SP 800-53Ar1 FPD Assessment Procedure Catalog, with SP 800-53r3 Security Controls
PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-1
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-1 |
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
|
| PE-1.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization develops and formally documents physical and environmental protection policy;
- (ii) the organization physical and environmental protection policy addresses:
- (iii) the organization disseminates formal documented physical and environmental protection policy to elements within the organization having associated physical and environmental protection roles and responsibilities;
- (iv) the organization develops and formally documents physical and environmental protection procedures;
- (v) the organization physical and environmental protection procedures facilitate implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
- (vi) the organization disseminates formal documented physical and environmental protection procedures to elements within the organization having associated physical and environmental protection roles and responsibilities.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].
|
| PE-1.2 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of physical and environmental protection policy reviews/updates;
- (ii) the organization reviews/updates physical and environmental protection policy in accordance with organization-defined frequency; and
- (iii) the organization defines the frequency of physical and environmental protection procedure reviews/updates;
- (iv) the organization reviews/updates physical and environmental protection procedures in accordance with organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].
|
PE-2
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-2 |
PHYSICAL ACCESS AUTHORIZATIONS
|
| PE-2.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization identifies areas within the facility that are publicly accessible;
- (ii) the organization develops and keeps current lists of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
- (iii) the organization issues authorization credentials (e.g., badges, identification cards, smart cards).
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; authorization credentials; list of areas that are publicly accessible; other relevant documents or records].
|
| PE-2.2 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency for review and approval of the physical access list and authorization credentials for the facility;
- (ii) organization reviews and approves the access list and authorization credentials in accordance with the organization-defined frequency; and
- (iii) the organization removes from the access list personnel no longer requiring access.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; other relevant documents or records].
|
| PE-2(1) |
PHYSICAL ACCESS AUTHORIZATIONS
|
| PE-2(1).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization identifies personnel positions or roles authorized for physical access to the facility where the information system resides; and
- (ii) the organization authorizes physical access to the facility where the information system resides based on position or role.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; physical access control logs or records; information system entry and exit points; other relevant documents or records].
|
| PE-2(2) |
PHYSICAL ACCESS AUTHORIZATIONS
|
| PE-2(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization requires two forms of identification to gain access to the facility where the information system resides.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; physical access control logs or records; information system entry and exit points; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility].
|
| PE-2(3) |
PHYSICAL ACCESS AUTHORIZATIONS
|
| PE-2(3).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization identifies authorized personnel with appropriate clearances and access authorizations for gaining physical access to the facility containing an information system that processes classified information; and
- (ii) the organization restricts physical access to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances and access authorizations.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; physical access control logs or records; information system entry and exit points; other relevant documents or records].
|
PE-3
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-3 |
PHYSICAL ACCESS CONTROL
|
| PE-3.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
- (ii) the organization verifies individual access authorizations before granting access to the facility;
- (iii) the organization controls entry to the facility containing the information system using physical access devices (e.g., keys, locks, combinations, card readers) and/or guards;
- (iv) the organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk; and
- (v) the organization secures keys, combinations, and other physical access devices.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; storage locations for physical access devices; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities].
- Test: [SELECT FROM: Physical access control capability; physical access control devices].
|
| PE-3.2 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency for conducting inventories of physical access devices;
- (ii) the organization inventories physical access devices in accordance with the organization-defined frequency;
- (iii) the organization defines the frequency of changes to combinations and keys; and
- (iv) the organization changes combinations and keys in accordance with the organization-defined frequency, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; security plan; physical access control logs or records; inventory records of physical access devices; records of key and lock combination changes; storage locations for physical access devices; other relevant documents or records].
- Test: [SELECT FROM: Physical access control devices].
|
| PE-3(1) |
PHYSICAL ACCESS CONTROL
|
| PE-3(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; list of areas within the facility containing high concentrations of information system components or information system components requiring additional physical protection; other relevant documents or records].
|
| PE-3(2) |
PHYSICAL ACCESS CONTROL
|
| PE-3(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization performs security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or information system components.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; records of security checks; facility layout documentation; information system entry and exit points; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities].
|
| PE-3(3) |
PHYSICAL ACCESS CONTROL
|
| PE-3(3).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization guards, alarms, and monitors every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; facility surveillance records; facility layout documentation; information system entry and exit points; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities].
|
| PE-3(4) |
PHYSICAL ACCESS CONTROL
|
| PE-3(4).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines information system components to be protected from unauthorized physical access using lockable physical casings; and
- (ii) the organization uses lockable physical casings to protect organization-defined information system components from unauthorized physical access.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; security plan; list of information system components requiring protection through lockable physical casings; lockable physical casings; other relevant documents or records].
|
| PE-3(5) |
PHYSICAL ACCESS CONTROL
|
| PE-3(5).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system detects/prevents physical tampering or alteration of hardware components within the system.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system design documentation; other relevant documents or records].
- Test: [SELECT FROM: Physical access control capability].
|
| PE-3(6) |
PHYSICAL ACCESS CONTROL
|
| PE-3(6).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility; and
- (ii) the organization employs a penetration testing process that includes unannounced attempts, in accordance with the organization-defined frequency, to bypass or circumvent security controls associated with physical access points to the facility.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; procedures addressing penetration testing; rules of engagement and associated documentation; penetration test results; security plan; other relevant documents or records].
|
PE-4
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-4 |
ACCESS CONTROL FOR TRANSMISSION MEDIUM
|
| PE-4.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization controls physical access to information system distribution and transmission lines within organizational facilities.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for transmission medium; information system design documentation; facility communications and wiring diagrams; other relevant documents or records].
|
PE-5
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-5 |
ACCESS CONTROL FOR OUTPUT DEVICES
|
| PE-5.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for display medium; facility layout of information system components; actual displays from information system components; other relevant documents or records].
|
PE-6
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-6 |
MONITORING PHYSICAL ACCESS
|
| PE-6.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization monitors physical access to the information system to detect and respond to physical security incidents;
- (ii) the organization defines the frequency to review physical access logs;
- (iii) the organization reviews physical access logs in accordance with the organization-defined frequency; and
- (iv) the organization coordinates results of reviews and investigations with the organization's incident response capability.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; security plan; physical access logs or records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities].
- Test: [SELECT FROM: Physical access monitoring capability].
|
| PE-6(1) |
MONITORING PHYSICAL ACCESS
|
| PE-6(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization monitors real-time physical intrusion alarms and surveillance equipment.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; physical intrusion alarm/surveillance equipment logs or records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities].
- Test: [SELECT FROM: Physical access monitoring capability].
|
| PE-6(2) |
MONITORING PHYSICAL ACCESS
|
| PE-6(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; information system design documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing physical access monitoring capability].
|
PE-7
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-7 |
VISITOR CONTROL
|
| PE-7.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].
- Test: [SELECT FROM: Visitor access control capability].
|
| PE-7(1) |
VISITOR CONTROL
|
| PE-7(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization escorts visitors and monitors visitor activity, when required.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].
|
| PE-7(2) |
VISITOR CONTROL
|
| PE-7(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization requires two forms of identification for visitor access to the facility.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].
|
PE-8
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-8 |
ACCESS RECORDS
|
| PE-8.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
- (ii) the organization defines the frequency to review visitor access records;
- (iii) the organization reviews the visitor access records in accordance with the organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; security plan; facility access control records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing physical access records].
|
| PE-8(1) |
ACCESS RECORDS
|
| PE-8(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs automated mechanisms to facilitate the maintenance and review of access records.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; automated mechanisms supporting management of access records; facility access control logs or records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing physical access records].
|
| PE-8(2) |
ACCESS RECORDS
|
| PE-8(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization maintains a record of all physical access, both visitor and authorized individuals.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; facility access control logs or records; other relevant documents or records].
|
PE-9
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-9 |
POWER EQUIPMENT AND POWER CABLING
|
| PE-9.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment and cabling protection; facility housing power equipment and cabling; other relevant documents or records].
|
| PE-9(1) |
POWER EQUIPMENT AND POWER CABLING
|
| PE-9(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs redundant and parallel power cabling paths.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment and cabling protection; facility housing power equipment and cabling; other relevant documents or records].
|
| PE-9(2) |
POWER EQUIPMENT AND POWER CABLING
|
| PE-9(2).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the critical information system components that require automatic voltage controls; and
- (ii) the organization employs automatic voltage controls for organization-defined critical information system components
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing voltage control; security plan; list of critical information system components requiring automatic voltage controls; other relevant documents or records].
|
PE-10
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-10 |
EMERGENCY SHUTOFF
|
| PE-10.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization provides the capability of shutting off power to the information system or individual system components in emergency situations;
- (ii) the organization defines the location of emergency shutoff switches or devices by information system or system component;
- (iii) the organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel; and
- (iv) the organization protects the emergency power shutoff capability from unauthorized activation.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power source emergency shutoff; security plan; emergency shutoff controls or switches; other relevant documents or records].
|
| PE-10(1) |
EMERGENCY SHUTOFF
[Withdrawn: Incorporated into PE-10].
|
| PE-10(1).1 |
ASSESSMENT OBJECTIVE:
- [Withdrawn: Incorporated into PE-10].
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- [Withdrawn: Incorporated into PE-10].
|
PE-11
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-11 |
EMERGENCY POWER
|
| PE-11.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; uninterruptible power supply documentation; uninterruptible power supply test records; other relevant documents or records].
- Test: [SELECT FROM: Uninterruptible power supply].
|
| PE-11(1) |
EMERGENCY POWER
|
| PE-11(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply documentation; alternate power test records; other relevant documents or records].
- Test: [SELECT FROM: Alternate power supply].
|
| PE-11(2) |
EMERGENCY POWER
|
| PE-11(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply documentation; alternate power test records; other relevant documents or records].
- Test: [SELECT FROM: Alternate power supply].
|
PE-12
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-12 |
EMERGENCY LIGHTING
|
| PE-12.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization employs automatic emergency lighting for the information system that activates in the event of a power outage or disruption;
- (ii) the organization employs automatic emergency lighting for the information system that covers emergency exits and evacuation routes within the facility; and
- (iii) the organization maintains the automatic emergency lighting for the information system.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with emergency planning responsibilities].
- Test: [SELECT FROM: Emergency lighting capability].
|
| PE-12(1) |
EMERGENCY LIGHTING
|
| PE-12(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with emergency planning responsibilities].
- Test: [SELECT FROM: Emergency lighting capability].
|
PE-13
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-13 |
FIRE PROTECTION
|
| PE-13.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and
- (ii) the organization maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; test records of fire suppression and detection devices/systems; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
|
| PE-13(1) |
FIRE PROTECTION
|
| PE-13(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs fire detection devices/systems for the information system that, without manual intervention, activate automatically and notify the organization and emergency responders in the event of a fire.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
- Test: [SELECT FROM: Simulated activation of fire detection devices/systems and automated notifications].
|
| PE-13(2) |
FIRE PROTECTION
|
| PE-13(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems documentation; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
- Test: [SELECT FROM: Simulated activation of fire suppression devices/systems and automated notifications].
|
| PE-13(3) |
FIRE PROTECTION
|
| PE-13(3).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; facility staffing plans; test records of fire suppression and detection devices/systems; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
- Test: [SELECT FROM: Simulated activation of fire suppression devices/systems and automated notifications].
|
| PE-13(4) |
FIRE PROTECTION
|
| PE-13(4).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of fire marshal inspections for the facility;
- (ii) the facility undergoes fire marshal inspections in accordance with the organization-defined frequency; and
- (iii) the organization promptly resolves deficiencies identified by fire marshal inspections.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; security plan; facility housing the information system; fire marshal inspection results; test records of fire suppression and detection devices/systems; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
|
PE-14
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-14 |
TEMPERATURE AND HUMIDITY CONTROLS
|
| PE-14.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the acceptable temperature and humidity levels within the facility where the information system resides;
- (ii) the organization maintains temperature and humidity levels within the facility where the information system resides in accordance with organization-defined acceptable levels;
- (iii) the organization defines the frequency to monitor temperature and humidity levels; and
- (iv) the organization monitors the temperature and humidity levels within the facility where the information system resides in accordance with the organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity control; security plan; temperature and humidity controls; facility housing the information system; temperature and humidity controls documentation; temperature and humidity records; other relevant documents or records].
|
| PE-14(1) |
TEMPERATURE AND HUMIDITY CONTROLS
|
| PE-14(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity controls; facility housing the information system; automated mechanisms for temperature and humidity; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing temperature and humidity controls].
|
| PE-14(2) |
TEMPERATURE AND HUMIDITY CONTROLS
|
| PE-14(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity monitoring; facility housing the information system; logs or records of temperature and humidity monitoring; records of changes to temperature and humidity levels that generate alarms or notifications; other relevant documents or records].
- Test: [SELECT FROM: Temperature and humidity monitoring capability].
|
PE-15
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-15 |
WATER DAMAGE PROTECTION
|
| PE-15.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible and working properly; and
- (ii) key personnel within the organization have knowledge of the master water shutoff values.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; master shutoff valves; list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system; master shutoff valve documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organization personnel with physical and environmental protection responsibilities].
- Test: [SELECT FROM: Master water-shutoff valves; process for activating master water-shutoff].
|
| PE-15(1) |
WATER DAMAGE PROTECTION
|
| PE-15(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; automated mechanisms for water shutoff valves; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing master water shutoff valve activation].
|
PE-16
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-16 |
DELIVERY AND REMOVAL
|
| PE-16.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the types of information system components to be authorized, monitored, and controlled as such components are entering or exiting the facility;
- (ii) the organization authorizes, monitors, and controls organization-defined information system components entering and exiting the facility; and
- (iii) the organization maintains records of information system components entering and exiting the facility.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing delivery and removal of information system components from the facility; security plan; facility housing the information system; records of items entering and exiting the facility; other relevant documents or records].
- Interview: [SELECT FROM: Organization personnel with responsibilities for controlling information system components entering and exiting the facility].
- Test: [SELECT FROM: Process for controlling information system-related items entering and exiting the facility].
|
PE-17
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-17 |
ALTERNATE WORK SITE
|
| PE-17.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the management, operational, and technical information system security controls to be employed at alternate work sites;
- (ii) the organization employs organization-defined management, operational, and technical information system security controls at alternate work sites;
- (iii) the organization assesses, as feasible, the effectiveness of security controls at alternate work sites; and
- (iv) the organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing alternate work sites for organizational personnel; security plan; list of management, operational, and technical security controls required for alternate work sites; assessments of security controls at alternate work sites; other relevant documents or records].
- Interview: [SELECT FROM: Organization personnel using alternate work sites].
|
PE-18
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-18 |
LOCATION OF INFORMATION SYSTEM COMPONENTS
|
| PE-18.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization positions information system components within the facility to minimize potential damage from physical and environmental hazards; and
- (ii) the organization positions information system components within the facility to minimize the opportunity for unauthorized access.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing positioning of information system components; documentation providing the location and position of information system components within the facility; other relevant documents or records].
|
| PE-18(1) |
LOCATION OF INFORMATION SYSTEM COMPONENTS
|
| PE-18(1).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards; and
- (ii) the organization, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; physical site planning documents; organizational assessment of risk, contingency plan; other relevant documents or records].
- Interview: [SELECT FROM: Organization personnel with site selection responsibilities for the facility housing the information system].
|
PE-19
| FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
|
CLASS: OPERATIONAL
|
| ASSESSMENT PROCEDURE
|
| PE-19 |
INFORMATION LEAKAGE
|
| PE-19.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization protects the information system from information leakage due to electromagnetic signals emanations.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing information leakage due to electromagnetic signals emanations; mechanisms protecting the information system against electronic signals emanation; facility housing the information system; records from electromagnetic signals emanation tests; other relevant documents or records].
- Test: [SELECT FROM: Information system for information leakage due to electromagnetic signals emanations].
|
| PE-19(1) |
INFORMATION LEAKAGE
|
| PE-19(1).1 |
ASSESSMENT OBJECTIVE:
Determine if the information system components, associated data communications, and networks are protected in accordance with:
- national emissions and TEMPEST policies and procedures; and
- the sensitivity of the information being transmitted.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing information leakage that comply with national emissions and TEMPEST policies and procedures; information system component design documentation; information system configuration settings and associated documentation other relevant documents or records].
- Test: [SELECT FROM: Information system components for compliance with national emissions and TEMPEST policies and procedures].
|
Source
