Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

pe-2

physical access authorizations

assessment objective:

Determine if the organization:  

pe-2(a)

pe-2(a)[1]

develops a list of individuals with authorized access to the facility where the information system resides;

pe-2(a)[2]

approves a list of individuals with authorized access to the facility where the information system resides;

pe-2(a)[3]

maintains a list of individuals with authorized access to the facility where the information system resides;

pe-2(b)

issues authorization credentials for facility access;

pe-2(c)

pe-2(c)[1]

defines the frequency to review the access list detailing authorized facility access by individuals;

pe-2(c)[2]

reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and

pe-2(d)

removes individuals from the facility access list when access is no longer required.

potential assessment methods and objects:

Examine: [select from: Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations].