Control the delivery of assets through physical entry points and physical exit points.

CONTROL ID: 01441
CONTROL TYPE: Physical and Environmental Protection
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Protect distributed assets against theft. (CC ID: 06799)

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • F16: The organization should designate only one entrance and install access control and security equipment there to prevent unauthorized persons from entering and suspicious items from entering or exiting the building. O12.2(6): For the computer center, the organization shall execute physical acces… (F16, O12.2(6), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The site layout should consider the location of the shipping and receiving areas. The shipping and receiving areas should be separated from the rest of the facility, and the material that is being sent and received should be physically separated from each other. (Pg 19-I-14, Protection of Assets Manual, ASIS International)
  • Incoming and outgoing materials should be inspected for potential hazards and security incidents. Holding areas should be provided to load, unload, and inspect organizational computers and related equipment. Procedures and policies should be developed to govern the movement of the organizational equ… (§ 6.4.13, § 6.5.3, § 6.5.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Delivery and loading areas should be protected. If possible, they should be located away from the processing facility to prevent unauthorized access. The following guidelines should be considered when securing delivery and loading areas: Access should be restricted to authorized personnel; delivery … (§ 9.1.6, ISO 27002 Code of practice for information security management, 2005)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Is there a procedure for equipment removal from the data center? (§ F.2.24, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • CSR 2.2.23: The organization must implement security procedures and assign responsibilities for bringing software and hardware into and out of the facility, movement in the facility, and maintaining a record. CSR 2.2.27: The organization must isolate delivery areas from controlled/restricted areas a… (CSR 2.2.23, CSR 2.2.27, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Policies and procedures shall be implemented for receiving and removing hardware and electronic media that contains electronic protected health information and the movement of this hardware and electronic media within the facility. (§ 164.310(d)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. (§ 164.310(d)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The agency shall authorize and control Information System items entering and exiting the physically secure location. (§ 5.9.1.8, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall authorize and control information system-related items entering and exiting the physically secure location. (§ 5.9.1.8 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall authorize and control information system-related items entering and exiting the physically secure location. (§ 5.9.1.8 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • All cards disbursed from the storage area should be under accountability controls and delivered only to the mail room or be destroyed. (Pg 40, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization authorizes, monitors, and controls [FedRAMP Assignment: all information system components] entering and exiting the facility and maintains records of those items. (PE-16 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization authorizes, monitors, and controls [FedRAMP Assignment: all information system components] entering and exiting the facility and maintains records of those items. (PE-16 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization authorizes, monitors, and controls [FedRAMP Assignment: all information system components] entering and exiting the facility and maintains records of those items. (PE-16 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Authorize and control [FedRAMP Assignment: all information system components] entering and exiting the facility; and (PE-16a., FedRAMP Security Controls High Baseline, Version 5)
  • Authorize and control [FedRAMP Assignment: all information system components] entering and exiting the facility; and (PE-16a., FedRAMP Security Controls Low Baseline, Version 5)
  • Authorize and control [FedRAMP Assignment: all information system components] entering and exiting the facility; and (PE-16a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • System-related items in any way used for information technology systems that contain Federal Tax Information (FTI) and their entrance and exit must be authorized and controlled by the organization. Appropriate records of the items must be maintained. (§ 4.3.2, Exhibit 4 PE-16, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and (PE-16a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and (PE-16a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and (PE-16a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and (PE-16a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and (PE-16a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporti… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure all hardware, software, and firmware entering and exiting the facility is controlled, a log is maintained of all material entering and exiting the facility, and specific responsibilities and actions are defined for the implementation … (PE-16, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must authorize, monitor, and control the smart grid Information System components that enter and exit the facility and maintain a record of each item. (SG.PE-10 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must authorize, monitor, and control organization-defined components that enter and exit the facility and maintain a record of those items. (App F § PE-16, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization performs security checks {organizationally documented frequency} at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. (PE-3(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization authorizes, monitors, and controls {organizationally documented types of information system components} entering and exiting the facility and maintains records of those items. (PE-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization authorizes, monitors, and controls {organizationally documented types of information system components} entering and exiting the facility and maintains records of those items. (PE-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes, monitors, and controls {organizationally documented types of information system components} entering and exiting the facility and maintains records of those items. (PE-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes, monitors, and controls {organizationally documented types of information system components} entering and exiting the facility and maintains records of those items. (PE-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems]. (SC-37 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and (PE-16a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels]. (SC-37 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and (PE-16a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels]. (SC-37 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems]. (SC-37 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization authorizes, monitors, and controls [TX-RAMP Assignment: all information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, TX-RAMP Security Controls Baseline Level 1)
  • The organization authorizes, monitors, and controls [TX-RAMP Assignment: all information system components] entering and exiting the facility and maintains records of those items. (PE-16 Control, TX-RAMP Security Controls Baseline Level 2)