Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Jump to navigationJump to search
Line 1: Line 1:
====MP-1 Media protection policy and procedures====
====PE-1 Physical and environmental protection policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated.  
This control recommends the organization develop, document, disseminate, review, and update physical and environmental protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of physical and environmental protection action but also to address how those policies and procedures will be implemented, reviewed, and updated.  


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 65
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 66
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]


====MP-2 Media access====
====PE-2 Physical access authorizations====
This control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. This will likely relate to controls on media containing sensitive, protected, or confidential data contained on the media.
This control recommends the organization develop, approve, and maintain a list of individuals who are vetted and authorized to access the facilities where the system physically resides. Those individuals should be issued credentials to access the facility, and those credentials should be reviewed at a defined frequency. Those individuals who no longer require access to the facility should be removed from the physical access list promptly.


'''Additional resources''':
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec30.9] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.7]
* No LIMSpec comp (organizational policy rather than system specification)
 
====PE-3 Physical access control====
This control recommends the organization enact physical access controls through the facility where the system physically resides. Those controls include verifying individual access authorization before allowing admittance, using access control devices or personnel, maintaining physical access audit logs, providing security safeguards for accessing controlled areas from public areas, escorting visitors, monitoring visitor activity, securing keys and passwords controls, inventorying physical access devices regularly, and changing keys and password controls when circumstances require.
 
'''Additional resources''':
* [https://www.idmanagement.gov/sell/fips201/ GSA FIPS 201 Evaluation Program]
* [https://pacs.idmanagement.gov/ GSA Physical Access Control System Guide]
* [https://csrc.nist.gov/publications/detail/sp/800-73/4/final NIST Special Publications 800-73-4]
* [https://csrc.nist.gov/publications/detail/sp/800-76/2/final NIST Special Publications 800-76-2]
* [https://csrc.nist.gov/publications/detail/sp/800-78/4/final NIST Special Publications 800-78-4]
* [https://csrc.nist.gov/publications/detail/sp/800-116/rev-1/final NIST Special Publications 800-116, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
 
====PE-3 (1) Physical access control: Information system access====
This control enhancement recommends the organization provide, in addition to overall facility access control, a mechanism for physically securing areas within the facility that house critical information system components.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
 
====PE-6 Monitoring physical access====
This control recommends the organization monitor the areas within the facility that house critical information system components for detecting and responding to physical security incidents. The organization should also review physical access logs at a determined frequency or when a security event (or possibility of a security event) is identified. Individuals with responsibility for monitoring the system's physical locations should also coordinate with the incident response team in reviews and investigations.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
 
====PE-6 (1) Monitoring physical access: Intrusion alarms and surveillance equipment====
This control enhancement recommends the organization monitor physical intrusion alarms and surveillance equipment.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.9] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.7]
 
====PE-6 (4) Monitoring physical access: Monitoring physical access to information systems====
This control enhancement recommends the organization provide, in addition to overall facility monitoring, a means of monitoring areas within the facility that house critical information system components.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
 
====PE-8 Visitor access recorded====
This control recommends the organization retain visitor access records to the facility housing the physical information system for a designated period of time, reviewing those records at a defined frequency.
 
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
 
====PE-12 Emergency lighting====
This control recommends the organization ensure the facility housing the physical information system employs and maintains automatic emergency lighting capable of activating off of its own independent power supply during a power outage or other type of disruption.
 
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
 
====PE-13 Fire protection====
This control recommends the organization ensure the facility housing the physical information system employs and maintains fire suppression and detection systems capable of activating off of its own independent power supply during a fire incident.
 
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
 
====PE-14 Temperature and humidity controls====
This control recommends the organization maintain temperature and humidity in the facility housing the physical information system at a defined set of acceptable levels, monitoring those levels at a defined frequency.
 
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)


====MP-6 Media sanitization====
====PE-15 Water damage protection====
This control recommends the organization sanitize specified system media using authorized techniques prior to being disposed, released out of organizational control, or released for reuse. The techniques used should match the security or classification level assigned to the information contained on the media.
This control recommends the organization ensure the facility housing the physical information system has emergency water shutoff or isolation valves that are accessible, functional, and clearly marked and known to personnel, with the goal of protecting the system components from water leakage.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final NIST Special Publications 800-60, Vol. 1, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1]
* [https://www.nsa.gov/resources/everyone/media-destruction/ NSA/CSS Media Destruction Guidance]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====MP-7 Media use====
====PE-16 Delivery and removal====
This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that "[i]n contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives" on the system or its subsystems.
This control recommends the organization ensure any pick-up or drop-off activities of information system components at the facility housing the physical information system are authorized, monitored, and controlled, preferably isolating such activities outside of areas where critical system components or media are located.


'''Additional resources''':
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)

Revision as of 20:57, 16 February 2022

PE-1 Physical and environmental protection policy and procedures

This control recommends the organization develop, document, disseminate, review, and update physical and environmental protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of physical and environmental protection action but also to address how those policies and procedures will be implemented, reviewed, and updated.

Additional resources:

PE-2 Physical access authorizations

This control recommends the organization develop, approve, and maintain a list of individuals who are vetted and authorized to access the facilities where the system physically resides. Those individuals should be issued credentials to access the facility, and those credentials should be reviewed at a defined frequency. Those individuals who no longer require access to the facility should be removed from the physical access list promptly.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

PE-3 Physical access control

This control recommends the organization enact physical access controls through the facility where the system physically resides. Those controls include verifying individual access authorization before allowing admittance, using access control devices or personnel, maintaining physical access audit logs, providing security safeguards for accessing controlled areas from public areas, escorting visitors, monitoring visitor activity, securing keys and passwords controls, inventorying physical access devices regularly, and changing keys and password controls when circumstances require.

Additional resources:

PE-3 (1) Physical access control: Information system access

This control enhancement recommends the organization provide, in addition to overall facility access control, a mechanism for physically securing areas within the facility that house critical information system components.

Additional resources:

PE-6 Monitoring physical access

This control recommends the organization monitor the areas within the facility that house critical information system components for detecting and responding to physical security incidents. The organization should also review physical access logs at a determined frequency or when a security event (or possibility of a security event) is identified. Individuals with responsibility for monitoring the system's physical locations should also coordinate with the incident response team in reviews and investigations.

Additional resources:

PE-6 (1) Monitoring physical access: Intrusion alarms and surveillance equipment

This control enhancement recommends the organization monitor physical intrusion alarms and surveillance equipment.

Additional resources:

PE-6 (4) Monitoring physical access: Monitoring physical access to information systems

This control enhancement recommends the organization provide, in addition to overall facility monitoring, a means of monitoring areas within the facility that house critical information system components.

Additional resources:

PE-8 Visitor access recorded

This control recommends the organization retain visitor access records to the facility housing the physical information system for a designated period of time, reviewing those records at a defined frequency.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

PE-12 Emergency lighting

This control recommends the organization ensure the facility housing the physical information system employs and maintains automatic emergency lighting capable of activating off of its own independent power supply during a power outage or other type of disruption.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

PE-13 Fire protection

This control recommends the organization ensure the facility housing the physical information system employs and maintains fire suppression and detection systems capable of activating off of its own independent power supply during a fire incident.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

PE-14 Temperature and humidity controls

This control recommends the organization maintain temperature and humidity in the facility housing the physical information system at a defined set of acceptable levels, monitoring those levels at a defined frequency.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

PE-15 Water damage protection

This control recommends the organization ensure the facility housing the physical information system has emergency water shutoff or isolation valves that are accessible, functional, and clearly marked and known to personnel, with the goal of protecting the system components from water leakage.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

PE-16 Delivery and removal

This control recommends the organization ensure any pick-up or drop-off activities of information system components at the facility housing the physical information system are authorized, monitored, and controlled, preferably isolating such activities outside of areas where critical system components or media are located.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)