NIST Physical and Environmental Protection Risk Controls (pe)

Policy and Procedures (pe-1)

Develop, document, and disseminate to organization-defined personnel or roles:

one or more,Organization-level,Mission/business process-level,System-level physical and environmental protection policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;

Designate an organization-defined official to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

Review and update the current physical and environmental protection:

Policy organization-defined frequency and following organization-defined events; and

Procedures organization-defined frequency and following organization-defined events.

Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Physical Access Authorizations (pe-2)

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

Issue authorization credentials for facility access;

Review the access list detailing authorized facility access by individuals organization-defined frequency; and

Remove individuals from the facility access list when access is no longer required.

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

Physical Access Control (pe-3)

Enforce physical access authorizations at organization-defined entry and exit points to the facility where the system resides by:

Verifying individual access authorizations before granting access to the facility; and

Controlling ingress and egress to the facility using one or more, organization-defined physical access control systems or devices ,guards;

Maintain physical access audit logs for organization-defined entry or exit points;

Control access to areas within the facility designated as publicly accessible by implementing the following controls: organization-defined physical access controls;

Escort visitors and control visitor activity organization-defined circumstances requiring visitor escorts and control of visitor activity;

Secure keys, combinations, and other physical access devices;

Inventory organization-defined physical access devices every organization-defined frequency; and

Change combinations and keys organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

Access Control for Transmission (pe-4)

Control physical access to organization-defined system distribution and transmission lines within organizational facilities using organization-defined security controls.

Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.

Access Control for Output Devices (pe-5)

Control physical access to output from organization-defined output devices to prevent unauthorized individuals from obtaining the output.

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

Monitoring Physical Access (pe-6)

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;

Review physical access logs organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and

Coordinate results of reviews and investigations with the organizational incident response capability.

Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as #au-2(#au-2), if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

Intrusion Alarms and Surveillance Equipment (pe-6.1)

Visitor Access Records (pe-8)

Maintain visitor access records to the facility where the system resides for organization-defined time period;

Review visitor access records organization-defined frequency; and

Report anomalies in visitor access records to organization-defined personnel.

Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.

Power Equipment and Cabling (pe-9)

Protect power equipment and power cabling for the system from damage and destruction.

Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems.

Emergency Shutoff (pe-10)

Provide the capability of shutting off power to organization-defined system or individual system components in emergency situations;

Place emergency shutoff switches or devices in organization-defined location by system or system component to facilitate access for authorized personnel; and

Protect emergency power shutoff capability from unauthorized activation.

Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.

Emergency Power (pe-11)

Provide an uninterruptible power supply to facilitate one or more,an orderly shutdown of the system,transition of the system to long-term alternate power in the event of a primary power source loss.

An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system.

Emergency Lighting (pe-12)

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.

Fire Protection (pe-13)

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.

Detection Systems ? Automatic Activation and Notification (pe-13.1)

Environmental Controls (pe-14)

Maintain one or more,temperature,humidity,pressure,radiation, organization-defined environmental control levels within the facility where the system resides at organization-defined acceptable levels; and

Monitor environmental control levels organization-defined frequency.

The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.

Water Damage Protection (pe-15)

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.

Delivery and Removal (pe-16)

Authorize and control organization-defined types of system components entering and exiting the facility; and

Maintain records of the system components.

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

Alternate Work Site (pe-17)

Determine and document the organization-defined alternate work sites allowed for use by employees;

Employ the following controls at alternate work sites: organization-defined controls;

Assess the effectiveness of controls at alternate work sites; and

Provide a means for employees to communicate with information security and privacy personnel in case of incidents.

Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.

Free security assessment Application