PE - Physical and Environmental Protection
- Controls Count: 18
- Controls IDs: PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-6 (1), PE-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-13 (1), PE-14, PE-15, PE-16, PE-17
Controls
PE-1: Policy and Procedures
Develop, document, and disseminate to organization-defined personnel or roles:
organization-level, mission/business process-level, and/or system-level physical and environmental protection policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;
Designate an an official to manage the physical and environmental protection policy and procedures is defined; to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
Review and update the current physical and environmental protection:
Policy the frequency at which the current physical and environmental protection policy is reviewed and updated is defined; and following events that would require the current physical and environmental protection policy to be reviewed and updated are defined; ; and
Procedures the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined; and following events that would require the physical and environmental protection procedures to be reviewed and updated are defined;.
Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
a physical and environmental protection policy is developed and documented;
the physical and environmental protection policy is disseminated to personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;;
physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;
the physical and environmental protection procedures are disseminated to personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses scope;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses roles;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy addresses compliance;
the organization-level, mission/business process-level, and/or system-level physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the an official to manage the physical and environmental protection policy and procedures is defined; is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;
the current physical and environmental protection policy is reviewed and updated the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;;
the current physical and environmental protection policy is reviewed and updated following events that would require the current physical and environmental protection policy to be reviewed and updated are defined;;
the current physical and environmental protection procedures are reviewed and updated the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;;
the current physical and environmental protection procedures are reviewed and updated following events that would require the physical and environmental protection procedures to be reviewed and updated are defined;.
Physical and environmental protection policy and procedures
system security plan
privacy plan
organizational risk management strategy
other relevant documents or records
Organizational personnel with physical and environmental protection responsibilities
organizational personnel with information security and privacy responsibilities
PE-2: Physical Access Authorizations
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
Issue authorization credentials for facility access;
Review the access list detailing authorized facility access by individuals frequency at which to review the access list detailing authorized facility access by individuals is defined; ; and
Remove individuals from the facility access list when access is no longer required.
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.
a list of individuals with authorized access to the facility where the system resides has been developed;
the list of individuals with authorized access to the facility where the system resides has been approved;
the list of individuals with authorized access to the facility where the system resides has been maintained;
authorization credentials are issued for facility access;
the access list detailing authorized facility access by individuals is reviewed frequency at which to review the access list detailing authorized facility access by individuals is defined;;
individuals are removed from the facility access list when access is no longer required.
Physical and environmental protection policy
procedures addressing physical access authorizations
authorized personnel access list
authorization credentials
physical access list reviews
physical access termination records and associated documentation
system security plan
other relevant documents or records
Organizational personnel with physical access authorization responsibilities
organizational personnel with physical access to system facility
organizational personnel with information security responsibilities
Organizational processes for physical access authorizations
mechanisms supporting and/or implementing physical access authorizations
PE-3: Physical Access Control
Enforce physical access authorizations at entry and exit points to the facility in which the system resides are defined; by:
Verifying individual access authorizations before granting access to the facility; and
Controlling ingress and egress to the facility using physical access control systems or devices used to control ingress and egress to the facility are defined (if selected); and/orguards;
Maintain physical access audit logs for entry or exit points for which physical access logs are maintained are defined;;
Control access to areas within the facility designated as publicly accessible by implementing the following controls: physical access controls to control access to areas within the facility designated as publicly accessible are defined;;
Escort visitors and control visitor activity circumstances requiring visitor escorts and control of visitor activity are defined;;
Secure keys, combinations, and other physical access devices;
Inventory physical access devices to be inventoried are defined; every frequency at which to inventory physical access devices is defined; ; and
Change combinations and keys organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
physical access authorizations are enforced at entry and exit points to the facility in which the system resides are defined; by verifying individual access authorizations before granting access to the facility;
physical access authorizations are enforced at entry and exit points to the facility in which the system resides are defined; by controlling ingress and egress to the facility using physical access control systems or devices used to control ingress and egress to the facility are defined (if selected); and/orguards;
physical access audit logs are maintained for entry or exit points for which physical access logs are maintained are defined;;
access to areas within the facility designated as publicly accessible are maintained by implementing physical access controls to control access to areas within the facility designated as publicly accessible are defined;;
visitors are escorted;
visitor activity is controlled circumstances requiring visitor escorts and control of visitor activity are defined;;
keys are secured;
combinations are secured;
other physical access devices are secured;
physical access devices to be inventoried are defined; are inventoried frequency at which to inventory physical access devices is defined;;
combinations are changed frequency at which to change combinations is defined; , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;
keys are changed frequency at which to change keys is defined; , when keys are lost, or when individuals possessing the keys are transferred or terminated.
Physical and environmental protection policy
procedures addressing physical access control
physical access control logs or records
inventory records of physical access control devices
system entry and exit points
records of key and lock combination changes
storage locations for physical access control devices
physical access control devices
list of security safeguards controlling access to designated publicly accessible areas within facility
system security plan
other relevant documents or records
Organizational personnel with physical access control responsibilities
organizational personnel with information security responsibilities
Organizational processes for physical access control
mechanisms supporting and/or implementing physical access control
physical access control devices
PE-4: Access Control for Transmission
Control physical access to system distribution and transmission lines requiring physical access controls are defined; within organizational facilities using security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;.
Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.
physical access to system distribution and transmission lines requiring physical access controls are defined; within organizational facilities is controlled using security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;.
Physical and environmental protection policy
procedures addressing access control for transmission mediums
system design documentation
facility communications and wiring diagrams
list of physical security safeguards applied to system distribution and transmission lines
system security plan
other relevant documents or records
Organizational personnel with physical access control responsibilities
organizational personnel with information security responsibilities
Organizational processes for access control to distribution and transmission lines
mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines
PE-5: Access Control for Output Devices
Control physical access to output from output devices that require physical access control to output are defined; to prevent unauthorized individuals from obtaining the output.
Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.
physical access to output from output devices that require physical access control to output are defined; is controlled to prevent unauthorized individuals from obtaining the output.
Physical and environmental protection policy
procedures addressing access control for display medium
facility layout of system components
actual displays from system components
list of output devices and associated outputs requiring physical access controls
physical access control logs or records for areas containing output devices and related outputs
system security plan
other relevant documents or records
Organizational personnel with physical access control responsibilities
organizational personnel with information security responsibilities
Organizational processes for access control to output devices
mechanisms supporting and/or implementing access control to output devices
PE-6: Monitoring Physical Access
Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
Review physical access logs the frequency at which to review physical access logs is defined; and upon occurrence of events or potential indication of events requiring physical access logs to be reviewed are defined; ; and
Coordinate results of reviews and investigations with the organizational incident response capability.
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2 , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.
physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;
physical access logs are reviewed the frequency at which to review physical access logs is defined;;
physical access logs are reviewed upon occurrence of events or potential indication of events requiring physical access logs to be reviewed are defined;;
results of reviews are coordinated with organizational incident response capabilities;
results of investigations are coordinated with organizational incident response capabilities.
Physical and environmental protection policy
procedures addressing physical access monitoring
physical access logs or records
physical access monitoring records
physical access log reviews
system security plan
other relevant documents or records
Organizational personnel with physical access monitoring responsibilities
organizational personnel with incident response responsibilities
organizational personnel with information security responsibilities
Organizational processes for monitoring physical access
mechanisms supporting and/or implementing physical access monitoring
mechanisms supporting and/or implementing the review of physical access logs
PE-6 (1): Intrusion Alarms and Surveillance Equipment
Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.
Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility.
physical access to the facility where the system resides is monitored using physical intrusion alarms;
physical access to the facility where the system resides is monitored using physical surveillance equipment.
Physical and environmental protection policy
procedures addressing physical access monitoring
physical access logs or records
physical access monitoring records
physical access log reviews
system security plan
privacy plan
privacy impact assessment
privacy risk assessment documentation
other relevant documents or records
Organizational personnel with physical access monitoring responsibilities
organizational personnel with incident response responsibilities
organizational personnel with information security and privacy responsibilities
Organizational processes for monitoring physical intrusion alarms and surveillance equipment
mechanisms supporting and/or implementing physical access monitoring
mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment
PE-8: Visitor Access Records
Maintain visitor access records to the facility where the system resides for time period for which to maintain visitor access records for the facility where the system resides is defined;;
Review visitor access records the frequency at which to review visitor access records is defined; ; and
Report anomalies in visitor access records to personnel to whom visitor access records anomalies are reported to is/are defined;.
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.
visitor access records for the facility where the system resides are maintained for time period for which to maintain visitor access records for the facility where the system resides is defined;;
visitor access records are reviewed the frequency at which to review visitor access records is defined;;
visitor access records anomalies are reported to personnel to whom visitor access records anomalies are reported to is/are defined;.
Physical and environmental protection policy
procedures addressing visitor access records
visitor access control logs or records
visitor access record or log reviews
system security plan
privacy plan
privacy impact assessment
privacy risk assessment documentation
other relevant documents or records
Organizational personnel with visitor access record responsibilities
organizational personnel with information security and privacy responsibilities
Organizational processes for maintaining and reviewing visitor access records
mechanisms supporting and/or implementing the maintenance and review of visitor access records
PE-9: Power Equipment and Cabling
Protect power equipment and power cabling for the system from damage and destruction.
Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems.
power equipment for the system is protected from damage and destruction;
power cabling for the system is protected from damage and destruction.
Physical and environmental protection policy
procedures addressing power equipment/cabling protection
facilities housing power equipment/cabling
system security plan
other relevant documents or records
Organizational personnel with the responsibility to protect power equipment/cabling
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing the protection of power equipment/cabling
PE-10: Emergency Shutoff
Provide the capability of shutting off power to system or individual system components that require the capability to shut off power in emergency situations is/are defined; in emergency situations;
Place emergency shutoff switches or devices in location of emergency shutoff switches or devices by system or system component is defined; to facilitate access for authorized personnel; and
Protect emergency power shutoff capability from unauthorized activation.
Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.
the capability to shut off power to system or individual system components that require the capability to shut off power in emergency situations is/are defined; in emergency situations is provided;
emergency shutoff switches or devices are placed in location of emergency shutoff switches or devices by system or system component is defined; to facilitate access for authorized personnel;
the emergency power shutoff capability is protected from unauthorized activation.
Physical and environmental protection policy
procedures addressing power source emergency shutoff
emergency shutoff controls or switches
locations housing emergency shutoff switches and devices
security safeguards protecting the emergency power shutoff capability from unauthorized activation
system security plan
other relevant documents or records
Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing emergency power shutoff
PE-11: Emergency Power
Provide an uninterruptible power supply to facilitate an orderly shutdown of the systemortransition of the system to long-term alternate power in the event of a primary power source loss.
An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system.
an uninterruptible power supply is provided to facilitate an orderly shutdown of the systemortransition of the system to long-term alternate power in the event of a primary power source loss.
Physical and environmental protection policy
procedures addressing emergency power
uninterruptible power supply
uninterruptible power supply documentation
uninterruptible power supply test records
system security plan
other relevant documents or records
Organizational personnel with the responsibility for emergency power and/or planning
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing an uninterruptible power supply
the uninterruptable power supply
PE-12: Emergency Lighting
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.
automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;
automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;
automatic emergency lighting for the system covers emergency exits within the facility;
automatic emergency lighting for the system covers evacuation routes within the facility.
Physical and environmental protection policy
procedures addressing emergency lighting
emergency lighting documentation
emergency lighting test records
emergency exits and evacuation routes
system security plan
other relevant documents or records
Organizational personnel with the responsibility for emergency lighting and/or planning
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing an emergency lighting capability
PE-13: Fire Protection
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.
fire detection systems are employed;
employed fire detection systems are supported by an independent energy source;
employed fire detection systems are maintained;
fire suppression systems are employed;
employed fire suppression systems are supported by an independent energy source;
employed fire suppression systems are maintained.
Physical and environmental protection policy
procedures addressing fire protection
fire suppression and detection devices/systems
fire suppression and detection devices/systems documentation
test records of fire suppression and detection devices/systems
system security plan
other relevant documents or records
Organizational personnel with responsibilities for fire detection and suppression devices/systems
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing fire suppression/detection devices/systems
PE-13 (1): Detection Systems — Automatic Activation and Notification
Employ fire detection systems that activate automatically and notify personnel or roles to be notified in the event of a fire is/are defined; and emergency responders to be notified in the event of a fire are defined; in the event of a fire.
Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.
fire detection systems that activate automatically are employed in the event of a fire;
fire detection systems that notify personnel or roles to be notified in the event of a fire is/are defined; automatically are employed in the event of a fire;
fire detection systems that notify emergency responders to be notified in the event of a fire are defined; automatically are employed in the event of a fire.
Physical and environmental protection policy
procedures addressing fire protection
facility housing the information system
alarm service-level agreements
test records of fire suppression and detection devices/systems
fire suppression and detection devices/systems documentation
alerts/notifications of fire events
system security plan
other relevant documents or records
Organizational personnel with responsibilities for fire detection and suppression devices/systems
organizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing fire detection devices/systems
activation of fire detection devices/systems (simulated)
automated notifications
PE-14: Environmental Controls
Maintain temperature, humidity, pressure, radiation, and/or environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected); levels within the facility where the system resides at acceptable levels for environmental controls are defined; ; and
Monitor environmental control levels frequency at which to monitor environmental control levels is defined;.
The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.
temperature, humidity, pressure, radiation, and/or environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected); levels are maintained at acceptable levels for environmental controls are defined; within the facility where the system resides;
environmental control levels are monitored frequency at which to monitor environmental control levels is defined;.
Physical and environmental protection policy
procedures addressing temperature and humidity control
temperature and humidity controls
facility housing the system
temperature and humidity controls documentation
temperature and humidity records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for system environmental controls
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels
PE-15: Water Damage Protection
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.
the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;
the master shutoff or isolation valves are accessible;
the master shutoff or isolation valves are working properly;
the master shutoff or isolation valves are known to key personnel.
Physical and environmental protection policy
procedures addressing water damage protection
facility housing the system
master shutoff valves
list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system
master shutoff valve documentation
system security plan
other relevant documents or records
Organizational personnel with responsibilities for system environmental controls
organizational personnel with information security responsibilities
Master water-shutoff valves
organizational process for activating master water shutoff
PE-16: Delivery and Removal
Authorize and control organization-defined types of system components entering and exiting the facility; and
Maintain records of the system components.
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
types of system components to be authorized and controlled when entering the facility are defined; are authorized when entering the facility;
types of system components to be authorized and controlled when entering the facility are defined; are controlled when entering the facility;
types of system components to be authorized and controlled when exiting the facility are defined; are authorized when exiting the facility;
types of system components to be authorized and controlled when exiting the facility are defined; are controlled when exiting the facility;
records of the system components are maintained.
Physical and environmental protection policy
procedures addressing the delivery and removal of system components from the facility
facility housing the system
records of items entering and exiting the facility
system security plan
other relevant documents or records
Organizational personnel with responsibilities for controlling system components entering and exiting the facility
organizational personnel with information security responsibilities
Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility
mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility
PE-17: Alternate Work Site
Determine and document the alternate work sites allowed for use by employees are defined; allowed for use by employees;
Employ the following controls at alternate work sites: controls to be employed at alternate work sites are defined;;
Assess the effectiveness of controls at alternate work sites; and
Provide a means for employees to communicate with information security and privacy personnel in case of incidents.
Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.
alternate work sites allowed for use by employees are defined; are determined and documented;
controls to be employed at alternate work sites are defined; are employed at alternate work sites;
the effectiveness of controls at alternate work sites is assessed;
a means for employees to communicate with information security and privacy personnel in case of incidents is provided.
Physical and environmental protection policy
procedures addressing alternate work sites for organizational personnel
list of security controls required for alternate work sites
assessments of security controls at alternate work sites
system security plan
privacy plan
other relevant documents or records
Organizational personnel approving the use of alternate work sites
organizational personnel using alternate work sites
organizational personnel assessing controls at alternate work sites
organizational personnel with information security and privacy responsibilities
Organizational processes for security and privacy at alternate work sites
mechanisms supporting alternate work sites
security and privacy controls employed at alternate work sites
means of communication between personnel at alternate work sites and security and privacy personnel