
Establish, implement, and maintain physical security plans.


CONTROL ID: 13307
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a physical security program., CC ID: 11757

This Control has the following implementation support Control(s):
  • Include a maintenance schedule for the physical security plan in the physical security plan., CC ID: 13309
  • Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed., CC ID: 13315
  • Conduct external audits of the physical security plan., CC ID: 13314


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The requirements for each zone should be determined through the risk assessment. The risk assessment should include, but is not limited to, threats like aircraft crashes, chemical effects, dust, electrical supply interference, electromagnetic radiation, explosives, fire, smoke, theft/destruction, vi… (Critical components of information security 8) (ii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A security zone concept including the associated protective measures based on the requirements for the handling of information assets is in place: (3.1.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • Review and approve the security and privacy plans for the system and the environment of operation. (TASK S-6, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall develop and implement a do… (B. R5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • If the unaffiliated third party reviewer recommends changes to the evaluation performed under Requirement R4 or security plan(s) developed under Requirement R5, the Transmission Owner or Transmission Operator shall, within 60 calendar days of the completion of the unaffiliated third party review, fo… (B. R6. 6.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall develop and implement a do… (B. R5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Modify its evaluation or security plan(s) consistent with the recommendation; or (B. R6. 6.3. Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)