Level 2

Description:   

Monitoring of physical access includes publicly accessible areas within organizational facilities. This can be accomplished, for example, by the employment of guards; the use of sensor devices; or the use of video surveillance equipment such as cameras. Examples of support infrastructure include system distribution, transmission, and power lines. Security controls applied to the support infrastructure prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Physical access controls to support infrastructure include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors.


Priority: Medium

Domain:PHYSICAL PROTECTION (PE) 

Category: Physical Security 


Services Associated with AWS:   

  • AWS Identity and Access Management (IAM), AWS GuardDuty, AWS CloudTrail (for monitoring access events) 


Services Associated with Azure:

  • Physical access control (PAC) systems 
  • Azure Active Directory (Azure AD) 
  • Azure Security Center 
  • Azure Video Analyzer 


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Physical Role Based Access Control (P-RBAC) is implemented
  • Administrative: supporting documentation to demonstrate visitor management practices
  • Administrative: supporting documentation to demonstrate physical security practices


Possible Technology Considerations : 

  • Physical Access Control (PAC) 


What needs to be answered :  


Has the facility/building manager reviewed the location and type of physical security in use  and evaluated its suitability for the company’s needs? Is physical access monitored to detect and respond to physical security incidents? 

Checks for AWS 

  • Physical Facility and Support Infrastructure Protection and Monitoring
    Description: This check ensures that the physical facility and support infrastructure for organizational systems are protected and monitored to prevent unauthorized access, damage, disruption, tampering, and eavesdropping. Security controls are applied to both publicly accessible areas within the facility and the support infrastructure, including distribution, transmission, and power lines.
     

Checks for Azure 

  • Physical Facility and Support Infrastructure Protection:
    Description: This check verifies that the physical facilities and support infrastructure used by organizational systems in the Azure environment are adequately protected to prevent unauthorized access, damage, disruption, tampering, and eavesdropping. It ensures that security controls are applied to publicly accessible areas within the facility and the support infrastructure, including distribution, transmission, and power lines.

  • Physical Access Monitoring:
    Description: This check ensures that physical access to the Azure facility is actively monitored to detect and respond to potential physical security incidents. The goal is to have measures in place to identify any unauthorized attempts to gain access to the facility and respond promptly to such incidents.

  • Physical Role-Based Access Control (P-RBAC) Implementation:
    Description: This check verifies that documented policies, standards, and procedures are in place for Physical Role-Based Access Control (P-RBAC) within the Azure environment. P-RBAC ensures that access to physical areas and assets is granted based on job roles and responsibilities, limiting access to only those individuals who require it to perform their duties.

  • Visitor Management Practices:
    Description: This check ensures that there are supporting documentation and procedures in place to demonstrate effective visitor management practices within the Azure facility. This includes protocols for registering and tracking visitors, providing them with appropriate access permissions, and ensuring that they are accompanied by authorized personnel during their visit.

  • Physical Security Practices:
    Description: This check confirms that there are supporting documentation and procedures to demonstrate the implementation of physical security practices within the Azure environment. These practices may include surveillance camera systems, sensor devices, guards, or other measures to safeguard the facility from physical threats.

More Details:   

No CUI stored in company facilities. All CUI storage done via AWS services.