PE - Physical and Environmental Protection
- Controls Count: 10
- Controls IDs: PE-1, PE-2, PE-3, PE-6, PE-8, PE-12, PE-13, PE-14, PE-15, PE-16
Controls
PE-1: Policy and Procedures
Develop, document, and disseminate to organization-defined personnel or roles:
organization-level, mission/business process-level, and/or system-level physical and environmental protection policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;
Designate an [organization-defined official to manage the physical and environmental protection policy and procedures] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
Review and update the current physical and environmental protection:
Policy [organization-defined frequency at which the current physical and environmental protection policy is reviewed and updated] and following [organization-defined events that would require the current physical and environmental protection policy to be reviewed and updated]; and
Procedures [organization-defined frequency at which the current physical and environmental protection procedures are reviewed and updated] and following [organization-defined events that would require the physical and environmental protection procedures to be reviewed and updated].
Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
a physical and environmental protection policy is developed and documented;
the physical and environmental protection policy is disseminated to [organization-defined personnel or roles to whom the physical and environmental protection policy is to be disseminated];
physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;
the physical and environmental protection procedures are disseminated to [organization-defined personnel or roles to whom the physical and environmental protection procedures are to be disseminated];
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses scope;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses roles;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses compliance;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the [organization-defined official to manage the physical and environmental protection policy and procedures] is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;
the current physical and environmental protection policy is reviewed and updated [organization-defined frequency at which the current physical and environmental protection policy is reviewed and updated];
the current physical and environmental protection policy is reviewed and updated following [organization-defined events that would require the current physical and environmental protection policy to be reviewed and updated];
the current physical and environmental protection procedures are reviewed and updated [organization-defined frequency at which the current physical and environmental protection procedures are reviewed and updated];
the current physical and environmental protection procedures are reviewed and updated following [organization-defined events that would require the physical and environmental protection procedures to be reviewed and updated].
Physical and environmental protection policy and procedures
system security plan
privacy plan
organizational risk management strategy
other relevant documents or records
Organizational personnel with physical and environmental protection responsibilities
organizational personnel with information security and privacy responsibilities
PE-2: Physical Access Authorizations
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
Issue authorization credentials for facility access;
Review the access list detailing authorized facility access by individuals [organization-defined frequency at which to review the access list detailing authorized facility access by individuals]; and
Remove individuals from the facility access list when access is no longer required.
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.
a list of individuals with authorized access to the facility where the system resides has been developed;
the list of individuals with authorized access to the facility where the system resides has been approved;
the list of individuals with authorized access to the facility where the system resides has been maintained;
authorization credentials are issued for facility access;
the access list detailing authorized facility access by individuals is reviewed [organization-defined frequency at which to review the access list detailing authorized facility access by individuals];
individuals are removed from the facility access list when access is no longer required.
Physical and environmental protection policy
procedures addressing physical access authorizations
authorized personnel access list
authorization credentials
physical access list reviews
physical access termination records and associated documentation
system security plan
other relevant documents or records
Organizational personnel with physical access authorization responsibilities
organizational personnel with physical access to system facility
organizational personnel with information security responsibilities
Organizational processes for physical access authorizations
mechanisms supporting and/or implementing physical access authorizations
PE-3: Physical Access Control
Enforce physical access authorizations at [organization-defined entry and exit points to the facility in which the system resides] by:
Verifying individual access authorizations before granting access to the facility; and
Controlling ingress and egress to the facility using [organization-defined physical access control systems or devices used to control ingress and egress to the facility (if selected)] and/or guards;
Maintain physical access audit logs for [organization-defined entry or exit points for which physical access logs are maintained];
Control access to areas within the facility designated as publicly accessible by implementing the following controls: [organization-defined physical access controls to control access to areas within the facility designated as publicly accessible];
Escort visitors and control visitor activity [organization-defined circumstances requiring visitor escorts and control of visitor activity];
Secure keys, combinations, and other physical access devices;
Inventory [organization-defined physical access devices to be inventoried] every [organization-defined frequency at which to inventory physical access devices]; and
Change combinations and keys [organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
physical access authorizations are enforced at [organization-defined entry and exit points to the facility in which the system resides] by verifying individual access authorizations before granting access to the facility;
physical access authorizations are enforced at [organization-defined entry and exit points to the facility in which the system resides] by controlling ingress and egress to the facility using [organization-defined physical access control systems or devices used to control ingress and egress to the facility (if selected)] and/or guards;
physical access audit logs are maintained for [organization-defined entry or exit points for which physical access logs are maintained];
access to areas within the facility designated as publicly accessible is maintained by implementing [organization-defined physical access controls to control access to areas within the facility designated as publicly accessible];
visitors are escorted;
visitor activity is controlled [organization-defined circumstances requiring visitor escorts and control of visitor activity];
keys are secured;
combinations are secured;
other physical access devices are secured;
[organization-defined physical access devices to be inventoried] are inventoried [organization-defined frequency at which to inventory physical access devices];
combinations are changed [organization-defined frequency at which to change combinations], when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;
keys are changed [organization-defined frequency at which to change keys], when keys are lost, or when individuals possessing the keys are transferred or terminated.
Physical and environmental protection policy
procedures addressing physical access control
physical access control logs or records
inventory records of physical access control devices
system entry and exit points
records of key and lock combination changes
storage locations for physical access control devices
physical access control devices
list of security safeguards controlling access to designated publicly accessible areas within facility
system security plan
other relevant documents or records
Organizational personnel with physical access control responsibilities
organizational personnel with information security responsibilities
Organizational processes for physical access control
mechanisms supporting and/or implementing physical access control
physical access control devices
PE-6: Monitoring Physical Access
Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
Review physical access logs [organization-defined frequency at which to review physical access logs] and upon occurrence of [organization-defined events or potential indication of events requiring physical access logs to be reviewed]; and
Coordinate results of reviews and investigations with the organizational incident response capability.
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2, if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.
physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;
physical access logs are reviewed [organization-defined frequency at which to review physical access logs];
physical access logs are reviewed upon occurrence of [organization-defined events or potential indication of events requiring physical access logs to be reviewed];
results of reviews are coordinated with organizational incident response capabilities;
results of investigations are coordinated with organizational incident response capabilities.
Physical and environmental protection policy
procedures addressing physical access monitoring
physical access logs or records
physical access monitoring records
physical access log reviews
system security plan
other relevant documents or records
Organizational personnel with physical access monitoring responsibilities
organizational personnel with incident response responsibilities
organizational personnel with information security responsibilities
Organizational processes for monitoring physical access
mechanisms supporting and/or implementing physical access monitoring
mechanisms supporting and/or implementing the review of physical access logs
PE-8: Visitor Access Records
Maintain visitor access records to the facility where the system resides for [organization-defined time period for which to maintain visitor access records for the facility where the system resides];
Review visitor access records [organization-defined frequency at which to review visitor access records]; and
Report anomalies in visitor access records to [organization-defined personnel to whom visitor access records anomalies are reported].
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.
visitor access records for the facility where the system resides are maintained for [organization-defined time period for which to maintain visitor access records for the facility where the system resides];
visitor access records are reviewed [organization-defined frequency at which to review visitor access records];
visitor access records anomalies are reported to [organization-defined personnel to whom visitor access records anomalies are reported].
Physical and environmental protection policy
procedures addressing visitor access records
visitor access control logs or records
visitor access record or log reviews
system security plan
privacy plan
privacy impact assessment
privacy risk assessment documentation
other relevant documents or records
Organizational personnel with visitor access record responsibilities
organizational personnel with information security and privacy responsibilities
Organizational processes for maintaining and reviewing visitor access records
mechanisms supporting and/or implementing the maintenance and review of visitor access records
PE-12: Emergency Lighting
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.
automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;
automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;
automatic emergency lighting for the system covers emergency exits within the facility;
automatic emergency lighting for the system covers evacuation routes within the facility.
Physical and environmental protection policy
procedures addressing emergency lighting
emergency lighting documentation
emergency lighting test records
emergency exits and evacuation routes
system security plan
other relevant documents or records
Organizational personnel with the responsibility for emergency lighting and/or planning
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing an emergency lighting capability
PE-13: Fire Protection
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.
fire detection systems are employed;
employed fire detection systems are supported by an independent energy source;
employed fire detection systems are maintained;
fire suppression systems are employed;
employed fire suppression systems are supported by an independent energy source;
employed fire suppression systems are maintained.
Physical and environmental protection policy
procedures addressing fire protection
fire suppression and detection devices/systems
fire suppression and detection devices/systems documentation
test records of fire suppression and detection devices/systems
system security plan
other relevant documents or records
Organizational personnel with responsibilities for fire detection and suppression devices/systems
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing fire suppression/detection devices/systems
PE-14: Environmental Controls
Maintain temperature, humidity, pressure, radiation, and/or [organization-defined environmental control(s) for which to maintain a specified level in the facility where the system resides (if selected)] levels within the facility where the system resides at [organization-defined acceptable levels for environmental controls]; and
Monitor environmental control levels [organization-defined frequency at which to monitor environmental control levels].
The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.
temperature, humidity, pressure, radiation, and/or [organization-defined environmental control(s) for which to maintain a specified level in the facility where the system resides (if selected)] levels are maintained at [organization-defined acceptable levels for environmental controls] within the facility where the system resides;
environmental control levels are monitored [organization-defined frequency at which to monitor environmental control levels].
Physical and environmental protection policy
procedures addressing temperature and humidity control
temperature and humidity controls
facility housing the system
temperature and humidity controls documentation
temperature and humidity records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for system environmental controls
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels
PE-15: Water Damage Protection
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.
the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;
the master shutoff or isolation valves are accessible;
the master shutoff or isolation valves are working properly;
the master shutoff or isolation valves are known to key personnel.
Physical and environmental protection policy
procedures addressing water damage protection
facility housing the system
master shutoff valves
list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system
master shutoff valve documentation
system security plan
other relevant documents or records
Organizational personnel with responsibilities for system environmental controls
organizational personnel with information security responsibilities
Master water-shutoff valves
organizational process for activating master water shutoff
PE-16: Delivery and Removal
Authorize and control organization-defined types of system components entering and exiting the facility; and
Maintain records of the system components.
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
[organization-defined types of system components to be authorized and controlled when entering the facility] are authorized when entering the facility;
[organization-defined types of system components to be authorized and controlled when entering the facility] are controlled when entering the facility;
[organization-defined types of system components to be authorized and controlled when exiting the facility] are authorized when exiting the facility;
[organization-defined types of system components to be authorized and controlled when exiting the facility] are controlled when exiting the facility;
records of the system components are maintained.
Physical and environmental protection policy
procedures addressing the delivery and removal of system components from the facility
facility housing the system
records of items entering and exiting the facility
system security plan
other relevant documents or records
Organizational personnel with responsibilities for controlling system components entering and exiting the facility
organizational personnel with information security responsibilities
Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility
mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility