last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Control physical access

Name: Control physical access
Id: 55a7f9a0-6397-7589-05ef-5ed59a8149e7
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0081 - Control physical access
Mode: All
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default = Manual; Allowed = Manual, Disabled
RBAC Role(s): none
Rule Aliases:
Rule ResourceTypes: IF (1) Microsoft.Resources/subscriptions
Compliance The following 75 compliance controls are associated with this Policy definition 'Control physical access' (55a7f9a0-6397-7589-05ef-5ed59a8149e7)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.3.0 7.1 CIS_Azure_1.3.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure Virtual Machines are utilizing Managed Disks Shared The customer is responsible for implementing this recommendation. Migrate BLOB-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include 1) Default Disk Encryption 2) Resilience, as Microsoft will manage the disk storage and move it around if the underlying hardware goes faulty 3) Reduction of costs over storage accounts link 4
CIS_Azure_1.4.0 7.1 CIS_Azure_1.4.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure Virtual Machines are utilizing Managed Disks Shared The customer is responsible for implementing this recommendation. Migrate BLOB-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include 1) Default Disk Encryption 2) Resilience, as Microsoft will manage the disk storage and move it around if the underlying hardware goes faulty 3) Reduction of costs over storage accounts link 4
FedRAMP_High_R4 PE-2 FedRAMP_High_R4_PE-2 FedRAMP High PE-2 Physical And Environmental Protection Physical Access Authorizations Shared n/a The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. References: None link 1
FedRAMP_High_R4 PE-3 FedRAMP_High_R4_PE-3 FedRAMP High PE-3 Physical And Environmental Protection Physical Access Control Shared n/a The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. Supplemental Guidance: Related controls: CA-2, CA-7. link 4
FedRAMP_High_R4 PE-4 FedRAMP_High_R4_PE-4 FedRAMP High PE-4 Physical And Environmental Protection Access Control For Transmission Medium Shared n/a The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. Control Enhancements: None. References: NSTISSI No. 7003. link 2
FedRAMP_High_R4 PE-5 FedRAMP_High_R4_PE-5 FedRAMP High PE-5 Physical And Environmental Protection Access Control For Output Devices Shared n/a The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. References: None. link 3
FedRAMP_High_R4 PE-8 FedRAMP_High_R4_PE-8 FedRAMP High PE-8 Physical And Environmental Protection Visitor Access Records Shared n/a The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency]. Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. References: None. link 2
FedRAMP_High_R4 SI-12 FedRAMP_High_R4_SI-12 FedRAMP High SI-12 System And Information Integrity Information Handling And Retention Shared n/a The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. Control Enhancements: None. References: None. link 3
FedRAMP_Moderate_R4 PE-2 FedRAMP_Moderate_R4_PE-2 FedRAMP Moderate PE-2 Physical And Environmental Protection Physical Access Authorizations Shared n/a The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. References: None link 1
FedRAMP_Moderate_R4 PE-3 FedRAMP_Moderate_R4_PE-3 FedRAMP Moderate PE-3 Physical And Environmental Protection Physical Access Control Shared n/a The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. Supplemental Guidance: Related controls: CA-2, CA-7. link 4
FedRAMP_Moderate_R4 PE-4 FedRAMP_Moderate_R4_PE-4 FedRAMP Moderate PE-4 Physical And Environmental Protection Access Control For Transmission Medium Shared n/a The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. Control Enhancements: None. References: NSTISSI No. 7003. link 2
FedRAMP_Moderate_R4 PE-5 FedRAMP_Moderate_R4_PE-5 FedRAMP Moderate PE-5 Physical And Environmental Protection Access Control For Output Devices Shared n/a The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. References: None. link 3
FedRAMP_Moderate_R4 PE-8 FedRAMP_Moderate_R4_PE-8 FedRAMP Moderate PE-8 Physical And Environmental Protection Visitor Access Records Shared n/a The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency]. Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. References: None. link 2
FedRAMP_Moderate_R4 SI-12 FedRAMP_Moderate_R4_SI-12 FedRAMP Moderate SI-12 System And Information Integrity Information Handling And Retention Shared n/a The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. Control Enhancements: None. References: None. link 3
hipaa 11190.01t1Organizational.3-01.t hipaa-11190.01t1Organizational.3-01.t 11190.01t1Organizational.3-01.t 11 Access Control 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control Shared n/a Bring your own device (BYOD) and/or company-owned devices are configured to require an automatic lockout screen, and the requirement is enforced through technical controls. 5
hipaa 1192.01l1Organizational.1-01.l hipaa-1192.01l1Organizational.1-01.l 1192.01l1Organizational.1-01.l 11 Access Control 1192.01l1Organizational.1-01.l 01.04 Network Access Control Shared n/a Access to network equipment is physically protected. 5
hipaa 1193.01l2Organizational.13-01.l hipaa-1193.01l2Organizational.13-01.l 1193.01l2Organizational.13-01.l 11 Access Control 1193.01l2Organizational.13-01.l 01.04 Network Access Control Shared n/a Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port. 5
hipaa 1801.08b1Organizational.124-08.b hipaa-1801.08b1Organizational.124-08.b 1801.08b1Organizational.124-08.b 18 Physical & Environmental Security 1801.08b1Organizational.124-08.b 08.01 Secure Areas Shared n/a Visitor and third-party support access is recorded and supervised unless previously approved. 3
hipaa 1802.08b1Organizational.3-08.b hipaa-1802.08b1Organizational.3-08.b 1802.08b1Organizational.3-08.b 18 Physical & Environmental Security 1802.08b1Organizational.3-08.b 08.01 Secure Areas Shared n/a Areas where sensitive information (e.g., covered information, payment card data) is stored or processed are controlled and restricted to authorized individuals only. 1
hipaa 1804.08b2Organizational.12-08.b hipaa-1804.08b2Organizational.12-08.b 1804.08b2Organizational.12-08.b 18 Physical & Environmental Security 1804.08b2Organizational.12-08.b 08.01 Secure Areas Shared n/a A visitor log containing appropriate information is reviewed monthly and maintained for at least two years. 2
hipaa 1805.08b2Organizational.3-08.b hipaa-1805.08b2Organizational.3-08.b 1805.08b2Organizational.3-08.b 18 Physical & Environmental Security 1805.08b2Organizational.3-08.b 08.01 Secure Areas Shared n/a Physical authentication controls are used to authorize and validate access. 1
hipaa 1806.08b2Organizational.4-08.b hipaa-1806.08b2Organizational.4-08.b 1806.08b2Organizational.4-08.b 18 Physical & Environmental Security 1806.08b2Organizational.4-08.b 08.01 Secure Areas Shared n/a An audit trail of all physical access is maintained. 1
hipaa 1807.08b2Organizational.56-08.b hipaa-1807.08b2Organizational.56-08.b 1807.08b2Organizational.56-08.b 18 Physical & Environmental Security 1807.08b2Organizational.56-08.b 08.01 Secure Areas Shared n/a Visible identification that clearly identifies the individual is required to be worn by employees, visitors, contractors and third-parties. 1
hipaa 1808.08b2Organizational.7-08.b hipaa-1808.08b2Organizational.7-08.b 1808.08b2Organizational.7-08.b 18 Physical & Environmental Security 1808.08b2Organizational.7-08.b 08.01 Secure Areas Shared n/a Physical access rights are reviewed every 90 days and updated accordingly. 7
hipaa 1810.08b3Organizational.2-08.b hipaa-1810.08b3Organizational.2-08.b 1810.08b3Organizational.2-08.b 18 Physical & Environmental Security 1810.08b3Organizational.2-08.b 08.01 Secure Areas Shared n/a Inventories of physical access devices are performed every 90 days. 1
hipaa 1811.08b3Organizational.3-08.b hipaa-1811.08b3Organizational.3-08.b 1811.08b3Organizational.3-08.b 18 Physical & Environmental Security 1811.08b3Organizational.3-08.b 08.01 Secure Areas Shared n/a Combinations and keys for organization-defined high-risk entry/exit points are changed when lost or stolen or combinations are compromised. 4
hipaa 1813.08b3Organizational.56-08.b hipaa-1813.08b3Organizational.56-08.b 1813.08b3Organizational.56-08.b 18 Physical & Environmental Security 1813.08b3Organizational.56-08.b 08.01 Secure Areas Shared n/a The organization actively monitors unoccupied areas at all times and sensitive and/or restricted areas in real time as appropriate for the area. 4
hipaa 18146.08b3Organizational.8-08.b hipaa-18146.08b3Organizational.8-08.b 18146.08b3Organizational.8-08.b 18 Physical & Environmental Security 18146.08b3Organizational.8-08.b 08.01 Secure Areas Shared n/a The organization maintains an electronic log of alarm system events and regularly reviews the logs, no less than monthly. 4
hipaa 1844.08b1Organizational.6-08.b hipaa-1844.08b1Organizational.6-08.b 1844.08b1Organizational.6-08.b 18 Physical & Environmental Security 1844.08b1Organizational.6-08.b 08.01 Secure Areas Shared n/a The organization develops, approves and maintains a list of individuals with authorized access to the facility where the information system resides; issues authorization credentials for facility access; reviews the access list and authorization credentials periodically but no less than quarterly; and removes individuals from the facility access list when access is no longer required. 1
hipaa 1845.08b1Organizational.7-08.b hipaa-1845.08b1Organizational.7-08.b 1845.08b1Organizational.7-08.b 18 Physical & Environmental Security 1845.08b1Organizational.7-08.b 08.01 Secure Areas Shared n/a For facilities where the information system resides, the organization enforces physical access authorizations at defined entry/exit points to the facility where the information system resides, maintains physical access audit logs, and provides security safeguards that the organization determines necessary for areas officially designated as publicly accessible. 4
ISO27001-2013 A.11.1.1 ISO27001-2013_A.11.1.1 ISO 27001:2013 A.11.1.1 Physical And Environmental Security Physical security perimeter Shared n/a Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. link 8
ISO27001-2013 A.11.1.2 ISO27001-2013_A.11.1.2 ISO 27001:2013 A.11.1.2 Physical And Environmental Security Physical entry controls Shared n/a Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. link 9
ISO27001-2013 A.11.1.3 ISO27001-2013_A.11.1.3 ISO 27001:2013 A.11.1.3 Physical And Environmental Security Securing offices, rooms and facilities Shared n/a Physical security for offices, rooms and facilities shall be designed and applied. link 5
ISO27001-2013 A.11.2.3 ISO27001-2013_A.11.2.3 ISO 27001:2013 A.11.2.3 Physical And Environmental Security Cabling security Shared n/a Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. link 4
ISO27001-2013 A.18.1.3 ISO27001-2013_A.18.1.3 ISO 27001:2013 A.18.1.3 Compliance Protection of records Shared n/a Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. link 15
ISO27001-2013 A.18.1.4 ISO27001-2013_A.18.1.4 ISO 27001:2013 A.18.1.4 Compliance Privacy and protection of personally identifiable information Shared n/a Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. link 6
ISO27001-2013 A.8.2.2 ISO27001-2013_A.8.2.2 ISO 27001:2013 A.8.2.2 Asset Management Labelling of information Shared n/a An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 4
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
NIST_SP_800-171_R2 3.10.1 NIST_SP_800-171_R2_3.10.1 NIST SP 800-171 R2 3.10.1 Physical Protection Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. Shared Microsoft is responsible for implementing this requirement. This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have not been designated as publicly accessible. Limiting physical access to equipment may include placing equipment in locked rooms or other secured areas and allowing access to authorized individuals only; and placing equipment in locations that can be monitored by organizational personnel. Computing devices, external disk drives, networking devices, monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of equipment. link 1
NIST_SP_800-171_R2 3.10.3 NIST_SP_800-171_R2_3.10.3 NIST SP 800-171 R2 3.10.3 Physical Protection Escort visitors and monitor visitor activity. Shared Microsoft is responsible for implementing this requirement. Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity. link 2
NIST_SP_800-171_R2 3.10.4 NIST_SP_800-171_R2_3.10.4 NIST SP 800-171 R2 3.10.4 Physical Protection Maintain audit logs of physical access. Shared Microsoft is responsible for implementing this requirement. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices. link 1
NIST_SP_800-171_R2 3.10.5 NIST_SP_800-171_R2_3.10.5 NIST SP 800-171 R2 3.10.5 Physical Protection Control and manage physical access devices. Shared Microsoft is responsible for implementing this requirement. Physical access devices include keys, locks, combinations, and card readers. link 4
NIST_SP_800-53_R4 PE-2 NIST_SP_800-53_R4_PE-2 NIST SP 800-53 Rev. 4 PE-2 Physical And Environmental Protection Physical Access Authorizations Shared n/a The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. References: None link 1
NIST_SP_800-53_R4 PE-3 NIST_SP_800-53_R4_PE-3 NIST SP 800-53 Rev. 4 PE-3 Physical And Environmental Protection Physical Access Control Shared n/a The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. Supplemental Guidance: Related controls: CA-2, CA-7. link 4
NIST_SP_800-53_R4 PE-4 NIST_SP_800-53_R4_PE-4 NIST SP 800-53 Rev. 4 PE-4 Physical And Environmental Protection Access Control For Transmission Medium Shared n/a The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. Control Enhancements: None. References: NSTISSI No. 7003. link 2
NIST_SP_800-53_R4 PE-5 NIST_SP_800-53_R4_PE-5 NIST SP 800-53 Rev. 4 PE-5 Physical And Environmental Protection Access Control For Output Devices Shared n/a The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. References: None. link 3
NIST_SP_800-53_R4 PE-8 NIST_SP_800-53_R4_PE-8 NIST SP 800-53 Rev. 4 PE-8 Physical And Environmental Protection Visitor Access Records Shared n/a The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency]. Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. References: None. link 2
NIST_SP_800-53_R4 SI-12 NIST_SP_800-53_R4_SI-12 NIST SP 800-53 Rev. 4 SI-12 System And Information Integrity Information Handling And Retention Shared n/a The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. Control Enhancements: None. References: None. link 3
NIST_SP_800-53_R5 PE-2 NIST_SP_800-53_R5_PE-2 NIST SP 800-53 Rev. 5 PE-2 Physical and Environmental Protection Physical Access Authorizations Shared n/a a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; b. Issue authorization credentials for facility access; c. Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Remove individuals from the facility access list when access is no longer required. link 1
NIST_SP_800-53_R5 PE-3 NIST_SP_800-53_R5_PE-3 NIST SP 800-53 Rev. 5 PE-3 Physical and Environmental Protection Physical Access Control Shared n/a a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by: 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress and egress to the facility using [Selection (OneOrMore): [Assignment: organization-defined physical access control systems or devices]; guards]; b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points]; c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls]; d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity]; e. Secure keys, combinations, and other physical access devices; f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. link 4
NIST_SP_800-53_R5 PE-4 NIST_SP_800-53_R5_PE-4 NIST SP 800-53 Rev. 5 PE-4 Physical and Environmental Protection Access Control for Transmission Shared n/a Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls]. link 2
NIST_SP_800-53_R5 PE-5 NIST_SP_800-53_R5_PE-5 NIST SP 800-53 Rev. 5 PE-5 Physical and Environmental Protection Access Control for Output Devices Shared n/a Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. link 3
NIST_SP_800-53_R5 PE-8 NIST_SP_800-53_R5_PE-8 NIST SP 800-53 Rev. 5 PE-8 Physical and Environmental Protection Visitor Access Records Shared n/a a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period]; b. Review visitor access records [Assignment: organization-defined frequency]; and c. Report anomalies in visitor access records to [Assignment: organization-defined personnel]. link 2
NIST_SP_800-53_R5 SI-12 NIST_SP_800-53_R5_SI-12 NIST SP 800-53 Rev. 5 SI-12 System and Information Integrity Information Management and Retention Shared n/a Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. link 3
PCI_DSS_v4.0 3.2.1 PCI_DSS_v4.0_3.2.1 PCI DSS v4.0 3.2.1 Requirement 03: Protect Stored Account Data Storage of account data is kept to a minimum Shared n/a Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: • Coverage for all locations of stored account data. • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. link 8
PCI_DSS_v4.0 9.2.2 PCI_DSS_v4.0_9.2.2 PCI DSS v4.0 9.2.2 Requirement 09: Restrict Physical Access to Cardholder Data Physical access controls manage entry into facilities and systems containing cardholder data Shared n/a Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility. link 1
PCI_DSS_v4.0 9.2.3 PCI_DSS_v4.0_9.2.3 PCI DSS v4.0 9.2.3 Requirement 09: Restrict Physical Access to Cardholder Data Physical access controls manage entry into facilities and systems containing cardholder data Shared n/a Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. link 2
PCI_DSS_v4.0 9.2.4 PCI_DSS_v4.0_9.2.4 PCI DSS v4.0 9.2.4 Requirement 09: Restrict Physical Access to Cardholder Data Physical access controls manage entry into facilities and systems containing cardholder data Shared n/a Access to consoles in sensitive areas is restricted via locking when not in use. link 2
PCI_DSS_v4.0 9.3.1 PCI_DSS_v4.0_9.3.1 PCI DSS v4.0 9.3.1 Requirement 09: Restrict Physical Access to Cardholder Data Physical access for personnel and visitors is authorized and managed Shared n/a Procedures are implemented for authorizing and managing physical access of personnel to the CDE, including: • Identifying personnel. • Managing changes to an individual’s physical access requirements. • Revoking or terminating personnel identification. • Limiting access to the identification process or system to authorized personnel. link 1
PCI_DSS_v4.0 9.3.1.1 PCI_DSS_v4.0_9.3.1.1 PCI DSS v4.0 9.3.1.1 Requirement 09: Restrict Physical Access to Cardholder Data Physical access for personnel and visitors is authorized and managed Shared n/a Physical access to sensitive areas within the CDE for personnel is controlled as follows: • Access is authorized and based on individual job function. • Access is revoked immediately upon termination. • All physical access mechanisms, such as keys, access cards, etc., are returned or disabled upon termination. link 1
PCI_DSS_v4.0 9.3.2 PCI_DSS_v4.0_9.3.2 PCI DSS v4.0 9.3.2 Requirement 09: Restrict Physical Access to Cardholder Data Physical access for personnel and visitors is authorized and managed Shared n/a Procedures are implemented for authorizing and managing visitor access to the CDE, including: • Visitors are authorized before entering. • Visitors are escorted at all times. • Visitors are clearly identified and given a badge or other identification that expires. • Visitor badges or other identification visibly distinguishes visitors from personnel. link 2
PCI_DSS_v4.0 9.3.3 PCI_DSS_v4.0_9.3.3 PCI DSS v4.0 9.3.3 Requirement 09: Restrict Physical Access to Cardholder Data Physical access for personnel and visitors is authorized and managed Shared n/a Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration. link 2
PCI_DSS_v4.0 9.3.4 PCI_DSS_v4.0_9.3.4 PCI DSS v4.0 9.3.4 Requirement 09: Restrict Physical Access to Cardholder Data Physical access for personnel and visitors is authorized and managed Shared n/a A visitor log is used to maintain a physical record of visitor activity within the facility and within sensitive areas, including: • The visitor’s name and the organization represented. • The date and time of the visit. • The name of the personnel authorizing physical access. • Retaining the log for at least three months, unless otherwise restricted by law. link 2
PCI_DSS_v4.0 9.5.1 PCI_DSS_v4.0_9.5.1 PCI DSS v4.0 9.5.1 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following: • Maintaining a list of POI devices. • Periodically inspecting POI devices to look for tampering or unauthorized substitution. • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. link 3
PCI_DSS_v4.0 9.5.1.2 PCI_DSS_v4.0_9.5.1.2 PCI DSS v4.0 9.5.1.2 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. link 3
PCI_DSS_v4.0 9.5.1.2.1 PCI_DSS_v4.0_9.5.1.2.1 PCI DSS v4.0 9.5.1.2.1 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. link 3
SOC_2 C1.1 SOC_2_C1.1 SOC 2 Type 2 C1.1 Additional Criteria For Confidentiality Protection of confidential information Shared The customer is responsible for implementing this recommendation. • Identifies Confidential Information — Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained. • Protects Confidential Information From Destruction — Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information. 3
SOC_2 C1.2 SOC_2_C1.2 SOC 2 Type 2 C1.2 Additional Criteria For Confidentiality Disposal of confidential information Shared The customer is responsible for implementing this recommendation. • Identifies Confidential Information for Destruction — Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached. • Destroys Confidential Information — Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction. 3
SOC_2 CC2.1 SOC_2_CC2.1 SOC 2 Type 2 CC2.1 Communication and Information COSO Principle 13 Shared The customer is responsible for implementing this recommendation. • Identifies Information Requirements — A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives. • Captures Internal and External Sources of Data — Information systems capture internal and external sources of data. • Processes Relevant Data Into Information — Information systems process and transform relevant data into information. • Maintains Quality Throughout Processing — Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. 3
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction. 80
SOC_2 CC6.4 SOC_2_CC6.4 SOC 2 Type 2 CC6.4 Logical and Physical Access Controls Restricted physical access Shared The customer is responsible for implementing this recommendation. • Creates or Modifies Physical Access — Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner. • Removes Physical Access — Processes are in place to remove access to physical resources when an individual no longer requires access. • Reviews Physical Access — Processes are in place to periodically review physical access to ensure consistency with job responsibilities 1
SOC_2 PI1.3 SOC_2_PI1.3 SOC 2 Type 2 PI1.3 Additional Criteria For Processing Integrity System processing Shared The customer is responsible for implementing this recommendation. • Defines Processing Specifications — The processing specifications that are necessary to meet product or service requirements are defined. • Defines Processing Activities — Processing activities are defined to result in products or services that meet specifications. • Detects and Corrects Production Errors — Errors in the production process are detected and corrected in a timely manner. • Records System Processing Activities — System processing activities are recorded completely and accurately in a timely manner. • Processes Inputs — Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities 5
SOC_2 PI1.4 SOC_2_PI1.4 SOC 2 Type 2 PI1.4 Additional Criteria For Processing Integrity System output is complete, accurate, and timely Shared The customer is responsible for implementing this recommendation. • Protects Output — Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications. • Distributes Output Only to Intended Parties — Output is distributed or made available only to intended parties. • Distributes Output Completely and Accurately — Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output. • Creates and Maintains Records of System Output Activities — Records of system output activities are created and maintained completely and accurately in a timely manner. 3
SOC_2 PI1.5 SOC_2_PI1.5 SOC 2 Type 2 PI1.5 Additional Criteria For Processing Integrity Store inputs and outputs completely, accurately, and timely Shared The customer is responsible for implementing this recommendation. • Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications. • Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. • Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data. • Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner 10
SWIFT_CSCF_v2022 3.1 SWIFT_CSCF_v2022_3.1 SWIFT CSCF v2022 3.1 3. Physically Secure the Environment Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. Shared n/a Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage. link 8
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 55a7f9a0-6397-7589-05ef-5ed59a8149e7
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn