Restrict physical access to distributed assets.


CONTROL ID
11865
CONTROL TYPE
Physical and Environmental Protection
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets., CC ID: 00718

This Control has the following implementation support Control(s):
  • House network hardware in lockable rooms or lockable equipment cabinets., CC ID: 01873
  • Protect electronic storage media with physical access controls., CC ID: 00720


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • It is necessary to take countermeasures against unauthorized access to routers such as protection by the use of ID and password and access history management. (P42.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • access to equipment racks should be restricted to authorised staff and monitored; (§ 8.5.6(d), Technology Risk Management Guidelines, January 2021)
  • Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel. (P14:, Australian Government Information Security Manual, March 2021)
  • Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel. (P14:, Australian Government Information Security Manual, June 2023)
  • Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel. (P14:, Australian Government Information Security Manual, September 2023)
  • The entity restricts physical access to facilities and protected information assets (e.g., data center facilities, back-up media storage and other sensitive locations) to authorized personnel to meet the entity's objectives. (S7.2, Privacy Management Framework, Updated March 1, 2020)
  • The entity restricts logical and physical access to its information assets, including computing and network hardware, application systems, data (at-rest, during processing or in transmission), software, administrative authorities, mobile devices, output, and offline system components are restricted … (S7.1 Restricts logical and physical access to PI, Privacy Management Framework, Updated March 1, 2020)
  • How are data-storage systems protected from physical or direct console access? (Appendix D, Implement Strong Access Control Measures Bullet 14, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Mount APs on (or in) ceilings and walls that do not allow easy physical access, or locate in secure areas, such as locked closets or server rooms. (4.1.1 A, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Implement controls to restrict physical and logical access to network entry points. (3.2.4 B, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines. (9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement physical and/or logical controls to restrict access to publicly accessible network jacks. (9.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines. (9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines. (9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? (9.1.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? (9.1.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? (9.1.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? (9.1.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify that physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines is appropriately restricted. (9.1.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. (9.2.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Interview responsible personnel and observe locations of hardware and lines to verify that physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. (9.2.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. (9.2.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. (9.2.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Physical access to information assets and functions by users and support personnel shall be restricted. (DCS-09, Cloud Controls Matrix, v3.0)
  • Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. (3.1 Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. (A.11.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. (§ 11.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. (§ 5.15 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives. (CC6.4 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization manages and protects physical access to information assets (e.g., session lockout, physical control of server rooms). (PR.AC-2.1, CRI Profile, v1.2)
  • Physical access to assets is managed and protected. (PR.AC-2, CRI Profile, v1.2)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (§ 52.204-21(b)(1)(viii), Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information Systems)
  • The organization manages and protects physical access to information assets (e.g., session lockout, physical control of server rooms). (PR.AC-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives. (CC6.4, Trust Services Criteria)
  • The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives. (CC6.4 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Restrict physical access; (Attachment 1 Section 1. 1.5. Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Unauthorized Use Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of unauthorized use of Transient Cyber Asset(s): - Restrict physical access; - Full-disk encryption with authentication; - Multi-factor authentication; or - Other method(s) … (Section 1. 1.5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Restrict physical access; (Attachment 1 Section 1. 1.5. Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), i… (Section 2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that p… (Attachment 1 Section 2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (§ 52.204-21 (b)(1)(viii), 48 CFR Part 52.204-21, Basic Safeguarding of Covered Contractor Information Systems)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (PE.1.131, Cybersecurity Maturity Model Certification, Version 1.0, Level 1)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (PE.1.131, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (PE.1.131, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (PE.1.131, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (PE.1.131, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (PE.L1-3.10.1 Limit Physical Access, Cybersecurity Maturity Model Certification, Version 2.0, Level 1)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (PE.L1-3.10.1 Limit Physical Access, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media. (§ 5.8 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall control physical access to information system devices that display CJI and shall position information system devices in such a way as to prevent unauthorized individuals from accessing and viewing CJI. (§ 5.9.1.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Physically securing it and restricting and monitoring access to it. (App A Objective 13:3l Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. (PE-5 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. (PE-5 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. (PE-5 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. (PE-5 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. (Identity Management, Authentication, and Access Control (PR.AC-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (3.10.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. (3.10.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. (3.10.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. (PE-5 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. (PE-5 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Physical access to assets is managed, monitored, and enforced commensurate with risk (PR.AA-06, The NIST Cybersecurity Framework, v2.0)
  • The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. (PE-5 Control, TX-RAMP Security Controls Baseline Level 2)