last sync: 2024-Oct-03 17:51:34 UTC

Implement physical security for offices, working areas, and secure areas | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Implement physical security for offices, working areas, and secure areas
Id 05ec66a2-137c-14b8-8e75-3d7a2bef07f8
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0323 - Implement physical security for offices, working areas, and secure areas
Additional metadata Name/Id: CMA_0323 / CMA_0323
Category: Operational
Title: Implement physical security for offices, working areas, and secure areas
Ownership: Customer
Description: Microsoft recommends that your organization design and implement adequate physical security mechanisms and guidelines to protect offices and other working areas based on the criticality of the areas. It is recommended that your organization enforce physical access authorizations to the information system in addition to the physical access controls for the facility at organization-defined physical spaces containing components of the information system. It is recommended that secure areas be supervised by a security officer or team, physically locked, and periodically reviewed. Microsoft recommends that data center and controlled areas are physically secured, and access is restricted to authorized personnel on a need-to-have basis only by using mechanisms such as access control vestibules, card access, biometric systems, or ISO standard locks. It is recommended that entries and exits to secure areas have an audit trail, such as entry and exit logs from a door access system, CCTV footage, and/or a visitor logbook. Microsoft recommends that all visitors are registered, given clear identification, and are always escorted by authorized personnel. Your organization should consider requiring visitors to present two forms of identification from a list of acceptable forms of identification determined by your organization. We recommend that requests for access to data centers by employees, contractors, and third parties to be approved and documented. It is recommended that access rights to data centers and controlled areas are reviewed periodically and access violations are monitored and reported. We recommend that physical access credentials be revoked or disabled promptly when no longer required. It is recommended to have and manage an inventory of security access cards and that damaged or lost cards are invalidated or revoked in the access control system. It is recommended that all access points to controlled areas are fitted with audible intruder alarms that are monitored by authorized security personnel. We recommend that the alarm system is tested regularly and the test documentation is retained. Various regulations recommend that photographic, video, audio or other recording equipment, such as cameras in mobile devices, not be allowed, unless authorized. It is recommended to control physical access to information system devices that display sensitive information and place information system devices in a manner that protects sensitive information from unauthorized access and use. Microsoft recommends that your organization use cable locks on transportable computing devices that handle content (e.g., laptops, tablets, desktops, towers) when they are left unattended. We also recommend considering applying seals or tamper evident stickers on cases used for all workstations and servers that manage content in the production network. Microsoft also recommends that your organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output by implementing appropriate security measures. It is also recommended for your organization to control physical access to organizations information system distribution and transmission lines within organizational facilities by implementing organization-defined security safeguards. In addition to securing physical spaces from unauthorized access, your organization is recommended to be protected from natural disasters. Microsoft recommends that your organization implement fire safety measures including alarms and fire resistant walls/ceilings. Your organization is encouraged to maintain optimal temperature and humidity set-points to facilitate optimal performance of equipment and to reduce the likelihood of hardware failures for areas that house servers, storage devices, LAN equipment, and network communications devices. The New Zealand Information Security Manual (NZISM) requires agencies to provide appropriate security clearances and briefings to all personnel with unescorted access to TOP SECRET areas.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 96 compliance controls are associated with this Policy definition 'Implement physical security for offices, working areas, and secure areas' (05ec66a2-137c-14b8-8e75-3d7a2bef07f8)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PE-13 FedRAMP_High_R4_PE-13 FedRAMP High PE-13 Physical And Environmental Protection Fire Protection Shared n/a The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors. References: None. link 1
FedRAMP_High_R4 PE-13(1) FedRAMP_High_R4_PE-13(1) FedRAMP High PE-13 (1) Physical And Environmental Protection Detection Devices / Systems Shared n/a The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. link 3
FedRAMP_High_R4 PE-13(2) FedRAMP_High_R4_PE-13(2) FedRAMP High PE-13 (2) Physical And Environmental Protection Suppression Devices / Systems Shared n/a The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. link 1
FedRAMP_High_R4 PE-13(3) FedRAMP_High_R4_PE-13(3) FedRAMP High PE-13 (3) Physical And Environmental Protection Automatic Fire Suppression Shared n/a The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. link 1
FedRAMP_High_R4 PE-14 FedRAMP_High_R4_PE-14 FedRAMP High PE-14 Physical And Environmental Protection Temperature And Humidity Controls Shared n/a The organization: a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b. Monitors temperature and humidity levels [Assignment: organization-defined frequency]. Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. References: None. link 1
FedRAMP_High_R4 PE-14(2) FedRAMP_High_R4_PE-14(2) FedRAMP High PE-14 (2) Physical And Environmental Protection Monitoring With Alarms / Notifications Shared n/a The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. link 2
FedRAMP_High_R4 PE-15 FedRAMP_High_R4_PE-15 FedRAMP High PE-15 Physical And Environmental Protection Water Damage Protection Shared n/a The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3. References: None. link 1
FedRAMP_High_R4 PE-18 FedRAMP_High_R4_PE-18 FedRAMP High PE-18 Physical And Environmental Protection Location Of Information System Components Shared n/a The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3. References: None. link 1
FedRAMP_High_R4 PE-3 FedRAMP_High_R4_PE-3 FedRAMP High PE-3 Physical And Environmental Protection Physical Access Control Shared n/a The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. Supplemental Guidance: Related controls: CA-2, CA-7. link 4
FedRAMP_High_R4 PE-4 FedRAMP_High_R4_PE-4 FedRAMP High PE-4 Physical And Environmental Protection Access Control For Transmission Medium Shared n/a The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. Control Enhancements: None. References: NSTISSI No. 7003. link 2
FedRAMP_High_R4 PE-5 FedRAMP_High_R4_PE-5 FedRAMP High PE-5 Physical And Environmental Protection Access Control For Output Devices Shared n/a The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. References: None. link 3
FedRAMP_High_R4 PE-8 FedRAMP_High_R4_PE-8 FedRAMP High PE-8 Physical And Environmental Protection Visitor Access Records Shared n/a The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency]. Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. References: None. link 2
FedRAMP_Moderate_R4 PE-13 FedRAMP_Moderate_R4_PE-13 FedRAMP Moderate PE-13 Physical And Environmental Protection Fire Protection Shared n/a The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors. References: None. link 1
FedRAMP_Moderate_R4 PE-13(2) FedRAMP_Moderate_R4_PE-13(2) FedRAMP Moderate PE-13 (2) Physical And Environmental Protection Suppression Devices / Systems Shared n/a The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. link 1
FedRAMP_Moderate_R4 PE-13(3) FedRAMP_Moderate_R4_PE-13(3) FedRAMP Moderate PE-13 (3) Physical And Environmental Protection Automatic Fire Suppression Shared n/a The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. link 1
FedRAMP_Moderate_R4 PE-14 FedRAMP_Moderate_R4_PE-14 FedRAMP Moderate PE-14 Physical And Environmental Protection Temperature And Humidity Controls Shared n/a The organization: a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b. Monitors temperature and humidity levels [Assignment: organization-defined frequency]. Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. References: None. link 1
FedRAMP_Moderate_R4 PE-14(2) FedRAMP_Moderate_R4_PE-14(2) FedRAMP Moderate PE-14 (2) Physical And Environmental Protection Monitoring With Alarms / Notifications Shared n/a The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. link 2
FedRAMP_Moderate_R4 PE-15 FedRAMP_Moderate_R4_PE-15 FedRAMP Moderate PE-15 Physical And Environmental Protection Water Damage Protection Shared n/a The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3. References: None. link 1
FedRAMP_Moderate_R4 PE-3 FedRAMP_Moderate_R4_PE-3 FedRAMP Moderate PE-3 Physical And Environmental Protection Physical Access Control Shared n/a The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. Supplemental Guidance: Related controls: CA-2, CA-7. link 4
FedRAMP_Moderate_R4 PE-4 FedRAMP_Moderate_R4_PE-4 FedRAMP Moderate PE-4 Physical And Environmental Protection Access Control For Transmission Medium Shared n/a The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. Control Enhancements: None. References: NSTISSI No. 7003. link 2
FedRAMP_Moderate_R4 PE-5 FedRAMP_Moderate_R4_PE-5 FedRAMP Moderate PE-5 Physical And Environmental Protection Access Control For Output Devices Shared n/a The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. References: None. link 3
FedRAMP_Moderate_R4 PE-8 FedRAMP_Moderate_R4_PE-8 FedRAMP Moderate PE-8 Physical And Environmental Protection Visitor Access Records Shared n/a The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency]. Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. References: None. link 2
hipaa 0408.01y3Organizational.12-01.y hipaa-0408.01y3Organizational.12-01.y 0408.01y3Organizational.12-01.y 04 Mobile Device Security 0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking Shared n/a Prior to authorizing teleworking, (i) the organization provides a definition of the work permitted, standard operating hours, classification of information that may be held/stored, and the internal systems and services that the teleworker is authorized to access; (ii) suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment not under the control of the organization is forbidden; (iii) suitable communications equipment, including methods for securing remote access; (iv) rules and guidance on family and visitor access to equipment and information; (v) hardware and software support and maintenance; (vi) procedures for back-up and business continuity; (vii) a means for teleworkers to communicate with information security personnel in case of security incidents or problems; and, (viii) audit and security monitoring. 5
hipaa 11190.01t1Organizational.3-01.t hipaa-11190.01t1Organizational.3-01.t 11190.01t1Organizational.3-01.t 11 Access Control 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control Shared n/a Bring your own device (BYOD) and/or company-owned devices are configured to require an automatic lockout screen, and the requirement is enforced through technical controls. 5
hipaa 1192.01l1Organizational.1-01.l hipaa-1192.01l1Organizational.1-01.l 1192.01l1Organizational.1-01.l 11 Access Control 1192.01l1Organizational.1-01.l 01.04 Network Access Control Shared n/a Access to network equipment is physically protected. 5
hipaa 1193.01l2Organizational.13-01.l hipaa-1193.01l2Organizational.13-01.l 1193.01l2Organizational.13-01.l 11 Access Control 1193.01l2Organizational.13-01.l 01.04 Network Access Control Shared n/a Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port. 5
hipaa 1801.08b1Organizational.124-08.b hipaa-1801.08b1Organizational.124-08.b 1801.08b1Organizational.124-08.b 18 Physical & Environmental Security 1801.08b1Organizational.124-08.b 08.01 Secure Areas Shared n/a Visitor and third-party support access is recorded and supervised unless previously approved. 3
hipaa 1804.08b2Organizational.12-08.b hipaa-1804.08b2Organizational.12-08.b 1804.08b2Organizational.12-08.b 18 Physical & Environmental Security 1804.08b2Organizational.12-08.b 08.01 Secure Areas Shared n/a A visitor log containing appropriate information is reviewed monthly and maintained for at least two years. 2
hipaa 1808.08b2Organizational.7-08.b hipaa-1808.08b2Organizational.7-08.b 1808.08b2Organizational.7-08.b 18 Physical & Environmental Security 1808.08b2Organizational.7-08.b 08.01 Secure Areas Shared n/a Physical access rights are reviewed every 90 days and updated accordingly. 7
hipaa 1811.08b3Organizational.3-08.b hipaa-1811.08b3Organizational.3-08.b 1811.08b3Organizational.3-08.b 18 Physical & Environmental Security 1811.08b3Organizational.3-08.b 08.01 Secure Areas Shared n/a Combinations and keys for organization-defined high-risk entry/exit points are changed when lost or stolen or combinations are compromised. 4
hipaa 1813.08b3Organizational.56-08.b hipaa-1813.08b3Organizational.56-08.b 1813.08b3Organizational.56-08.b 18 Physical & Environmental Security 1813.08b3Organizational.56-08.b 08.01 Secure Areas Shared n/a The organization actively monitors unoccupied areas at all times and sensitive and/or restricted areas in real time as appropriate for the area. 4
hipaa 1814.08d1Organizational.12-08.d hipaa-1814.08d1Organizational.12-08.d 1814.08d1Organizational.12-08.d 18 Physical & Environmental Security 1814.08d1Organizational.12-08.d 08.01 Secure Areas Shared n/a Fire extinguishers and detectors are installed according to applicable laws and regulations. 3
hipaa 18146.08b3Organizational.8-08.b hipaa-18146.08b3Organizational.8-08.b 18146.08b3Organizational.8-08.b 18 Physical & Environmental Security 18146.08b3Organizational.8-08.b 08.01 Secure Areas Shared n/a The organization maintains an electronic log of alarm system events and regularly reviews the logs, no less than monthly. 4
hipaa 1815.08d2Organizational.123-08.d hipaa-1815.08d2Organizational.123-08.d 1815.08d2Organizational.123-08.d 18 Physical & Environmental Security 1815.08d2Organizational.123-08.d 08.01 Secure Areas Shared n/a Fire prevention and suppression mechanisms, including workforce training, are provided. 3
hipaa 1817.08d3Organizational.12-08.d hipaa-1817.08d3Organizational.12-08.d 1817.08d3Organizational.12-08.d 18 Physical & Environmental Security 1817.08d3Organizational.12-08.d 08.01 Secure Areas Shared n/a Water detection mechanisms are in place with master shutoff or isolation valves accessible, working and known. 1
hipaa 1818.08d3Organizational.3-08.d hipaa-1818.08d3Organizational.3-08.d 1818.08d3Organizational.3-08.d 18 Physical & Environmental Security 1818.08d3Organizational.3-08.d 08.01 Secure Areas Shared n/a Fire suppression and detection systems are supported by an independent energy source. 3
hipaa 1845.08b1Organizational.7-08.b hipaa-1845.08b1Organizational.7-08.b 1845.08b1Organizational.7-08.b 18 Physical & Environmental Security 1845.08b1Organizational.7-08.b 08.01 Secure Areas Shared n/a For facilities where the information system resides, the organization enforces physical access authorizations at defined entry/exit points to the facility where the information system resides, maintains physical access audit logs, and provides security safeguards that the organization determines necessary for areas officially designated as publicly accessible. 4
hipaa 1846.08b2Organizational.8-08.b hipaa-1846.08b2Organizational.8-08.b 1846.08b2Organizational.8-08.b 18 Physical & Environmental Security 1846.08b2Organizational.8-08.b 08.01 Secure Areas Shared n/a Visitors are only granted access for specific and authorized purposes and issued with instructions on the security requirements of the area and on emergency procedures. 1
ISO27001-2013 A.11.1.1 ISO27001-2013_A.11.1.1 ISO 27001:2013 A.11.1.1 Physical And Environmental Security Physical security perimeter Shared n/a Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. link 8
ISO27001-2013 A.11.1.2 ISO27001-2013_A.11.1.2 ISO 27001:2013 A.11.1.2 Physical And Environmental Security Physical entry controls Shared n/a Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. link 9
ISO27001-2013 A.11.1.3 ISO27001-2013_A.11.1.3 ISO 27001:2013 A.11.1.3 Physical And Environmental Security Securing offices, rooms and facilities Shared n/a Physical security for offices, rooms and facilities shall be designed and applied. link 5
ISO27001-2013 A.11.1.4 ISO27001-2013_A.11.1.4 ISO 27001:2013 A.11.1.4 Physical And Environmental Security Protecting against external and environmental threats Shared n/a Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. link 9
ISO27001-2013 A.11.2.1 ISO27001-2013_A.11.2.1 ISO 27001:2013 A.11.2.1 Physical And Environmental Security Equipment sitting and protection Shared n/a Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. link 1
ISO27001-2013 A.11.2.2 ISO27001-2013_A.11.2.2 ISO 27001:2013 A.11.2.2 Physical And Environmental Security Supporting utilities Shared n/a Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. link 3
ISO27001-2013 A.11.2.3 ISO27001-2013_A.11.2.3 ISO 27001:2013 A.11.2.3 Physical And Environmental Security Cabling security Shared n/a Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. link 4
ISO27001-2013 A.12.1.2 ISO27001-2013_A.12.1.2 ISO 27001:2013 A.12.1.2 Operations Security Change management Shared n/a Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. link 27
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
mp.eq.1 Clear desk mp.eq.1 Clear desk 404 not found n/a n/a 19
mp.eq.2 User session lockout mp.eq.2 User session lockout 404 not found n/a n/a 29
mp.if.1 Separate areas with access control mp.if.1 Separate areas with access control 404 not found n/a n/a 23
mp.if.2 Identification of persons mp.if.2 Identification of persons 404 not found n/a n/a 13
mp.if.3 Fitting-out of premises mp.if.3 Fitting-out of premises 404 not found n/a n/a 18
mp.if.4 Electrical energy mp.if.4 Electrical energy 404 not found n/a n/a 8
mp.if.5 Fire protection mp.if.5 Fire protection 404 not found n/a n/a 16
mp.if.6 Flood protection mp.if.6 Flood protection 404 not found n/a n/a 16
mp.if.7 Recording of entries and exits of equipment mp.if.7 Recording of entries and exits of equipment 404 not found n/a n/a 12
mp.si.4 Transport mp.si.4 Transport 404 not found n/a n/a 24
NIST_SP_800-171_R2_3 .10.3 NIST_SP_800-171_R2_3.10.3 NIST SP 800-171 R2 3.10.3 Physical Protection Escort visitors and monitor visitor activity. Shared Microsoft is responsible for implementing this requirement. Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity. link 2
NIST_SP_800-171_R2_3 .10.5 NIST_SP_800-171_R2_3.10.5 NIST SP 800-171 R2 3.10.5 Physical Protection Control and manage physical access devices. Shared Microsoft is responsible for implementing this requirement. Physical access devices include keys, locks, combinations, and card readers. link 4
NIST_SP_800-53_R4 PE-13 NIST_SP_800-53_R4_PE-13 NIST SP 800-53 Rev. 4 PE-13 Physical And Environmental Protection Fire Protection Shared n/a The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors. References: None. link 1
NIST_SP_800-53_R4 PE-13(1) NIST_SP_800-53_R4_PE-13(1) NIST SP 800-53 Rev. 4 PE-13 (1) Physical And Environmental Protection Detection Devices / Systems Shared n/a The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. link 3
NIST_SP_800-53_R4 PE-13(2) NIST_SP_800-53_R4_PE-13(2) NIST SP 800-53 Rev. 4 PE-13 (2) Physical And Environmental Protection Suppression Devices / Systems Shared n/a The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. link 1
NIST_SP_800-53_R4 PE-13(3) NIST_SP_800-53_R4_PE-13(3) NIST SP 800-53 Rev. 4 PE-13 (3) Physical And Environmental Protection Automatic Fire Suppression Shared n/a The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. link 1
NIST_SP_800-53_R4 PE-14 NIST_SP_800-53_R4_PE-14 NIST SP 800-53 Rev. 4 PE-14 Physical And Environmental Protection Temperature And Humidity Controls Shared n/a The organization: a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b. Monitors temperature and humidity levels [Assignment: organization-defined frequency]. Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. References: None. link 1
NIST_SP_800-53_R4 PE-14(2) NIST_SP_800-53_R4_PE-14(2) NIST SP 800-53 Rev. 4 PE-14 (2) Physical And Environmental Protection Monitoring With Alarms / Notifications Shared n/a The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. link 2
NIST_SP_800-53_R4 PE-15 NIST_SP_800-53_R4_PE-15 NIST SP 800-53 Rev. 4 PE-15 Physical And Environmental Protection Water Damage Protection Shared n/a The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3. References: None. link 1
NIST_SP_800-53_R4 PE-18 NIST_SP_800-53_R4_PE-18 NIST SP 800-53 Rev. 4 PE-18 Physical And Environmental Protection Location Of Information System Components Shared n/a The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3. References: None. link 1
NIST_SP_800-53_R4 PE-3 NIST_SP_800-53_R4_PE-3 NIST SP 800-53 Rev. 4 PE-3 Physical And Environmental Protection Physical Access Control Shared n/a The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. Supplemental Guidance: Related controls: CA-2, CA-7. link 4
NIST_SP_800-53_R4 PE-4 NIST_SP_800-53_R4_PE-4 NIST SP 800-53 Rev. 4 PE-4 Physical And Environmental Protection Access Control For Transmission Medium Shared n/a The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. Control Enhancements: None. References: NSTISSI No. 7003. link 2
NIST_SP_800-53_R4 PE-5 NIST_SP_800-53_R4_PE-5 NIST SP 800-53 Rev. 4 PE-5 Physical And Environmental Protection Access Control For Output Devices Shared n/a The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. References: None. link 3
NIST_SP_800-53_R4 PE-8 NIST_SP_800-53_R4_PE-8 NIST SP 800-53 Rev. 4 PE-8 Physical And Environmental Protection Visitor Access Records Shared n/a The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency]. Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. References: None. link 2
NIST_SP_800-53_R5 PE-13 NIST_SP_800-53_R5_PE-13 NIST SP 800-53 Rev. 5 PE-13 Physical and Environmental Protection Fire Protection Shared n/a Employ and maintain fire detection and suppression systems that are supported by an independent energy source. link 1
NIST_SP_800-53_R5 PE-13(1) NIST_SP_800-53_R5_PE-13(1) NIST SP 800-53 Rev. 5 PE-13 (1) Physical and Environmental Protection Detection Systems ??? Automatic Activation and Notification Shared n/a Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. link 3
NIST_SP_800-53_R5 PE-13(2) NIST_SP_800-53_R5_PE-13(2) NIST SP 800-53 Rev. 5 PE-13 (2) Physical and Environmental Protection Suppression Systems ??? Automatic Activation and Notification Shared n/a (a) Employ fire suppression systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]; and (b) Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis. link 1
NIST_SP_800-53_R5 PE-14 NIST_SP_800-53_R5_PE-14 NIST SP 800-53 Rev. 5 PE-14 Physical and Environmental Protection Environmental Controls Shared n/a a. Maintain [Selection (OneOrMore): temperature;humidity;pressure;radiation; [Assignment: organization-defined environmental control] ] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and b. Monitor environmental control levels [Assignment: organization-defined frequency]. link 1
NIST_SP_800-53_R5 PE-14(2) NIST_SP_800-53_R5_PE-14(2) NIST SP 800-53 Rev. 5 PE-14 (2) Physical and Environmental Protection Monitoring with Alarms and Notifications Shared n/a Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles]. link 2
NIST_SP_800-53_R5 PE-15 NIST_SP_800-53_R5_PE-15 NIST SP 800-53 Rev. 5 PE-15 Physical and Environmental Protection Water Damage Protection Shared n/a Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. link 1
NIST_SP_800-53_R5 PE-18 NIST_SP_800-53_R5_PE-18 NIST SP 800-53 Rev. 5 PE-18 Physical and Environmental Protection Location of System Components Shared n/a Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. link 1
NIST_SP_800-53_R5 PE-3 NIST_SP_800-53_R5_PE-3 NIST SP 800-53 Rev. 5 PE-3 Physical and Environmental Protection Physical Access Control Shared n/a a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by: 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress and egress to the facility using [Selection (OneOrMore): [Assignment: organization-defined physical access control systems or devices] ;guards] ; b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points]; c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls]; d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity]; e. Secure keys, combinations, and other physical access devices; f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. link 4
NIST_SP_800-53_R5 PE-4 NIST_SP_800-53_R5_PE-4 NIST SP 800-53 Rev. 5 PE-4 Physical and Environmental Protection Access Control for Transmission Shared n/a Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls]. link 2
NIST_SP_800-53_R5 PE-5 NIST_SP_800-53_R5_PE-5 NIST SP 800-53 Rev. 5 PE-5 Physical and Environmental Protection Access Control for Output Devices Shared n/a Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. link 3
NIST_SP_800-53_R5 PE-8 NIST_SP_800-53_R5_PE-8 NIST SP 800-53 Rev. 5 PE-8 Physical and Environmental Protection Visitor Access Records Shared n/a a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period]; b. Review visitor access records [Assignment: organization-defined frequency]; and c. Report anomalies in visitor access records to [Assignment: organization-defined personnel]. link 2
op.exp.4 Security maintenance and updates op.exp.4 Security maintenance and updates 404 not found n/a n/a 78
op.exp.5 Change management op.exp.5 Change management 404 not found n/a n/a 71
PCI_DSS_v4.0 9.2.3 PCI_DSS_v4.0_9.2.3 PCI DSS v4.0 9.2.3 Requirement 09: Restrict Physical Access to Cardholder Data Physical access controls manage entry into facilities and systems containing cardholder data Shared n/a Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. link 2
PCI_DSS_v4.0 9.2.4 PCI_DSS_v4.0_9.2.4 PCI DSS v4.0 9.2.4 Requirement 09: Restrict Physical Access to Cardholder Data Physical access controls manage entry into facilities and systems containing cardholder data Shared n/a Access to consoles in sensitive areas is restricted via locking when not in use. link 2
PCI_DSS_v4.0 9.3.2 PCI_DSS_v4.0_9.3.2 PCI DSS v4.0 9.3.2 Requirement 09: Restrict Physical Access to Cardholder Data Physical access for personnel and visitors is authorized and managed Shared n/a Procedures are implemented for authorizing and managing visitor access to the CDE, including: • Visitors are authorized before entering. • Visitors are escorted at all times. • Visitors are clearly identified and given a badge or other identification that expires. • Visitor badges or other identification visibly distinguishes visitors from personnel. link 2
PCI_DSS_v4.0 9.3.3 PCI_DSS_v4.0_9.3.3 PCI DSS v4.0 9.3.3 Requirement 09: Restrict Physical Access to Cardholder Data Physical access for personnel and visitors is authorized and managed Shared n/a Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration. link 2
PCI_DSS_v4.0 9.3.4 PCI_DSS_v4.0_9.3.4 PCI DSS v4.0 9.3.4 Requirement 09: Restrict Physical Access to Cardholder Data Physical access for personnel and visitors is authorized and managed Shared n/a A visitor log is used to maintain a physical record of visitor activity within the facility and within sensitive areas, including: • The visitor’s name and the organization represented. • The date and time of the visit. • The name of the personnel authorizing physical access. • Retaining the log for at least three months, unless otherwise restricted by law. link 2
PCI_DSS_v4.0 9.5.1 PCI_DSS_v4.0_9.5.1 PCI DSS v4.0 9.5.1 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following: • Maintaining a list of POI devices. • Periodically inspecting POI devices to look for tampering or unauthorized substitution. • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. link 3
PCI_DSS_v4.0 9.5.1.2 PCI_DSS_v4.0_9.5.1.2 PCI DSS v4.0 9.5.1.2 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. link 3
PCI_DSS_v4.0 9.5.1.2.1 PCI_DSS_v4.0_9.5.1.2.1 PCI DSS v4.0 9.5.1.2.1 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. link 3
SOC_2 A1.2 SOC_2_A1.2 SOC 2 Type 2 A1.2 Additional Criteria For Availability Environmental protections, software, data back-up processes, and recovery infrastructure Shared The customer is responsible for implementing this recommendation. Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. 13
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 78
SWIFT_CSCF_v2022 3.1 SWIFT_CSCF_v2022_3.1 SWIFT CSCF v2022 3.1 3. Physically Secure the Environment Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. Shared n/a Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage. link 8
SWIFT_CSCF_v2022 9.3 SWIFT_CSCF_v2022_9.3 SWIFT CSCF v2022 9.3 9. Ensure Availability through Resilience Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. Shared n/a Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. link 7
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 05ec66a2-137c-14b8-8e75-3d7a2bef07f8
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC