Establish, implement, and maintain on-site physical controls for all distributed assets.


CONTROL ID: 04820
CONTROL TYPE: Physical and Environmental Protection
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Protect distributed assets against theft., CC ID: 06799

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is necessary to keep forms, consumables, fixtures, and fittings in a computer room for system operation and management. Keep them in order, and do not put them in a space necessary for maintenance or evacuation, and do not make the passages narrower. (F25.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The procedures for handling and using media should be included in the Standard Operating Procedures for the user. (Control: 0056 Table Row "Media control", Australian Government Information Security Manual: Controls)
  • The organization must ensure information and communications technology equipment and media that contains sensitive information or classified information is secured in accordance with the requirements from the Australian Government Physical Security Management Protocol. (Control: 0161, Australian Government Information Security Manual: Controls)
  • The organization should secure encryption devices with logical controls and physical controls. (Attach F ¶ 7, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • CSIRTs' premises and the supporting information systems shall be located in secure sites. (ANNEX I ¶ 1(1)(b), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • The organization must implement a clear desk policy and a need to know policy, restrict access to sensitive locations, and restrict access to information or assets to individuals who need it. (Part I ¶ 30, HMG BASELINE PERSONNEL SECURITY STANDARD, GUIDANCE ON THE PRE-EMPLOYMENT SCREENING OF CIVIL SERVANTS, MEMBERS OF THE ARMED FORCES, TEMPORARY STAFF AND GOVERNMENT CONTRACTORS, Version 3, February 2001)
  • The security officer must ensure the organization has baseline counter-terrorist physical security measures and incremental security measures for each response level and that the incremental security measures are implemented at each of the appropriate response levels. (Mandatory Requirement 65, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must use the physical security assessment questionnaire and the physical security baseline controls matrix to identify physical security measures. (Mandatory Requirement 51, HMG Security Policy Framework, Version 6.0 May 2011)
  • ¶ 25: The organization should only allow visiting inspectors that are conducting statutory inspections access to assets marked confidential or above, if the inspector cannot perform the inspection without the access and the organization has received assurances from the inspector's organization that… (¶ 25, ¶ 58, ¶ 60, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • Physical and logical system Information Security infrastructure control features must be controlled and managed. (¶ 21.8 Bullet 6, Good Practices For Computerized systems In Regulated GXP Environments)
  • Interview responsible personnel and observe publicly accessible network jack locations to verify that logical controls and/or physical controls have been implemented to restrict access. (Testing Procedures § 9.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Physical controls and/or logical controls must be implemented to restrict access to publicly accessible network jacks. (PCI DSS Requirements § 9.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • § 4.1.1.A Mount Access Points (APs) on ceilings and walls that do not allow easy physical access. § 4.1.1.B Use Access Points (APs) with chassis and mounting options that prevent physical access to ports and reset features. APs housed in tamper-proof chassis are recommended. (§ 4.1.1.A, § 4.1.1.B, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Information associated with office equipment shall be protected against physical access and tampering by preventing the unauthorized removal of hard disk drives (e.g. by using padlocks). (CF.12.03.03c, The Standard of Good Practice for Information Security)
  • Important internal Certification Authorities (and related sub-certification authorities) should be protected by employing other general security controls (e.g., Change Management, back-up, and security event logging) in a particularly disciplined manner. (CF.08.06.03c, The Standard of Good Practice for Information Security)
  • The sources of forensic information should be protected by preventing the tampering of possible evidence. (CF.11.04.07b, The Standard of Good Practice for Information Security, 2013)
  • Information associated with office equipment shall be protected against physical access and tampering by preventing the unauthorized removal of hard disk drives (e.g. by using padlocks). (CF.12.03.03c, The Standard of Good Practice for Information Security, 2013)
  • The security program, in relation to protecting personal information, should include implementing physical access controls and logical access controls to prevent unauthorized access. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have implemented systems and procedures that manages physical access and logical access to personal information, including backup copies, archived copies, and hard copies. (Table Ref 8.2.3, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • CSR 2.2.19: The organization must implement physical safeguards for restricting access to workstations that access CMS sensitive information to authorized users. CSR 3.6.3: The organization must implement physical and logical controls over workstations that are set up as master consoles. CSR 10.3.2:… (CSR 2.2.19, CSR 3.6.3, CSR 10.3.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Cleared, authorized individuals must maintain custody of classified physical assets at all times, unless the workspace is an approved secure room, and return them to an approved container or destroy them when access is no longer needed. (§ 2.1.2.1 ¶ 1, DISA Access Control STIG, Version 2, Release 3)
  • Controls exist over on-line terminals employed by users and customers; (TIER II OBJECTIVES AND PROCEDURES F.1. Bullet 5, FFIEC IT Examination Handbook - Audit, April 2012)
  • Document hardware and electronic media movements including any person responsible. (§ 4.13.3 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Cabling design and implementation for the control network should be addressed in the cybersecurity plan. Unshielded twisted pair communications cable, while acceptable for the office environment, is generally not suitable for the plant environment due to its susceptibility to interference from magne… (§ 6.2.11.3 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should require that smart grid Information System assets have physical access mechanisms, in addition to the facility's physical access mechanisms. (SG.PE-3 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)