PE - Physical and Environmental Protection
- Controls Count: 7
- Controls IDs: PE-3 (1), PE-6 (4), PE-8 (1), PE-11 (1), PE-13 (2), PE-15 (1), PE-18
Controls
PE-3 (1): System Access
Enforce physical access authorizations to the system in addition to the physical access controls for the facility at organization-defined physical spaces containing one or more components of the system.
Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components.
physical access authorizations to the system are enforced;
physical access controls are enforced for the facility at organization-defined physical spaces containing one or more components of the system.
Physical and environmental protection policy
procedures addressing physical access control
physical access control logs or records
physical access control devices
access authorizations
access credentials
system entry and exit points
list of areas within the facility containing concentrations of system components or system components requiring additional physical protection
system security plan
other relevant documents or records
Organizational personnel with physical access authorization responsibilities
organizational personnel with information security responsibilities
Organizational processes for physical access control to the information system/components
mechanisms supporting and/or implementing physical access control for facility areas containing system components
PE-6 (4): Monitoring Physical Access to Systems
Monitor physical access to the system in addition to the physical access monitoring of the facility at organization-defined physical spaces containing one or more components of the system.
Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization.
physical access to the system is monitored in addition to the physical access monitoring of the facility at organization-defined physical spaces containing one or more components of the system.
Physical and environmental protection policy
procedures addressing physical access monitoring
physical access control logs or records
physical access control devices
access authorizations
access credentials
list of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring
system security plan
privacy plan
privacy impact assessment
privacy risk assessment documentation
other relevant documents or records
Organizational personnel with physical access monitoring responsibilities
organizational personnel with information security and privacy responsibilities
Organizational processes for monitoring physical access to the system
mechanisms supporting and/or implementing physical access monitoring for facility areas containing system components
PE-8 (1): Automated Records Maintenance and Review
Maintain and review visitor access records using organization-defined automated mechanisms.
Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions.
visitor access records are maintained using the organization-defined automated mechanisms used to maintain visitor access records;
visitor access records are reviewed using the organization-defined automated mechanisms used to review visitor access records.
Physical and environmental protection policy
procedures addressing visitor access records
automated mechanisms supporting management of visitor access records
visitor access control logs or records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with visitor access record responsibilities
organizational personnel with information security and privacy responsibilities
Organizational processes for maintaining and reviewing visitor access records
automated mechanisms supporting and/or implementing the maintenance and review of visitor access records
PE-11 (1): Alternate Power Supply — Minimal Operational Capability
Provide an alternate power supply for the system that is activated manually or automatically and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.
Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply.
an alternate power supply provided for the system is activated manually or automatically;
the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.
Physical and environmental protection policy
procedures addressing emergency power
alternate power supply
alternate power supply documentation
alternate power supply test records
system security plan
other relevant documents or records
Organizational personnel with the responsibility for emergency power and/or planning
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing an alternate power supply
the alternate power supply
PE-13 (2): Suppression Systems — Automatic Activation and Notification
Employ fire suppression systems that activate automatically and notify organization-defined personnel or roles and organization-defined emergency responders in the event of a fire; and
Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.
Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.
fire suppression systems that activate automatically are employed;
fire suppression systems that automatically notify organization-defined personnel or roles in the event of a fire are employed;
fire suppression systems that automatically notify organization-defined emergency responders in the event of a fire are employed;
an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.
Physical and environmental protection policy
procedures addressing fire protection
fire suppression and detection devices/systems documentation
facility housing the system
alarm service-level agreements
test records of fire suppression and detection devices/systems
system security plan
other relevant documents or records
Organizational personnel with responsibilities for fire detection and suppression devices/systems
organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders
organizational personnel with information security responsibilities
Automated mechanisms supporting and/or implementing fire suppression devices/systems
activation of fire suppression devices/systems (simulated)
automated notifications
PE-15 (1): Automation Support
Detect the presence of water near the system and alert organization-defined personnel or roles using organization-defined automated mechanisms.
Automated mechanisms include notification systems, water detection sensors, and alarms.
the presence of water near the system can be detected automatically;
organization-defined personnel or roles are alerted, using organization-defined automated mechanisms, when the presence of water is detected near the system.
Physical and environmental protection policy
procedures addressing water damage protection
facility housing the system
automated mechanisms for water shutoff valves
automated mechanisms for detecting the presence of water in the vicinity of the system
alerts/notifications of water detection in system facility
system security plan
other relevant documents or records
Organizational personnel with responsibilities for system environmental controls
organizational personnel with information security responsibilities
Automated mechanisms supporting and/or implementing water detection capabilities and alerts for the system
PE-18: Location of System Components
Position system components within the facility to minimize potential damage from organization-defined physical and environmental hazards and to minimize the opportunity for unauthorized access.
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information.
system components are positioned within the facility to minimize potential damage from organization-defined physical and environmental hazards and to minimize the opportunity for unauthorized access.
Physical and environmental protection policy
procedures addressing the positioning of system components
documentation providing the location and position of system components within the facility
locations housing system components within the facility
list of physical and environmental hazards with the potential to damage system components within the facility
system security plan
other relevant documents or records
Organizational personnel with responsibilities for positioning system components
organizational personnel with information security responsibilities
Organizational processes for positioning system components