PE - Physical and Environmental Protection
- Controls Count: 8
- Controls IDs: PE-4, PE-5, PE-6 (1), PE-9, PE-10, PE-11, PE-13 (1), PE-17
Controls
PE-4: Access Control for Transmission
Control physical access to [organization-defined system distribution and transmission lines requiring physical access controls] within organizational facilities using [organization-defined security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility].
Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.
physical access to [organization-defined system distribution and transmission lines requiring physical access controls] within organizational facilities is controlled using [organization-defined security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility].
Physical and environmental protection policy
procedures addressing access control for transmission mediums
system design documentation
facility communications and wiring diagrams
list of physical security safeguards applied to system distribution and transmission lines
system security plan
other relevant documents or records
Organizational personnel with physical access control responsibilities
organizational personnel with information security responsibilities
Organizational processes for access control to distribution and transmission lines
mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines
PE-5: Access Control for Output Devices
Control physical access to output from [organization-defined output devices that require physical access control to output] to prevent unauthorized individuals from obtaining the output.
Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.
physical access to output from [organization-defined output devices that require physical access control to output] is controlled to prevent unauthorized individuals from obtaining the output.
Physical and environmental protection policy
procedures addressing access control for display medium
facility layout of system components
actual displays from system components
list of output devices and associated outputs requiring physical access controls
physical access control logs or records for areas containing output devices and related outputs
system security plan
other relevant documents or records
Organizational personnel with physical access control responsibilities
organizational personnel with information security responsibilities
Organizational processes for access control to output devices
mechanisms supporting and/or implementing access control to output devices
PE-6 (1): Intrusion Alarms and Surveillance Equipment
Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.
Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility.
physical access to the facility where the system resides is monitored using physical intrusion alarms;
physical access to the facility where the system resides is monitored using physical surveillance equipment.
Physical and environmental protection policy
procedures addressing physical access monitoring
physical access logs or records
physical access monitoring records
physical access log reviews
system security plan
privacy plan
privacy impact assessment
privacy risk assessment documentation
other relevant documents or records
Organizational personnel with physical access monitoring responsibilities
organizational personnel with incident response responsibilities
organizational personnel with information security and privacy responsibilities
Organizational processes for monitoring physical intrusion alarms and surveillance equipment
mechanisms supporting and/or implementing physical access monitoring
mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment
PE-9: Power Equipment and Cabling
Protect power equipment and power cabling for the system from damage and destruction.
Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptible power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems.
power equipment for the system is protected from damage and destruction;
power cabling for the system is protected from damage and destruction.
Physical and environmental protection policy
procedures addressing power equipment/cabling protection
facilities housing power equipment/cabling
system security plan
other relevant documents or records
Organizational personnel with the responsibility to protect power equipment/cabling
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing the protection of power equipment/cabling
PE-10: Emergency Shutoff
Provide the capability of shutting off power to [organization-defined system or individual system components that require the capability to shut off power in emergency situations] in emergency situations;
Place emergency shutoff switches or devices in [organization-defined location of emergency shutoff switches or devices by system or system component] to facilitate access for authorized personnel; and
Protect emergency power shutoff capability from unauthorized activation.
Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.
the capability to shut off power to [organization-defined system or individual system components that require the capability to shut off power in emergency situations] in emergency situations is provided;
emergency shutoff switches or devices are placed in [organization-defined location of emergency shutoff switches or devices by system or system component] to facilitate access for authorized personnel;
the emergency power shutoff capability is protected from unauthorized activation.
Physical and environmental protection policy
procedures addressing power source emergency shutoff
emergency shutoff controls or switches
locations housing emergency shutoff switches and devices
security safeguards protecting the emergency power shutoff capability from unauthorized activation
system security plan
other relevant documents or records
Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing emergency power shutoff
PE-11: Emergency Power
Provide an uninterruptible power supply to facilitate an orderly shutdown of the system or transition of the system to long-term alternate power in the event of a primary power source loss.
An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system.
an uninterruptible power supply is provided to facilitate an orderly shutdown of the system or transition of the system to long-term alternate power in the event of a primary power source loss.
Physical and environmental protection policy
procedures addressing emergency power
uninterruptible power supply
uninterruptible power supply documentation
uninterruptible power supply test records
system security plan
other relevant documents or records
Organizational personnel with the responsibility for emergency power and/or planning
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing an uninterruptible power supply
the uninterruptible power supply
PE-13 (1): Detection Systems — Automatic Activation and Notification
Employ fire detection systems that activate automatically and notify [organization-defined personnel or roles to be notified in the event of a fire] and [organization-defined emergency responders to be notified in the event of a fire] in the event of a fire.
Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.
fire detection systems that activate automatically are employed in the event of a fire;
fire detection systems that notify [organization-defined personnel or roles to be notified in the event of a fire] automatically are employed in the event of a fire;
fire detection systems that notify [organization-defined emergency responders to be notified in the event of a fire] automatically are employed in the event of a fire.
Physical and environmental protection policy
procedures addressing fire protection
facility housing the information system
alarm service-level agreements
test records of fire suppression and detection devices/systems
fire suppression and detection devices/systems documentation
alerts/notifications of fire events
system security plan
other relevant documents or records
Organizational personnel with responsibilities for fire detection and suppression devices/systems
organizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing fire detection devices/systems
activation of fire detection devices/systems (simulated)
automated notifications
PE-17: Alternate Work Site
Determine and document the [organization-defined alternate work sites allowed for use by employees] allowed for use by employees;
Employ the following controls at alternate work sites: [organization-defined controls to be employed at alternate work sites];
Assess the effectiveness of controls at alternate work sites; and
Provide a means for employees to communicate with information security and privacy personnel in case of incidents.
Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.
[organization-defined alternate work sites allowed for use by employees] are determined and documented;
[organization-defined controls to be employed at alternate work sites] are employed at alternate work sites;
the effectiveness of controls at alternate work sites is assessed;
a means for employees to communicate with information security and privacy personnel in case of incidents is provided.
Physical and environmental protection policy
procedures addressing alternate work sites for organizational personnel
list of security controls required for alternate work sites
assessments of security controls at alternate work sites
system security plan
privacy plan
other relevant documents or records
Organizational personnel approving the use of alternate work sites
organizational personnel using alternate work sites
organizational personnel assessing controls at alternate work sites
organizational personnel with information security and privacy responsibilities
Organizational processes for security and privacy at alternate work sites
mechanisms supporting alternate work sites
security and privacy controls employed at alternate work sites
means of communication between personnel at alternate work sites and security and privacy personnel