The following compliance controls are associated with this Policy definition 'Implement physical security for offices, working areas, and secure areas' (05ec66a2-137c-14b8-8e75-3d7a2bef07f8)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
PE-13 |
FedRAMP_High_R4_PE-13 |
FedRAMP High PE-13 |
Physical And Environmental Protection |
Fire Protection |
Shared |
n/a |
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.
References: None. |
link |
1 |
FedRAMP_High_R4 |
PE-13(1) |
FedRAMP_High_R4_PE-13(1) |
FedRAMP High PE-13 (1) |
Physical And Environmental Protection |
Detection Devices / Systems |
Shared |
n/a |
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
link |
3 |
FedRAMP_High_R4 |
PE-13(2) |
FedRAMP_High_R4_PE-13(2) |
FedRAMP High PE-13 (2) |
Physical And Environmental Protection |
Suppression Devices / Systems |
Shared |
n/a |
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
link |
1 |
FedRAMP_High_R4 |
PE-13(3) |
FedRAMP_High_R4_PE-13(3) |
FedRAMP High PE-13 (3) |
Physical And Environmental Protection |
Automatic Fire Suppression |
Shared |
n/a |
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. |
link |
1 |
FedRAMP_High_R4 |
PE-14 |
FedRAMP_High_R4_PE-14 |
FedRAMP High PE-14 |
Physical And Environmental Protection |
Temperature And Humidity Controls |
Shared |
n/a |
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3.
References: None. |
link |
1 |
FedRAMP_High_R4 |
PE-14(2) |
FedRAMP_High_R4_PE-14(2) |
FedRAMP High PE-14 (2) |
Physical And Environmental Protection |
Monitoring With Alarms / Notifications |
Shared |
n/a |
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. |
link |
2 |
FedRAMP_High_R4 |
PE-15 |
FedRAMP_High_R4_PE-15 |
FedRAMP High PE-15 |
Physical And Environmental Protection |
Water Damage Protection |
Shared |
n/a |
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3.
References: None. |
link |
1 |
FedRAMP_High_R4 |
PE-18 |
FedRAMP_High_R4_PE-18 |
FedRAMP High PE-18 |
Physical And Environmental Protection |
Location Of Information System Components |
Shared |
n/a |
The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3.
References: None. |
link |
1 |
FedRAMP_High_R4 |
PE-3 |
FedRAMP_High_R4_PE-3 |
FedRAMP High PE-3 |
Physical And Environmental Protection |
Physical Access Control |
Shared |
n/a |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.
Supplemental Guidance: Related controls: CA-2, CA-7. |
link |
4 |
FedRAMP_High_R4 |
PE-4 |
FedRAMP_High_R4_PE-4 |
FedRAMP High PE-4 |
Physical And Environmental Protection |
Access Control For Transmission Medium |
Shared |
n/a |
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8.
Control Enhancements: None.
References: NSTISSI No. 7003. |
link |
2 |
FedRAMP_High_R4 |
PE-5 |
FedRAMP_High_R4_PE-5 |
FedRAMP High PE-5 |
Physical And Environmental Protection |
Access Control For Output Devices |
Shared |
n/a |
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18.
References: None. |
link |
3 |
FedRAMP_High_R4 |
PE-8 |
FedRAMP_High_R4_PE-8 |
FedRAMP High PE-8 |
Physical And Environmental Protection |
Visitor Access Records |
Shared |
n/a |
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency].
Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.
References: None. |
link |
2 |
FedRAMP_Moderate_R4 |
PE-13 |
FedRAMP_Moderate_R4_PE-13 |
FedRAMP Moderate PE-13 |
Physical And Environmental Protection |
Fire Protection |
Shared |
n/a |
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.
References: None. |
link |
1 |
FedRAMP_Moderate_R4 |
PE-13(2) |
FedRAMP_Moderate_R4_PE-13(2) |
FedRAMP Moderate PE-13 (2) |
Physical And Environmental Protection |
Suppression Devices / Systems |
Shared |
n/a |
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
link |
1 |
FedRAMP_Moderate_R4 |
PE-13(3) |
FedRAMP_Moderate_R4_PE-13(3) |
FedRAMP Moderate PE-13 (3) |
Physical And Environmental Protection |
Automatic Fire Suppression |
Shared |
n/a |
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. |
link |
1 |
FedRAMP_Moderate_R4 |
PE-14 |
FedRAMP_Moderate_R4_PE-14 |
FedRAMP Moderate PE-14 |
Physical And Environmental Protection |
Temperature And Humidity Controls |
Shared |
n/a |
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3.
References: None. |
link |
1 |
FedRAMP_Moderate_R4 |
PE-14(2) |
FedRAMP_Moderate_R4_PE-14(2) |
FedRAMP Moderate PE-14 (2) |
Physical And Environmental Protection |
Monitoring With Alarms / Notifications |
Shared |
n/a |
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. |
link |
2 |
FedRAMP_Moderate_R4 |
PE-15 |
FedRAMP_Moderate_R4_PE-15 |
FedRAMP Moderate PE-15 |
Physical And Environmental Protection |
Water Damage Protection |
Shared |
n/a |
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3.
References: None. |
link |
1 |
FedRAMP_Moderate_R4 |
PE-3 |
FedRAMP_Moderate_R4_PE-3 |
FedRAMP Moderate PE-3 |
Physical And Environmental Protection |
Physical Access Control |
Shared |
n/a |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.
Supplemental Guidance: Related controls: CA-2, CA-7. |
link |
4 |
FedRAMP_Moderate_R4 |
PE-4 |
FedRAMP_Moderate_R4_PE-4 |
FedRAMP Moderate PE-4 |
Physical And Environmental Protection |
Access Control For Transmission Medium |
Shared |
n/a |
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8.
Control Enhancements: None.
References: NSTISSI No. 7003. |
link |
2 |
FedRAMP_Moderate_R4 |
PE-5 |
FedRAMP_Moderate_R4_PE-5 |
FedRAMP Moderate PE-5 |
Physical And Environmental Protection |
Access Control For Output Devices |
Shared |
n/a |
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18.
References: None. |
link |
3 |
FedRAMP_Moderate_R4 |
PE-8 |
FedRAMP_Moderate_R4_PE-8 |
FedRAMP Moderate PE-8 |
Physical And Environmental Protection |
Visitor Access Records |
Shared |
n/a |
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency].
Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.
References: None. |
link |
2 |
hipaa |
0408.01y3Organizational.12-01.y |
hipaa-0408.01y3Organizational.12-01.y |
0408.01y3Organizational.12-01.y |
04 Mobile Device Security |
0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
Prior to authorizing teleworking, (i) the organization provides a definition of the work permitted, standard operating hours, classification of information that may be held/stored, and the internal systems and services that the teleworker is authorized to access; (ii) suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment not under the control of the organization is forbidden; (iii) suitable communications equipment, including methods for securing remote access; (iv) rules and guidance on family and visitor access to equipment and information; (v) hardware and software support and maintenance; (vi) procedures for back-up and business continuity; (vii) a means for teleworkers to communicate with information security personnel in case of security incidents or problems; and, (viii) audit and security monitoring. |
|
5 |
hipaa |
11190.01t1Organizational.3-01.t |
hipaa-11190.01t1Organizational.3-01.t |
11190.01t1Organizational.3-01.t |
11 Access Control |
11190.01t1Organizational.3-01.t 01.05 Operating System Access Control |
Shared |
n/a |
Bring your own device (BYOD) and/or company-owned devices are configured to require an automatic lockout screen, and the requirement is enforced through technical controls. |
|
5 |
hipaa |
1192.01l1Organizational.1-01.l |
hipaa-1192.01l1Organizational.1-01.l |
1192.01l1Organizational.1-01.l |
11 Access Control |
1192.01l1Organizational.1-01.l 01.04 Network Access Control |
Shared |
n/a |
Access to network equipment is physically protected. |
|
5 |
hipaa |
1193.01l2Organizational.13-01.l |
hipaa-1193.01l2Organizational.13-01.l |
1193.01l2Organizational.13-01.l |
11 Access Control |
1193.01l2Organizational.13-01.l 01.04 Network Access Control |
Shared |
n/a |
Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port. |
|
5 |
hipaa |
1801.08b1Organizational.124-08.b |
hipaa-1801.08b1Organizational.124-08.b |
1801.08b1Organizational.124-08.b |
18 Physical & Environmental Security |
1801.08b1Organizational.124-08.b 08.01 Secure Areas |
Shared |
n/a |
Visitor and third-party support access is recorded and supervised unless previously approved. |
|
3 |
hipaa |
1804.08b2Organizational.12-08.b |
hipaa-1804.08b2Organizational.12-08.b |
1804.08b2Organizational.12-08.b |
18 Physical & Environmental Security |
1804.08b2Organizational.12-08.b 08.01 Secure Areas |
Shared |
n/a |
A visitor log containing appropriate information is reviewed monthly and maintained for at least two years. |
|
2 |
hipaa |
1808.08b2Organizational.7-08.b |
hipaa-1808.08b2Organizational.7-08.b |
1808.08b2Organizational.7-08.b |
18 Physical & Environmental Security |
1808.08b2Organizational.7-08.b 08.01 Secure Areas |
Shared |
n/a |
Physical access rights are reviewed every 90 days and updated accordingly. |
|
7 |
hipaa |
1811.08b3Organizational.3-08.b |
hipaa-1811.08b3Organizational.3-08.b |
1811.08b3Organizational.3-08.b |
18 Physical & Environmental Security |
1811.08b3Organizational.3-08.b 08.01 Secure Areas |
Shared |
n/a |
Combinations and keys for organization-defined high-risk entry/exit points are changed when lost or stolen or combinations are compromised. |
|
4 |
hipaa |
1813.08b3Organizational.56-08.b |
hipaa-1813.08b3Organizational.56-08.b |
1813.08b3Organizational.56-08.b |
18 Physical & Environmental Security |
1813.08b3Organizational.56-08.b 08.01 Secure Areas |
Shared |
n/a |
The organization actively monitors unoccupied areas at all times and sensitive and/or restricted areas in real time as appropriate for the area. |
|
4 |
hipaa |
1814.08d1Organizational.12-08.d |
hipaa-1814.08d1Organizational.12-08.d |
1814.08d1Organizational.12-08.d |
18 Physical & Environmental Security |
1814.08d1Organizational.12-08.d 08.01 Secure Areas |
Shared |
n/a |
Fire extinguishers and detectors are installed according to applicable laws and regulations. |
|
3 |
hipaa |
18146.08b3Organizational.8-08.b |
hipaa-18146.08b3Organizational.8-08.b |
18146.08b3Organizational.8-08.b |
18 Physical & Environmental Security |
18146.08b3Organizational.8-08.b 08.01 Secure Areas |
Shared |
n/a |
The organization maintains an electronic log of alarm system events and regularly reviews the logs, no less than monthly. |
|
4 |
hipaa |
1815.08d2Organizational.123-08.d |
hipaa-1815.08d2Organizational.123-08.d |
1815.08d2Organizational.123-08.d |
18 Physical & Environmental Security |
1815.08d2Organizational.123-08.d 08.01 Secure Areas |
Shared |
n/a |
Fire prevention and suppression mechanisms, including workforce training, are provided. |
|
3 |
hipaa |
1817.08d3Organizational.12-08.d |
hipaa-1817.08d3Organizational.12-08.d |
1817.08d3Organizational.12-08.d |
18 Physical & Environmental Security |
1817.08d3Organizational.12-08.d 08.01 Secure Areas |
Shared |
n/a |
Water detection mechanisms are in place with master shutoff or isolation valves accessible, working and known. |
|
1 |
hipaa |
1818.08d3Organizational.3-08.d |
hipaa-1818.08d3Organizational.3-08.d |
1818.08d3Organizational.3-08.d |
18 Physical & Environmental Security |
1818.08d3Organizational.3-08.d 08.01 Secure Areas |
Shared |
n/a |
Fire suppression and detection systems are supported by an independent energy source. |
|
3 |
hipaa |
1845.08b1Organizational.7-08.b |
hipaa-1845.08b1Organizational.7-08.b |
1845.08b1Organizational.7-08.b |
18 Physical & Environmental Security |
1845.08b1Organizational.7-08.b 08.01 Secure Areas |
Shared |
n/a |
For facilities where the information system resides, the organization enforces physical access authorizations at defined entry/exit points to the facility where the information system resides, maintains physical access audit logs, and provides security safeguards that the organization determines necessary for areas officially designated as publicly accessible. |
|
4 |
hipaa |
1846.08b2Organizational.8-08.b |
hipaa-1846.08b2Organizational.8-08.b |
1846.08b2Organizational.8-08.b |
18 Physical & Environmental Security |
1846.08b2Organizational.8-08.b 08.01 Secure Areas |
Shared |
n/a |
Visitors are only granted access for specific and authorized purposes and issued with instructions on the security requirements of the area and on emergency procedures. |
|
1 |
ISO27001-2013 |
A.11.1.1 |
ISO27001-2013_A.11.1.1 |
ISO 27001:2013 A.11.1.1 |
Physical And Environmental Security |
Physical security perimeter |
Shared |
n/a |
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. |
link |
8 |
ISO27001-2013 |
A.11.1.2 |
ISO27001-2013_A.11.1.2 |
ISO 27001:2013 A.11.1.2 |
Physical And Environmental Security |
Physical entry controls |
Shared |
n/a |
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
link |
9 |
ISO27001-2013 |
A.11.1.3 |
ISO27001-2013_A.11.1.3 |
ISO 27001:2013 A.11.1.3 |
Physical And Environmental Security |
Securing offices, rooms and facilities |
Shared |
n/a |
Physical security for offices, rooms and facilities shall be designed and applied. |
link |
5 |
ISO27001-2013 |
A.11.1.4 |
ISO27001-2013_A.11.1.4 |
ISO 27001:2013 A.11.1.4 |
Physical And Environmental Security |
Protecting against external and environmental threats |
Shared |
n/a |
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. |
link |
9 |
ISO27001-2013 |
A.11.2.1 |
ISO27001-2013_A.11.2.1 |
ISO 27001:2013 A.11.2.1 |
Physical And Environmental Security |
Equipment sitting and protection |
Shared |
n/a |
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. |
link |
1 |
ISO27001-2013 |
A.11.2.2 |
ISO27001-2013_A.11.2.2 |
ISO 27001:2013 A.11.2.2 |
Physical And Environmental Security |
Supporting utilities |
Shared |
n/a |
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
link |
3 |
ISO27001-2013 |
A.11.2.3 |
ISO27001-2013_A.11.2.3 |
ISO 27001:2013 A.11.2.3 |
Physical And Environmental Security |
Cabling security |
Shared |
n/a |
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. |
link |
4 |
ISO27001-2013 |
A.12.1.2 |
ISO27001-2013_A.12.1.2 |
ISO 27001:2013 A.12.1.2 |
Operations Security |
Change management |
Shared |
n/a |
Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
link |
27 |
ISO27001-2013 |
A.8.2.3 |
ISO27001-2013_A.8.2.3 |
ISO 27001:2013 A.8.2.3 |
Asset Management |
Handling of assets |
Shared |
n/a |
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
link |
26 |
|
mp.eq.1 Clear desk |
mp.eq.1 Clear desk |
404 not found |
|
|
|
n/a |
n/a |
|
19 |
|
mp.eq.2 User session lockout |
mp.eq.2 User session lockout |
404 not found |
|
|
|
n/a |
n/a |
|
29 |
|
mp.if.1 Separate areas with access control |
mp.if.1 Separate areas with access control |
404 not found |
|
|
|
n/a |
n/a |
|
23 |
|
mp.if.2 Identification of persons |
mp.if.2 Identification of persons |
404 not found |
|
|
|
n/a |
n/a |
|
13 |
|
mp.if.3 Fitting-out of premises |
mp.if.3 Fitting-out of premises |
404 not found |
|
|
|
n/a |
n/a |
|
18 |
|
mp.if.4 Electrical energy |
mp.if.4 Electrical energy |
404 not found |
|
|
|
n/a |
n/a |
|
8 |
|
mp.if.5 Fire protection |
mp.if.5 Fire protection |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
|
mp.if.6 Flood protection |
mp.if.6 Flood protection |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
|
mp.if.7 Recording of entries and exits of equipment |
mp.if.7 Recording of entries and exits of equipment |
404 not found |
|
|
|
n/a |
n/a |
|
12 |
|
mp.si.4 Transport |
mp.si.4 Transport |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
NIST_SP_800-171_R2_3 |
.10.3 |
NIST_SP_800-171_R2_3.10.3 |
NIST SP 800-171 R2 3.10.3 |
Physical Protection |
Escort visitors and monitor visitor activity. |
Shared |
Microsoft is responsible for implementing this requirement. |
Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity. |
link |
2 |
NIST_SP_800-171_R2 |
3.10.5 |
NIST_SP_800-171_R2_3.10.5 |
NIST SP 800-171 R2 3.10.5 |
Physical Protection |
Control and manage physical access devices. |
Shared |
Microsoft is responsible for implementing this requirement. |
Physical access devices include keys, locks, combinations, and card readers. |
link |
4 |
NIST_SP_800-53_R4 |
PE-13 |
NIST_SP_800-53_R4_PE-13 |
NIST SP 800-53 Rev. 4 PE-13 |
Physical And Environmental Protection |
Fire Protection |
Shared |
n/a |
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.
References: None. |
link |
1 |
NIST_SP_800-53_R4 |
PE-13(1) |
NIST_SP_800-53_R4_PE-13(1) |
NIST SP 800-53 Rev. 4 PE-13 (1) |
Physical And Environmental Protection |
Detection Devices / Systems |
Shared |
n/a |
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
link |
3 |
NIST_SP_800-53_R4 |
PE-13(2) |
NIST_SP_800-53_R4_PE-13(2) |
NIST SP 800-53 Rev. 4 PE-13 (2) |
Physical And Environmental Protection |
Suppression Devices / Systems |
Shared |
n/a |
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
link |
1 |
NIST_SP_800-53_R4 |
PE-13(3) |
NIST_SP_800-53_R4_PE-13(3) |
NIST SP 800-53 Rev. 4 PE-13 (3) |
Physical And Environmental Protection |
Automatic Fire Suppression |
Shared |
n/a |
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. |
link |
1 |
NIST_SP_800-53_R4 |
PE-14 |
NIST_SP_800-53_R4_PE-14 |
NIST SP 800-53 Rev. 4 PE-14 |
Physical And Environmental Protection |
Temperature And Humidity Controls |
Shared |
n/a |
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3.
References: None. |
link |
1 |
NIST_SP_800-53_R4 |
PE-14(2) |
NIST_SP_800-53_R4_PE-14(2) |
NIST SP 800-53 Rev. 4 PE-14 (2) |
Physical And Environmental Protection |
Monitoring With Alarms / Notifications |
Shared |
n/a |
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. |
link |
2 |
NIST_SP_800-53_R4 |
PE-15 |
NIST_SP_800-53_R4_PE-15 |
NIST SP 800-53 Rev. 4 PE-15 |
Physical And Environmental Protection |
Water Damage Protection |
Shared |
n/a |
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3.
References: None. |
link |
1 |
NIST_SP_800-53_R4 |
PE-18 |
NIST_SP_800-53_R4_PE-18 |
NIST SP 800-53 Rev. 4 PE-18 |
Physical And Environmental Protection |
Location Of Information System Components |
Shared |
n/a |
The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3.
References: None. |
link |
1 |
NIST_SP_800-53_R4 |
PE-3 |
NIST_SP_800-53_R4_PE-3 |
NIST SP 800-53 Rev. 4 PE-3 |
Physical And Environmental Protection |
Physical Access Control |
Shared |
n/a |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.
Supplemental Guidance: Related controls: CA-2, CA-7. |
link |
4 |
NIST_SP_800-53_R4 |
PE-4 |
NIST_SP_800-53_R4_PE-4 |
NIST SP 800-53 Rev. 4 PE-4 |
Physical And Environmental Protection |
Access Control For Transmission Medium |
Shared |
n/a |
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8.
Control Enhancements: None.
References: NSTISSI No. 7003. |
link |
2 |
NIST_SP_800-53_R4 |
PE-5 |
NIST_SP_800-53_R4_PE-5 |
NIST SP 800-53 Rev. 4 PE-5 |
Physical And Environmental Protection |
Access Control For Output Devices |
Shared |
n/a |
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18.
References: None. |
link |
3 |
NIST_SP_800-53_R4 |
PE-8 |
NIST_SP_800-53_R4_PE-8 |
NIST SP 800-53 Rev. 4 PE-8 |
Physical And Environmental Protection |
Visitor Access Records |
Shared |
n/a |
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency].
Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.
References: None. |
link |
2 |
NIST_SP_800-53_R5 |
PE-13 |
NIST_SP_800-53_R5_PE-13 |
NIST SP 800-53 Rev. 5 PE-13 |
Physical and Environmental Protection |
Fire Protection |
Shared |
n/a |
Employ and maintain fire detection and suppression systems that are supported by an independent energy source. |
link |
1 |
NIST_SP_800-53_R5 |
PE-13(1) |
NIST_SP_800-53_R5_PE-13(1) |
NIST SP 800-53 Rev. 5 PE-13 (1) |
Physical and Environmental Protection |
Detection Systems – Automatic Activation and Notification |
Shared |
n/a |
Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. |
link |
3 |
NIST_SP_800-53_R5 |
PE-13(2) |
NIST_SP_800-53_R5_PE-13(2) |
NIST SP 800-53 Rev. 5 PE-13 (2) |
Physical and Environmental Protection |
Suppression Systems – Automatic Activation and Notification |
Shared |
n/a |
(a) Employ fire suppression systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]; and
(b) Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis. |
link |
1 |
NIST_SP_800-53_R5 |
PE-14 |
NIST_SP_800-53_R5_PE-14 |
NIST SP 800-53 Rev. 5 PE-14 |
Physical and Environmental Protection |
Environmental Controls |
Shared |
n/a |
a. Maintain [Selection (OneOrMore): temperature;humidity;pressure;radiation; [Assignment: organization-defined environmental control] ] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitor environmental control levels [Assignment: organization-defined frequency]. |
link |
1 |
NIST_SP_800-53_R5 |
PE-14(2) |
NIST_SP_800-53_R5_PE-14(2) |
NIST SP 800-53 Rev. 5 PE-14 (2) |
Physical and Environmental Protection |
Monitoring with Alarms and Notifications |
Shared |
n/a |
Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles]. |
link |
2 |
NIST_SP_800-53_R5 |
PE-15 |
NIST_SP_800-53_R5_PE-15 |
NIST SP 800-53 Rev. 5 PE-15 |
Physical and Environmental Protection |
Water Damage Protection |
Shared |
n/a |
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. |
link |
1 |
NIST_SP_800-53_R5 |
PE-18 |
NIST_SP_800-53_R5_PE-18 |
NIST SP 800-53 Rev. 5 PE-18 |
Physical and Environmental Protection |
Location of System Components |
Shared |
n/a |
Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. |
link |
1 |
NIST_SP_800-53_R5 |
PE-3 |
NIST_SP_800-53_R5_PE-3 |
NIST SP 800-53 Rev. 5 PE-3 |
Physical and Environmental Protection |
Physical Access Control |
Shared |
n/a |
a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress and egress to the facility using [Selection (OneOrMore): [Assignment: organization-defined physical access control systems or devices] ;guards] ;
b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points];
c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls];
d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity];
e. Secure keys, combinations, and other physical access devices;
f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. |
link |
4 |
NIST_SP_800-53_R5 |
PE-4 |
NIST_SP_800-53_R5_PE-4 |
NIST SP 800-53 Rev. 5 PE-4 |
Physical and Environmental Protection |
Access Control for Transmission |
Shared |
n/a |
Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls]. |
link |
2 |
NIST_SP_800-53_R5 |
PE-5 |
NIST_SP_800-53_R5_PE-5 |
NIST SP 800-53 Rev. 5 PE-5 |
Physical and Environmental Protection |
Access Control for Output Devices |
Shared |
n/a |
Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. |
link |
3 |
NIST_SP_800-53_R5 |
PE-8 |
NIST_SP_800-53_R5_PE-8 |
NIST SP 800-53 Rev. 5 PE-8 |
Physical and Environmental Protection |
Visitor Access Records |
Shared |
n/a |
a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period];
b. Review visitor access records [Assignment: organization-defined frequency]; and
c. Report anomalies in visitor access records to [Assignment: organization-defined personnel]. |
link |
2 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
PCI_DSS_v4.0 |
9.2.3 |
PCI_DSS_v4.0_9.2.3 |
PCI DSS v4.0 9.2.3 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Physical access controls manage entry into facilities and systems containing cardholder data |
Shared |
n/a |
Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. |
link |
2 |
PCI_DSS_v4.0 |
9.2.4 |
PCI_DSS_v4.0_9.2.4 |
PCI DSS v4.0 9.2.4 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Physical access controls manage entry into facilities and systems containing cardholder data |
Shared |
n/a |
Access to consoles in sensitive areas is restricted via locking when not in use. |
link |
2 |
PCI_DSS_v4.0 |
9.3.2 |
PCI_DSS_v4.0_9.3.2 |
PCI DSS v4.0 9.3.2 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Physical access for personnel and visitors is authorized and managed |
Shared |
n/a |
Procedures are implemented for authorizing and managing visitor access to the CDE, including:
• Visitors are authorized before entering.
• Visitors are escorted at all times.
• Visitors are clearly identified and given a badge or other identification that expires.
• Visitor badges or other identification visibly distinguishes visitors from personnel. |
link |
2 |
PCI_DSS_v4.0 |
9.3.3 |
PCI_DSS_v4.0_9.3.3 |
PCI DSS v4.0 9.3.3 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Physical access for personnel and visitors is authorized and managed |
Shared |
n/a |
Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration. |
link |
2 |
PCI_DSS_v4.0 |
9.3.4 |
PCI_DSS_v4.0_9.3.4 |
PCI DSS v4.0 9.3.4 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Physical access for personnel and visitors is authorized and managed |
Shared |
n/a |
A visitor log is used to maintain a physical record of visitor activity within the facility and within sensitive areas, including:
• The visitor’s name and the organization represented.
• The date and time of the visit.
• The name of the personnel authorizing physical access.
• Retaining the log for at least three months, unless otherwise restricted by law. |
link |
2 |
PCI_DSS_v4.0 |
9.5.1 |
PCI_DSS_v4.0_9.5.1 |
PCI DSS v4.0 9.5.1 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Point of interaction (POI) devices are protected from tampering and unauthorized substitution |
Shared |
n/a |
POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:
• Maintaining a list of POI devices.
• Periodically inspecting POI devices to look for tampering or unauthorized substitution.
• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. |
link |
3 |
PCI_DSS_v4.0 |
9.5.1.2 |
PCI_DSS_v4.0_9.5.1.2 |
PCI DSS v4.0 9.5.1.2 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Point of interaction (POI) devices are protected from tampering and unauthorized substitution |
Shared |
n/a |
POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. |
link |
3 |
PCI_DSS_v4.0 |
9.5.1.2.1 |
PCI_DSS_v4.0_9.5.1.2.1 |
PCI DSS v4.0 9.5.1.2.1 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Point of interaction (POI) devices are protected from tampering and unauthorized substitution |
Shared |
n/a |
The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. |
link |
3 |
SOC_2 |
A1.2 |
SOC_2_A1.2 |
SOC 2 Type 2 A1.2 |
Additional Criteria For Availability |
Environmental protections, software, data back-up processes, and recovery infrastructure |
Shared |
The customer is responsible for implementing this recommendation. |
• Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water.
• Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events.
• Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events.
• Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events.
• Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem).
• Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary.
• Determines Data Requiring Backup — Data is evaluated to determine whether backup is required.
• Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur.
• Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level.
• Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. |
|
13 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies, inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction. |
|
78 |
SWIFT_CSCF_v2022 |
3.1 |
SWIFT_CSCF_v2022_3.1 |
SWIFT CSCF v2022 3.1 |
3. Physically Secure the Environment |
Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. |
Shared |
n/a |
Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage. |
link |
8 |
SWIFT_CSCF_v2022 |
9.3 |
SWIFT_CSCF_v2022_9.3 |
SWIFT CSCF v2022 9.3 |
9. Ensure Availability through Resilience |
Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. |
Shared |
n/a |
Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. |
link |
7 |