Establish, implement, and maintain physical and environmental protection procedures.


CONTROL ID: 14061
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a physical and environmental protection policy. (CC ID: 14030)

This Control has the following implementation support Control(s):
  • Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. (CC ID: 14175)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The DC's physical security and environmental controls should be monitored on a 24 by 7 basis. Appropriate escalation, response plans and procedures for physical and environmental incidents at DCs should be established and tested. (§ 8.5.5, Technology Risk Management Guidelines, January 2021)
  • Adequate measures to protect from environmental hazards should be commensurate with the importance of the buildings and the criticality of the operations or ICT systems located in these buildings. (3.4.3 35, Final Report EBA Guidelines on ICT and security risk management)
  • The entity tests the effectiveness of the key administrative, technical and physical safeguards protecting personal data, periodically and as required by entity policy, or by relevant, applicable laws or regulations. (S7.5, Privacy Management Framework, Updated March 1, 2020)
  • Once the scope is defined, all activities, products and services of the organization within that scope need to be included in the environmental management system. (§ 4.3 ¶ 3, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • use administrative controls. (§ 5.4 ¶ 3 Bullet 4, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Physical and environmental protection procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. (PE-1b.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Physical and environmental protection procedures [FedRAMP Assignment: at least annually]. (PE-1b.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Physical and environmental protection procedures [FedRAMP Assignment: at least annually]. (PE-1b.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (PE-1c.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (PE-1c.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (PE-1c.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PE-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PE-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PE-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PE-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PE-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PE-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PE-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PE-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; (PE-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PE-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Physical and environmental protection procedures [Assignment: organization-defined frequency]. (PE-1b.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., TX-RAMP Security Controls Baseline Level 1)
  • Physical and environmental protection procedures [TX-RAMP Assignment: at least annually]. (PE-1b.2., TX-RAMP Security Controls Baseline Level 1)
  • Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and (PE-1a.2., TX-RAMP Security Controls Baseline Level 2)
  • Physical and environmental protection procedures [TX-RAMP Assignment: at least annually]. (PE-1b.2., TX-RAMP Security Controls Baseline Level 2)