PR.PO-P4: Policy and regulations regarding the physical operating environment for organizational assets are met
CSF v1.1 References:
[csf.tools Note: Subcategories do not have detailed descriptions.]
Note: This Privacy Framework Subcategory is identical to the Cybersecurity Framework Subcategory.
NIST Special Publication 800-53 Revision 5
PE-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] physical and environmental protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
Cloud Controls Matrix v3.0.1
BCR-03: Datacenter Utilities / Environmental Conditions
Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
BCR-05: Environmental Risks
Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
BCR-06: Equipment Location
To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
BCR-08: Equipment Power Failures
Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.
DSI-04: Handling / Labeling / Security Policy
Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
DCS-01: Asset Management
Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
DCS-02: Controlled Access Points
Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.
DCS-07: Secure Area Authorization
Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
DCS-08: Unauthorized Persons Entry
Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.
DCS-09: User Access
Physical access to information assets and functions by users and support personnel shall be restricted.
NIST Special Publication 800-53 Revision 4
PE-1: Physical And Environmental Protection Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and Reviews and…