
House network hardware in lockable rooms or lockable equipment cabinets.


CONTROL ID: 01873
CONTROL TYPE: Physical and Environmental Protection
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Restrict physical access to distributed assets. (CC ID: 11865)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • O58: The organization should protect network-related devices from unauthorized use, theft, and destruction. O58.1: The organization should apply device management measures equal to those for server locations to network devices. (O58, O58.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their sensitivity or classification taking into account the combination of security zones they reside in. (Control: ISM-1530; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their classification taking into account the combination of security zones they reside in. (Control: ISM-1530; Revision: 2, Australian Government Information Security Manual, September 2023)
  • The organization must ensure network devices and servers are secured in security rooms or security containers as stated in the Australian Government Physical Security Management Protocol. (Control: 1053, Australian Government Information Security Manual: Controls)
  • The organization must not leave communications rooms, server rooms, security rooms, and security containers in an unsecured state. (Control: 0813, Australian Government Information Security Manual: Controls)
  • The cryptographic equipment should be stored in a room that meets the server room requirements for the classification or sensitivity of the information the cryptographic system processes. (Control: 0505, Australian Government Information Security Manual: Controls)
  • All servers, communications equipment, and cryptographic system equipment located in a server room should be stored in locked containers. (§ 3.1.19, § 3.9.48, Australian Government ICT Security Manual (ACSI 33))
  • If hubs are used, how does the organization ensure that someone cannot plug another device into the hub, and thereby view all of the network's data? (Table Row VII.18, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization place access points in secure areas? (Table Row XIII.16, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Physically protect and store the router in a secure room. Physically protect and store the firewall in a secure room. Physically protect and store the IDS in a secure room. Physically store and protect the DNS servers in a secure room. (§ 3-3, § 3-4, § 3-6, § 3-15, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • Placing servers in a locked room that has restricted access is a typical environmental and physical control. (§ 5.3.4 ¶ 2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • All telephone system switching equipment should be maintained in locked rooms that are alarmed. (Pg 15-IV-28, Protection of Assets Manual, ASIS International)
  • Servers should be subject to standard security management practices, which include restricting physical access to servers to authorized staff (e.g., by locating them in protected data centres or dedicated, locked storage rooms). (CF.07.02.06a, The Standard of Good Practice for Information Security)
  • Network devices should be subject to standard security management practices, which include restricting physical access to network devices to authorized staff (e.g., by locating them in protected data centers or dedicated, locked storage rooms). (CF.09.01.03a, The Standard of Good Practice for Information Security)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by locking inspection / termination points. (CF.09.02.01d, The Standard of Good Practice for Information Security)
  • Network access points should be protected by locating them in secure environments (e.g., locked rooms or cabinets). (CF.09.02.02a, The Standard of Good Practice for Information Security)
  • Network devices should be subject to standard security management practices, which include restricting physical access to network devices to authorized staff (e.g., by locating them in protected data centers or dedicated, locked storage rooms). (CF.09.01.03a, The Standard of Good Practice for Information Security, 2013)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by locking inspection / termination points. (CF.09.02.01d, The Standard of Good Practice for Information Security, 2013)
  • Network access points should be protected by locating them in secure environments (e.g., locked rooms or cabinets). (CF.09.02.02a, The Standard of Good Practice for Information Security, 2013)
  • Servers should be subject to standard security management practices, which include restricting physical access to servers to authorized staff (e.g., by locating them in protected data centres or dedicated, locked storage rooms). (CF.07.02.09a, The Standard of Good Practice for Information Security, 2013)
  • Communications circuits should be approved as a protected distribution system (PDS) in order for it to be permissible to transmit classified data in clear text. The circuits should be protected by physical, electrical, electromagnetic, or acoustical safeguards. A PDS should be used only if it is con… (§ 4-5, § 4-6, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 7.3.5: The organization must secure the workstations and lock the workstation rooms when the workstations are not being used. CSR 10.1.2: The organization must restrict physical access to areas that house network equipment. The organization must restrict access to system transmission lines carry… (CSR 7.3.5, CSR 10.1.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • System servers are to be stored in a fireproof locked room where access is restricted and tracked. (Pg 47, C-TPAT Supply Chain Security Best Practices Catalog)
  • All network devices, such as routers, servers, firewalls, etc., should be located in a secure room with limited access to prevent tampering or theft. Examine the locations of all network devices, such as servers, routers, intrusion detection systems, etc., to ensure they are located in secure rooms … (§ 2 (WIR0072), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • All network devices (i.e., Intrusion Detection System [IDS], routers, servers, Remote Access System [RAS], firewalls, wireless local area network [WLAN] access points, etc.) are located in a secure room with limited access or otherwise secured to prevent tampering or theft. (§ 2.2 (WIR0072), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • The Network Security Officer (NSO) will ensure all network devices (i.e., Intrusion Detection System (IDS), routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.) are located in a secure room with limited access or otherwise secured to prevent tampering or theft. (§ 2.1 (WIR0072), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • All network devices, such as routers, servers, firewalls, etc., should be located in a secure room with limited access or otherwise secured to prevent tampering or theft. (§ 2.1 (WIR0072), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • The agency shall install access points in secured areas. (§ 5.5.7.1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Place APs in secured areas to prevent unauthorized physical access and user manipulation. (§ 5.13.1.1 ¶ 2 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Physically securing it and restricting and monitoring access to it. (App A Objective 13:3l Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Telecommunications closets should be locked and should not be labeled as a telecommunications closet. The physical security of the telecommunications equipment should be the same at the alternate site as it is at the main site. (Pg 28, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization must ensure all routers and network monitors are located so that unauthorized personnel cannot gain access to them. (§ 5.6.17.1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are communication routers and patch panels that are not located inside the computer facility adequately secured? (IT - General Q 7, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the firewall located in a controlled access area? (IT - Firewalls Q 6, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is physical access to the routers secured, if the routers are maintained by a third party? (IT - Routers Q 3, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is physical access to the routers controlled? (IT - Routers Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has the Credit Union adequately implemented physical access controls for access points, bridges, etc.? (IT - WLANS Q 19, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Access points should be located in a physically secure area to prevent tampering. (Table 8-2 Item 12, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • If computers are readily accessible, and they have removable media drives (e.g., floppy disks, compact discs, external hard drives) or USB ports, the drives can be fitted with locks or removed from the computers and USB ports disabled. Depending on security needs and risks, it might also be prudent … (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • § 6.2 Par 1 WLAN infrastructure equipment, such as APs, should have additional security mechanisms installed to prevent theft, alteration, or misuse. § 6.3.3.1(Controlling the reset function) Physical access control mechanisms should be in place to prevent unauthorized users from resetting APs. (§ 6.2 Par 1, § 6.3.3.1(Controlling the reset function), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)