Establish, implement, and maintain physical security procedures.
CONTROL ID
13076
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a physical security program., CC ID: 11757

This Control has the following implementation support Control(s):
  • Analyze and evaluate engineering systems., CC ID: 13080
  • Analyze and evaluate facilities and their structural elements., CC ID: 13079
  • Analyze and evaluate mechanical systems, as necessary., CC ID: 13078
  • Report damaged property to interested personnel and affected parties., CC ID: 13702

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The FI should include in the scope of the TVRA a review of the DC’s perimeter and surrounding environment, as well as the building and DC facility. The FI should also review daily security procedures, critical mechanical and engineering systems, building and structural elements as well as physical… (§ 10.1.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • External properties used for storing and processing information assets are taken into account in the security zone concept (e.g. storage rooms, garages, workshops, test tracks, data processing centers). (3.1.1 Requirements (should) Bullet 5, Information Security Assessment, Version 5.1)
  • Define and implement physical security measures in line with business requirements to secure the location and the physical assets. Physical security measures must be capable of effectively preventing, detecting and mitigating risks relating to theft, temperature, fire, smoke, water, vibration, terro… (DS12.2 Physical Security Measures, CobiT, Version 4.1)
  • Physically Secure the Environment (3, Swift Customer Security Controls Framework (CSCF), v2019)
  • Allocate security and privacy requirements to the system and to the environment of operation. (TASK P-17, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4. (B. R5. 5.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4. (B. R5. 5.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Physical Security—increases in risks to systems and data. (§ 5.2.1.3 ¶ 1(7), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Determine whether management applies appropriate physical security controls to protect its premises and more sensitive areas, such as its data center(s). (App A Objective 6.9, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Personnel safety and evacuation during and after a disruption are typically addressed in an OEP. Personnel should be aware of their physical security and exit procedures and should practice these procedures during regular fire drill exercises. OEPs and ISCPs may include instructions for securing off… (Appendix D Subsection 1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))