225), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • Wireless PEDs should not be used or permitted in areas that process classified data, unless these devices have been approved for use by the Designated Approving Authority (DAA) in consultation with the Certified TEMPEST Technical Authority (CTTA) or the equipment is separated by a predetermined di… (§ 2.1 (WIR0225), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • The IAO will ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless: • Approved by the DAA in consultation with the Certified TEMPEST Technical Authority (CTTA). • The wireless equipment is separated from the clas… (§ 2.1 (WIR0225), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • Wireless PEDs (Personal Electronic Devices) should not be used or permitted in areas that process classified data, unless these devices have been approved for use by the Designated Approving Authority (DAA) in consultation with the Certified TEMPEST Technical Authority (CTTA); or the equipment is se… (§ 2.1 (WIR0225), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • MFDs with copy, scan, or fax capabilities are not allowed on classified networks, unless approved by a Designated Approving Authority (DAA). (MFD07.001, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3)
  • Physical separation from non-DoD/non-Federal Government tenants (i.e., public, local/state government tenants) is required. (Section 5.2.2.3 ¶ 2, Bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Virtual/logical separation between DoD and Federal Government tenants / SECRET missions is sufficient. (Section 5.2.2.4 ¶ 2, Bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • A patient safety organization, regardless of media type, must maintain physical separation of patient safety work product from non-patient safety work product. (§ 3.106(b)(2)(i), 42 CFR Part 3, Patient Safety and Quality Improvements, Final Rule)
  • A physically secure location's perimeter shall be prominently posted and separated from non-secure locations by physical controls. (§ 5.9.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall separate publicly accessible Information System components to a separate subnetwork with separate network interfaces. (§ 5.10.1.1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An agency that uses Voice over Internet Protocol inside a network that contains unencrypted criminal justice information shall use a Virtual Local Area Network to segment the Voice over Internet Protocol traffic from the data traffic. (§ 5.10.1.4 ¶ 2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Internet facing virtual machines shall be physically separate from virtual machines that internally process criminal justice information. (§ 5.10.3.2 ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • If an agency cannot meet all of the controls required for establishing a physically secure location, but has an operational need to access or store CJI, the agency shall designate an area, a room, or a storage container, as a controlled area for the purpose of day-to-day CJI access or storage. The a… (§ 5.9.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • If an agency cannot meet all of the controls required for establishing a physically secure location, but has an operational need to access or store CJI, the agency shall designate an area, a room, or a storage container, as a controlled area for the purpose of day-to-day CJI access or storage. The a… (§ 5.9.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The perimeter of a physically secure location shall be prominently posted and separated from non-secure locations by physical controls. Security perimeters shall be defined, controlled and secured in a manner acceptable to the CSA or SIB. (§ 5.9.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Restricted areas must be identified with signs and must have physical barriers to separate them from non-restricted areas. Federal Tax Information (FTI) must be kept separate from other information, if possible, to avoid inadvertent disclosures. If the FTI cannot be kept separate, the file(s) must b… (§ 4.3.1, § 5.3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • § 4.11.3 Bullet 2: Establish policies and procedures to prevent unauthorized access to unattended workstations. § 4.12.3 Bullet 1: Implement physical safeguards and other security measures to minimize inappropriate access to ePHI through workstations. (§ 4.11.3 Bullet 2, § 4.12.3 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The organization should physically isolate publicly accessible Information Systems to separate sub-networks with dedicated network interfaces. (App F § SC-7(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)