Requirement:
The cybersecurity requirements for physical protection of information and technology assets must include at least the following:
Sub-Controls:
2-14-3-1:
Requirement:
Authorized access to sensitive areas within the organization (e.g., data center, disaster recovery center, sensitive information processing facilities, security surveillance center, network cabinets).
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Identify the scope of the organization's critical areas, including (but not limited to):
  - Data centers
  - Disaster Recovery Center
  - Sensitive information processing facilities
  - Security Control Center
  - Network communication rooms
  - Supply areas for hardware and technology equipment
- Develop an access request form for critical areas, including (but not limited to):
  - Name of the concerned person
  - Reason for requesting access
  - Access duration
- Develop procedures for approval of access requests by administrators
- Identify the access mechanism for critical areas (e.g., card access, fingerprint access, face recognition, etc.)
- Restrict management of the physical access system to individuals with specific authorities that can be audited and reviewed
- Create a periodic schedule to review and update physical access authorities for critical areas
- Review access authorities according to the established periodic schedule
- Revoke access authorities after the expiry of the period documented in the application form approved by the representative
- Ensure that third parties are not granted physical access to the organization's facilities until security requirements are met, and that their presence is monitored wherever this is required
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- An approved user access request form
- Schedule of a site visit to a critical area (e.g., a data center, but not limited to it) to assess access controls
- Evidence of revoking access authorities after the expiry of the period documented on the approved application form (e.g., by email)
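The periodic review, expiry-based revocation and third-party conditions above can be checked mechanically against the organization's register of approved access requests. The following is an added example (not part of the ECC guideline): it reads a list of access grants built from the request form fields (person, reason, duration, approver), flags expired authorities for revocation, flags still-valid authorities that are overdue for the periodic review (assumed here to be every 90 days), and flags third parties holding access before their security requirements are met. All people, areas and dates are constructed sample data.

```python
# Added example (not part of the ECC guideline): a review helper for physical
# access authorities. It flags grants whose documented period has expired
# (to be revoked), grants overdue for the periodic review, and third parties
# whose security requirements are not yet met. All names, areas and dates
# below are constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AccessGrant:
    """One approved entry on the critical-area access request form."""
    person: str
    area: str                      # e.g. data center, network communication room
    reason: str
    approved_by: str               # approving administrator
    expires_on: date               # end of the access duration on the form
    last_reviewed: date            # last periodic review of this authority
    third_party: bool = False
    security_requirements_met: bool = True


def grants_to_revoke(grants, today):
    """Authorities whose documented access period has expired."""
    return [g for g in grants if g.expires_on < today]


def grants_due_for_review(grants, today, review_interval_days=90):
    """Still-valid authorities not reviewed within the review interval (assumed 90 days)."""
    cutoff = today - timedelta(days=review_interval_days)
    return [g for g in grants if g.expires_on >= today and g.last_reviewed <= cutoff]


def third_party_violations(grants):
    """Third parties holding physical access before security requirements are met."""
    return [g for g in grants if g.third_party and not g.security_requirements_met]


def review_report(grants, today, review_interval_days=90):
    """Summarise the review as three sorted action lists of person names."""
    return {
        "revoke": sorted(g.person for g in grants_to_revoke(grants, today)),
        "review": sorted(g.person for g in
                         grants_due_for_review(grants, today, review_interval_days)),
        "block_third_party": sorted(g.person for g in third_party_violations(grants)),
    }


# Constructed sample register (hypothetical people, approvers and areas).
SAMPLE_GRANTS = [
    AccessGrant("A. Ahmed", "Data center", "Rack maintenance", "IT Ops manager",
                date(2024, 6, 30), date(2024, 3, 1)),
    AccessGrant("B. Bakr", "Network communication room", "Cabling", "Network manager",
                date(2024, 12, 31), date(2024, 2, 1)),
    AccessGrant("C. Chen", "Disaster Recovery Center", "DR drill", "BCM manager",
                date(2024, 12, 31), date(2024, 7, 1)),
    AccessGrant("D. Vendor Co.", "Data center", "UPS service", "Facilities manager",
                date(2024, 8, 1), date(2024, 7, 10),
                third_party=True, security_requirements_met=False),
]

REVIEW_DATE = date(2024, 7, 15)  # constructed date on which the review is run

if __name__ == "__main__":
    # The printed report is the kind of record kept as evidence that expired
    # authorities were revoked after the documented period.
    print(review_report(SAMPLE_GRANTS, REVIEW_DATE))
```

Run as a script it prints the three action lists for the constructed review date; in practice the grant list would be exported from the access request records and the output of `grants_to_revoke` would drive the removal in the physical access control system, keeping the emailed confirmation as the deliverable.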
2-14-3-2:
Requirement:
Facility entry/exit records and CCTV monitoring.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Define the scope of access and monitoring logs, including (but not limited to):
  - All of the organization's buildings, including the main building and all its branches
  - Critical areas identified by the risk assessment, including data centers and communication rooms
- Provide monitoring records for all of the organization's buildings, covering at least:
  - Inside the building
  - Outside the building
  - Building corridors
  - Entry and exit doors
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Schedule of a visit to the CCTV log room to assess the monitoring process and the devices used
- Schedule of a visit to the organization's buildings that contain surveillance cameras to assess their effectiveness, locations and monitoring
2-14-3-3:
Requirement:
Protection of facility entry/exit and surveillance records.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Adopt a separate location that includes access and monitoring logs to ensure their protection
- Take the necessary measures to avoid loss of records (e.g., backups)
- Protect logs, information sources, and DVR from unauthorized access
- Document and set a retention period for access and monitoring records
- Develop periodic plan to archive access and monitoring records
- Archive access and monitoring logs as per the periodic plan in a secure storage room containing CCTV monitoring devices
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Schedule of a visit to the CCTV log room to ensure that access and monitoring logs are kept in a separate location with secured access
- Schedule of a visit to the secure storage room containing archived records
2-14-3-4:
Requirement:
Secure destruction and re-use of physical assets that hold classified information (including documents and storage media).
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Identify the scope of physical assets containing classified information, including (but not limited to):
  - Paper documents
  - Storage media
- Develop a methodology and procedures for the destruction of physical assets containing classified information
- Provide the necessary devices for the destruction of physical assets containing classified information, including (but not limited to):
  - Shredder machine
  - Hard disk destruction machine
- Develop a methodology and procedures for the reuse of physical assets containing classified information, including methods to erase and delete information such as degaussing and zero filling
- Document and approve the procedures for reusing physical assets that held classified information
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Sample of the paper document destruction implementation (e.g., an email addressed to stakeholders confirming the destruction of the sample)
- Sample of the digital media destruction implementation (e.g., email)
- Procedures for reusing physical assets containing classified information documented and approved by the representative
- Sample of the implementation of the procedure for reusing physical assets that held classified information (e.g., a copy of the paper documents that have been destroyed and shared)
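Zero filling, one of the erasure methods named above for media that will be reused, is only evidence if the overwrite is verified afterwards by reading the media back. The following is an added example (not part of the ECC guideline): it overwrites a storage image in place with zeros, re-reads it to confirm no non-zero byte remains, and records before/after SHA-256 hashes that can be attached to the reuse record. The "media" is a constructed temporary file standing in for a disk image; the record layout and sizes are assumptions.

```python
# Added example (not part of the ECC guideline): zero-fill sanitization of a
# storage image before reuse, with a verification pass and before/after hashes
# that can be attached to the destruction/reuse evidence. The "media" here is a
# constructed temporary file standing in for a disk image.
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # bytes written/read per step


def sha256_of_file(path):
    """Hash the whole file; used for the before/after evidence record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def zero_fill(path):
    """Overwrite every byte of the file in place with 0x00, then fsync."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def first_nonzero_offset(path):
    """Offset of the first non-zero byte read back, or None if fully zeroed."""
    offset = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            stripped = chunk.lstrip(b"\x00")
            if stripped:
                return offset + (len(chunk) - len(stripped))
            offset += len(chunk)
    return None


def expected_zero_hash(size):
    """SHA-256 of `size` zero bytes: what a clean zero-fill must hash to."""
    h = hashlib.sha256()
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        h.update(b"\x00" * n)
        remaining -= n
    return h.hexdigest()


def sanitize_and_verify(path):
    """Zero-fill, then independently re-read the media; return the evidence record."""
    before = sha256_of_file(path)
    size = zero_fill(path)
    bad = first_nonzero_offset(path)
    after = sha256_of_file(path)
    return {
        "size": size,
        "sha256_before": before,
        "sha256_after": after,
        "first_nonzero_offset": bad,
        "verified": bad is None and after == expected_zero_hash(size),
    }


def demo(size=200_000):
    """Build a constructed 'classified' image in a temp file and sanitize it."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"CLASSIFIED SAMPLE RECORD " * (size // 25) + b"X" * (size % 25))
        return sanitize_and_verify(path)
    finally:
        os.remove(path)


def demo_failed_wipe(size=100_000, bad_offset=70_000):
    """Constructed failure case: one stray byte survives; the verifier must find it."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"\x00" * bad_offset + b"\xff" + b"\x00" * (size - bad_offset - 1))
        return first_nonzero_offset(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
    print("stray byte at offset", demo_failed_wipe())
```

The read-back step is what turns the overwrite into evidence: `verified` is true only when no non-zero byte is found and the whole-image hash equals the hash of an all-zero image of the same size. Note the limit of host-level overwriting on flash media: wear levelling can leave copies of old data in blocks the host cannot address, and degaussing has no effect on flash, so for SSDs the approved procedure should rely on the drive's built-in sanitize function or on physical destruction rather than on this check alone.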
2-14-3-5:
Requirement:
Security of devices and equipment inside and outside the organization's facilities.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Identify the scope of devices and equipment inside and outside the organization's buildings, including (but not limited to):
  - Data centers
  - Disaster Recovery Center
  - Sensitive information processing facilities
  - Security Control Center
  - Network communication rooms
  - Supply areas for hardware and technology equipment
- Develop procedures for the security of devices and equipment inside and outside the organization's premises
- Develop a documented and approved plan for the maintenance of devices and equipment inside and outside the organization's premises
- Utilize technical solutions and equipment protection programs inside and outside buildings
- Maintain equipment and devices inside and outside buildings periodically
- Develop and approve physical security and safety regulations and procedures in the organization to include a precise definition of duties and tasks to serve as a general safety service framework to protect lives, assets and information
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Documented procedures for the security of devices and equipment inside and outside the organization's facilities, approved by the representative
- Sample of the implementation of the security of devices and equipment inside and outside the organization's buildings (e.g., maintenance schedule with review dates)