
Physical and Environmental Protection Controls (from NIST)

This physical and environmental protection control list and description are meant to tie physical and environmental protection controls to an activity or behavior. For NIST's descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

  • Physical and environmental protection policy and procedures - Created to define roles, responsibilities, scope, and compliance regarding physical security and access along with environmental controls and protections for systems. (low)
  • Physical access authorizations - Lists of staff members with authorized access to specific areas are kept. These lists may be kept in a database and computer controlled. Those who keep the lists must have the proper access level to either read the list or modify it. Controls must prevent unauthorized access to the list or its unauthorized modification. Proper officials should approve those to be on the list and periodically review the list. (low)
  • Physical access control - Physical access points to locations where sensitive information may be stored on systems or media must be controlled. Locks, card readers, and guards are used to control physical access. Access mechanisms such as keys, combinations, and access cards are controlled, and possession or knowledge of combinations is logged. Access mechanisms are changed periodically or when an access mechanism is lost. Access mechanisms are changed as personnel leave or the type of access mechanism calls for it. (low)
  • Access control for transmission medium - Physical access to transmission lines is controlled to prevent unauthorized eavesdropping. (high)
  • Access control for display medium - Unauthorized persons are prevented from viewing the display medium of information system devices. (moderate)
  • Monitoring physical access - Physical access logs are kept and reviewed periodically or reviewed if a security incident investigation calls for it. (low)
  • Visitor control - Visitors are authenticated and their entry into facilities is logged. (low)
  • Access logs - There is a log kept for visitors who enter the facilities. Logs are kept for secure areas where staff members enter. Visitor logs include the name of the person visiting, the person being visited, the method of ID used to verify the visitor's identity, and the date and time of both entry and departure. (low)
  • Power equipment and power cabling - Power equipment and cabling are protected against damage from environmental conditions, accidental damage, or deliberate damage. (moderate)
  • Emergency shutoff - In some areas where there is a lot of equipment such as server rooms, an emergency shutoff method may be provided in the case of emergencies such as fire or water leakage. (moderate)
  • Emergency power - Short term emergency power is provided to allow for shutdown of systems when primary power is lost. Secondary power should be provided for systems that are critical and should be kept in operation. (moderate)
  • Emergency lighting - Automatic emergency lighting systems should be in place for use during times when primary power is lost. (low)
  • Fire protection - Fire protection and suppression devices are available and maintained in the organization. Devices may include smoke detectors, halon systems, sprinkler systems, and handheld fire suppressants. (low)
  • Temperature and humidity controls - Temperature and humidity of rooms containing information systems are properly regulated to keep the equipment operating optimally. (low)
  • Water damage protection - Master shutoff valves should be accessible in the event of water leakage or broken plumbing. (low)
  • Delivery and removal - There should be physical control and logging of computer systems and related hardware as they enter and exit all facilities. (low)
  • Alternate work site - An alternate work site should be considered and provided for in the case of a disaster to any particular site. This planning is part of a disaster recovery plan or a business continuity plan. (moderate)