Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

pe-2(3)

physical access authorizations  | restrict unescorted access

assessment objective:

Determine if the organization:  

pe-2(3)[1]

defines credentials to be employed to restrict unescorted access to the facility where the information system resides to authorized personnel;

pe-2(3)[2]

restricts unescorted access to the facility where the information system resides to personnel with one or more of the following:

pe-2(3)[2][a]

security clearances for all information contained within the system;

pe-2(3)[2][b]

formal access authorizations for all information contained within the system;

pe-2(3)[2][c]

need for access to all information contained within the system; and/or

pe-2(3)[2][d]

organization-defined credentials.

potential assessment methods and objects:

Examine: [select from: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; security clearances; access authorizations; access credentials; physical access control logs or records; other relevant documents or records].

Interview: [select from: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations].