
Implement physical security controls at all supply chain member locations.


CONTROL ID: 08933
CONTROL TYPE: Business Processes
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for the supply chain. (CC ID: 08931)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The FI should verify that adequate physical security measures are implemented at third party payment kiosks, which accept and process the FI’s payment cards. (§ 13.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The physical security practices over gold in conflict-affected and high-risk areas for medium and large-scale mining companies and artisanal and small-scale mining enterprises should be verifiable by appropriate and trusted third parties. (Supplement on Gold Step 1: § II.A.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. (SA-9(5) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization restricts the location of [FedRAMP Selection: information processing, information data, AND information services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. (SA-9(5) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization restricts the location of [FedRAMP Selection: information processing, information data, AND information services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. (SA-9(5) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Restrict the location of [FedRAMP Assignment: information processing, information or data, AND system services] to [FedRAMP Assignment: U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction] based on [FedRAMP Assignment: all High impact data, systems, or services]. (SA-9(5) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Restrict the location of [FedRAMP Assignment: information processing, information or data, AND system services] to [FedRAMP Assignment: U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction] based on [FedRAMP Assignment: all High impact data, systems, or services]. (SA-9(5) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Restrict the location of [Selection (one or more): information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. (SA-9(5) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. (SA-9(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Restrict the location of [Selection (one or more): information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. (SA-9(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Restrict the location of [Selection (one or more): information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. (SA-9(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. (SA-9(5) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization restricts the location of [TX-RAMP Selection (one or more): information processing, information data, AND information services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. (SA-9(5) ¶ 1, TX-RAMP Security Controls Baseline Level 2)