Establish, implement, and maintain a physical security program.
CONTROL ID
11757
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Physical and environmental protection, CC ID: 00709

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain physical security plans., CC ID: 13307
  • Establish, implement, and maintain physical security procedures., CC ID: 13076
  • Establish, implement, and maintain an anti-tamper protection program., CC ID: 10638
  • Establish, implement, and maintain a facility physical security program., CC ID: 00711
  • Establish, implement, and maintain physical security controls for distributed assets., CC ID: 00718
  • Establish, implement, and maintain proper aircraft security., CC ID: 02213
  • Establish, implement, and maintain a vehicle access program., CC ID: 02216
  • Establish, implement, and maintain proper container security., CC ID: 02208
  • Establish, implement, and maintain returned card procedures., CC ID: 13567
  • Establish and maintain the physical security of non-issued payment cards., CC ID: 06402
  • Establish and maintain physical security of assets used for publicity., CC ID: 06724
  • Install and protect network cabling., CC ID: 08624
  • Install and maintain network jacks and outlet boxes., CC ID: 08635
  • Install and maintain network patch panels., CC ID: 08636
  • Encase network cabling in conduit or closed cable reticulation systems, as necessary., CC ID: 08647


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Physical security measures should be in place to protect computer facilities and equipment from damage or unauthorized access. Critical information processing facilities should be housed in secure areas such as data centres and network equipment rooms with appropriate security barriers and entry con… (3.6.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The DC should have adequate physical access controls including: (§ 8.5.6, Technology Risk Management Guidelines, January 2021)
  • Financial institutions' physical security measures should be defined, documented and implemented to protect their premises, data centres and sensitive areas from unauthorised access and from environmental hazards. (3.4.3 33, Final Report EBA Guidelines on ICT and security risk management)
  • put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of ICT risk, including for the protection of relevant physical components and infrastructures; (Art. 16.1. ¶ 2(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. (9.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. (9.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. (9.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for restricting physical access to cardholder data are: - Documented, - In use, and - Known to all affected parties. (9.10, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Define the security and privacy requirements for the system and the environment of operation. (TASK P-15, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Physical and environmental security policies are implemented and managed. (PR.IP-5.1, CRI Profile, v1.2)
  • Physical and environmental security policies are implemented and managed. (PR.IP-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Each Responsible Entity shall implement one or more documented physical security plan(s) that collectively include all of the applicable requirement parts in CIP-006-6 Table R1 – Physical Security Plan. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning and Same Day Operations]. (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Physical Security of BES Cyber Systems CIP-006-6, Version 6)
  • The Transmission Owner or Transmission Operator, respectively, shall ensure that the unaffiliated third party review is completed within 90 calendar days of completing the security plan(s) developed in Requirement R5. The unaffiliated third party review may, but is not required to, include recommend… (B. R6. 6.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • The Transmission Owner or Transmission Operator, respectively, shall ensure that the unaffiliated third party review is completed within 90 calendar days of completing the security plan(s) developed in Requirement R5. The unaffiliated third party review may, but is not required to, include recommend… (B. R6. 6.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. (§ 164.310(a)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity, etc. (§ 5.2.1.1 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software, and media are physically protected through access control measures. (§ 5.9 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software, and media are physically protected through access control measures. (§ 5.9 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine whether management has implemented physical resilience measures that: (App A Objective 6:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implementation of physical security controls. (App A Objective 14:1d Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Physical security management (e.g., CCTV, guards, and badge systems). (App A Objective 8.1.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The quality of physical and logical security, including the privacy of data. (TIER II OBJECTIVES AND PROCEDURES C.1. Bullet 8, FFIEC IT Examination Handbook - Audit, April 2012)
  • People and Asset Tracking. Locating people and vehicles in a large installation is important for safety reasons, and it is increasingly important for security reasons as well. Asset location technologies can be used to track the movements of people and vehicles within the plant, to ensure that they … (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 4 Bullet 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Define and/or implement policies and procedures to ensure protection of critical infrastructure as appropriate. (T0282, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)