System Security Plan (SSP) Categorization: Moderate-Low-Low


Physical and Environment Protection (PE)




10.17 Physical and Environmental Protection (PE)

10.17.1 PE-1 – Physical and Environmental Protection Policy and Procedures


Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.

10.17.2 PE-2 – Physical Access Authorizations


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. This control applies only to areas within facilities that have not been designated as publicly accessible. Ensure that Support Systems are controlled within the facility and managed by cleared individuals. Support Systems include card/badge creation systems, card reader systems, alarm systems, and music/sound cover systems. These systems may be addressed in the Fixed Facility Checklist (FFC) or the Facility SOP.

The organization:



Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides

Click here to enter text.



Issues authorization credentials for facility access

Click here to enter text.

Reviews the access list detailing authorized facility access by individuals [annually, or as policy and procedures dictate when changes are required]

Click here to enter text.

Removes individuals from the facility access list when access is no longer required

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access (+ Classified Overlay) – NEW


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization restricts unescorted access to the facility where the information system resides to personnel with security clearances and/or formal access approval as defined by the local security policy (i.e., Facility SOP).

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.3 PE-3 – Physical Access Control





Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization:

Enforces physical access authorizations by verifying individual access authorizations before granting access to the facility, and by controlling ingress/egress to the facility

Click here to enter text.



Maintains physical access audit logs

Click here to enter text.

Provides security safeguards to control access to areas within the facility officially designated as publicly accessible. Physical safeguards include, for example, locking computer racks to protect mission-critical servers, network routers, etc. As an alternative, these devices may be secured in a room (e.g., a server room) with access limited to privileged users.

Click here to enter text.

Escorts visitors and monitors visitor activity

Click here to enter text.

Secures keys, combinations, and other physical access devices

Click here to enter text.

Inventories physical access devices as required

Click here to enter text.

Changes combinations and keys when first installed or used; when believed to have been compromised; and when considered necessary by the cognizant security authority (CSA), including when keys are lost, combinations are compromised, or individuals are transferred or terminated

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.3.1 PE-3(1) – Physical Access Control: Information System Access – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility for those areas where there is a concentration of IS components (e.g., server rooms, media storage areas, etc.)

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries (+ Classified Overlay)


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization performs random security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.3.3 PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring (+ Classified Overlay)


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.4 PE-4 – Access Control for Transmission Medium (+ Classified Overlay) (- Standalone Overlay)


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization controls physical access to information system distribution and transmission lines within organizational facilities. Security safeguards include locked wiring closets, disconnected or locked spare jacks, and protection of cabling by conduit or cable trays.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.5 PE-5 – Access Control for Output Devices


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Output devices, such as printers and fax machines, of differing security classifications should not be placed in close proximity to one another. Fax machines shall be kept in a separate area from printers, since they are both input and output devices. If Foreign Nationals are present, output devices of US-only systems must be under constant observation by cleared US personnel.

See the DAA PM for additional information on the use of KVM Switches.



Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices (+ Classified Overlay) – NEW


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization marks all output devices in facilities containing information systems that store, process or transmit classified information indicating the appropriate security marking of the information permitted to be output from the device.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.6 PE-6 – Monitoring Physical Access


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization:

Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents

Click here to enter text.



Reviews physical access logs at least every 90 days, or more frequently as required, and upon occurrence of physical access incidents

Click here to enter text.

Coordinates results of reviews and investigations with the organizational incident response capability

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.
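As an added worked example (not part of this SSP template or of any program's actual procedures), the following Python script shows one way to support the PE-6 log review together with the PE-2 access-list review and removal steps and the PE-3 audit-log requirement. It reconciles badge-reader audit records against the authorized-access list and reports badges not on the list, grants to areas the holder is not authorized for, after-hours entry to areas with a concentration of IS components, denied attempts, and list entries with no badge use in 90 days (candidates for removal under PE-2). The log line format, the authorized list, the area names and the business-hours window are all constructed assumptions for illustration.

```python
"""Reconcile a badge-reader audit log against the facility access list.

Added example; the data below is constructed and the format is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Areas treated as having a concentration of IS components (assumption).
RESTRICTED_AREAS = {"SERVER_ROOM"}

# Constructed authorized-access list: badge id -> holder and permitted areas.
AUTHORIZED = {
    "E1001": {"name": "A. Rivera", "areas": {"LOBBY", "SERVER_ROOM"}},
    "E1002": {"name": "B. Chen", "areas": {"LOBBY"}},
    "E1003": {"name": "C. Okafor", "areas": {"LOBBY", "SERVER_ROOM"}},
}

# Constructed badge-reader log: "<ISO timestamp> <badge> <area> <GRANTED|DENIED>".
BADGE_LOG = """\
2024-03-01T08:02:11 E1001 LOBBY GRANTED
2024-03-01T08:05:40 E1001 SERVER_ROOM GRANTED
2024-03-01T08:07:02 E1002 LOBBY GRANTED
2024-03-01T22:14:33 E1002 SERVER_ROOM DENIED
2024-03-02T03:41:09 E1001 SERVER_ROOM GRANTED
2024-03-02T09:12:50 E9999 LOBBY GRANTED
2024-03-02T10:00:00 E1002 SERVER_ROOM GRANTED
"""


def parse_log(text):
    """Parse log lines into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, area, result = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                        "area": area, "result": result})
    return entries


def review(entries, authorized, review_date, stale_days=90, hours=(7, 19)):
    """Return findings keyed by category.

    unlisted_badge    - GRANTED to a badge absent from the access list
    unauthorized_area - GRANTED to an area the holder is not listed for
                        (reader configuration has drifted from the list)
    after_hours       - GRANTED to a restricted area outside `hours`
    denied            - every DENIED event, for incident follow-up
    stale             - listed badges with no GRANTED event in `stale_days`
                        (candidates for removal from the access list)
    """
    findings = defaultdict(list)
    last_seen = {}
    for e in entries:
        badge, area, stamp = e["badge"], e["area"], e["ts"].isoformat()
        if e["result"] == "DENIED":
            findings["denied"].append((badge, area, stamp))
            continue
        if badge not in authorized:
            findings["unlisted_badge"].append((badge, area, stamp))
            continue
        last_seen[badge] = max(last_seen.get(badge, e["ts"]), e["ts"])
        if area not in authorized[badge]["areas"]:
            findings["unauthorized_area"].append((badge, area, stamp))
        if area in RESTRICTED_AREAS and not (hours[0] <= e["ts"].hour < hours[1]):
            findings["after_hours"].append((badge, area, stamp))
    cutoff = review_date - timedelta(days=stale_days)
    for badge in authorized:
        seen = last_seen.get(badge)
        if seen is None or seen < cutoff:
            findings["stale"].append(badge)
    return dict(findings)


def main():
    results = review(parse_log(BADGE_LOG), AUTHORIZED, datetime(2024, 3, 3))
    for category, items in results.items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")


if __name__ == "__main__":
    main()
```

The `denied` category is kept separate on purpose: a denied attempt by a listed holder against an area they are not authorized for (E1002 at the server room) shows the reader enforcing the list correctly, whereas the later GRANTED event for the same badge and area is the finding that needs correction. The review date is passed in explicitly so the same script can be rerun against an archived log for the 90-day review or after an incident.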

10.17.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization monitors physical intrusion alarms and surveillance equipment.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.7 PE-7 – Visitor Control (includes PE-7(1) – Visitor Control: Visitor Escort and PE-7(2) – Visitor Control: Visitor Identification) – WITHDRAWN: Incorporated into PE-2 and PE-3

10.17.8 PE-8 – Access Records


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization:

Maintains visitor access records to the facility where the information system resides for the period required by NISPOM (at least 2 years).

Click here to enter text.



Reviews visitor access records at least every 90 days.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.9 PE-12 – Emergency Lighting


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization employs and maintains automatic emergency lighting for the IS that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.10 PE-13 – Fire Protection


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization employs and maintains fire suppression and detection devices/systems for the IS that are supported by an independent energy source. As described in DoDM 5205.07-V3, fire detection systems shall not be tied into the facility's IDS. The fire suppression and detection devices/systems, with the exception of tactical environments, shall activate automatically and notify the organization and emergency responders in the event of a fire. Automatic fire suppression capability is required when the facility is not staffed on a continuous basis. Additionally, organizations shall ensure the facility undergoes fire marshal inspections in accordance with local regulations and promptly resolves identified deficiencies.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.11 PE-14 – Temperature and Humidity Controls


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Organizations shall maintain temperature and humidity levels within the facility where the information systems reside at acceptable levels, as defined by the organization, and shall continuously monitor these levels. In addition, organizations shall ensure that temperature and humidity controls with remote maintenance and testing (RMAT) capability are properly configured for use by disabling automatic or remote connection capability. When remote connection capability is required for central management of the HVAC system, it shall be identified on the FFC and approved by the CSA.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.12 PE-15 – Water Damage Protection


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. This control applies primarily to facilities containing concentrations of IS resources, for example server rooms and data centers.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.13 PE-16 – Delivery and Removal


Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization authorizes, monitors, and controls all IS components entering and exiting the facility and maintains records of those items.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.14 PE-17 – Alternate Work Site





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization employs management, operational and technical information system security controls at the alternate work site equivalent to those applicable to the primary work site. These security controls shall be assessed as feasible to determine the effectiveness of these controls. The alternate work site shall provide a means for employees to communicate with information security personnel in case of security incidents or problems.

An alternate work site has not been established.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.15 PE-19 – Information Leakage (+ Classified Overlay)


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization protects the information system from information leakage due to electromagnetic signal emanations. Information systems, peripherals, associated data communications, and networks (planned or installed) that may be used to process national security or security-related information may need to meet national TEMPEST policies and procedures. The objective is to minimize the risk of Foreign Intelligence Services (FIS) exploiting unintentional emanations from intelligence systems. TEMPEST is a short name referring to investigations and studies of compromising emanations. Refer to CNSSI 7003.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.17.15.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures (+ Classified Overlay)


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization ensures that IS components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures, based on the security category or classification of the information.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.
