Worksheet columns: Applicable (Y)es / (N)o; (C)onfidentiality, (I)ntegrity and (A)vailability, each scored L1, M2 or H3; RPN (C+I+A); (S)atisfactory; (O)ther than satisfactory.

| ID | Assessment objective | Applicable (Y/N) | C (L1/M2/H3) | I (L1/M2/H3) | A (L1/M2/H3) | RPN (C+I+A) | S | O |
|---|---|---|---|---|---|---|---|---|
| pe-3 | physical access control | | | | | | | |
| | assessment objective: Determine if the organization: | | | | | | | |
| pe-3(a)[1] | defines entry/exit points to the facility where the information system resides; | | | | | | | |
| pe-3(a)[2] | enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by: | | | | | | | |
| pe-3(a)[2](1) | verifying individual access authorizations before granting access to the facility; | | | | | | | |
| pe-3(a)[2](2)[a] | defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides; | | | | | | | |
| pe-3(a)[2](2)[b] | using one or more of the following ways to control ingress/egress to the facility: | | | | | | | |
| pe-3(a)[2](2)[b][1] | organization-defined physical access control systems/devices; and/or | | | | | | | |
| pe-3(a)[2](2)[b][2] | guards; | | | | | | | |
| pe-3(b)[1] | defines entry/exit points for which physical access audit logs are to be maintained; | | | | | | | |
| pe-3(b)[2] | maintains physical access audit logs for organization-defined entry/exit points; | | | | | | | |
| pe-3(c)[1] | defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible; | | | | | | | |
| pe-3(c)[2] | provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible; | | | | | | | |
| pe-3(d)[1] | defines circumstances requiring visitor: | | | | | | | |
| pe-3(d)[1][a] | escorts; | | | | | | | |
| pe-3(d)[1][b] | monitoring; | | | | | | | |
| pe-3(d)[2] | in accordance with organization-defined circumstances requiring visitor escorts and monitoring: | | | | | | | |
| pe-3(d)[2][a] | escorts visitors; | | | | | | | |
| pe-3(d)[2][b] | monitors visitor activities; | | | | | | | |
| pe-3(e)[1] | secures keys; | | | | | | | |
| pe-3(e)[2] | secures combinations; | | | | | | | |
| pe-3(e)[3] | secures other physical access devices; | | | | | | | |
| pe-3(f)[1] | defines physical access devices to be inventoried; | | | | | | | |
| pe-3(f)[2] | defines the frequency to inventory organization-defined physical access devices; | | | | | | | |
| pe-3(f)[3] | inventories the organization-defined physical access devices with the organization-defined frequency; | | | | | | | |
| pe-3(g)[1] | defines the frequency to change combinations and keys; and | | | | | | | |
| pe-3(g)[2] | changes combinations and keys with the organization-defined frequency and/or when: | | | | | | | |
| pe-3(g)[2][a] | keys are lost; | | | | | | | |
| pe-3(g)[2][b] | combinations are compromised; | | | | | | | |
| pe-3(g)[2][c] | individuals are transferred or terminated. | | | | | | | |

potential assessment methods and objects:

Examine: [select from: Physical and environmental protection policy; procedures addressing physical access control; security plan; physical access control logs or records; inventory records of physical access control devices; information system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records].

Interview: [select from: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for physical access control; automated mechanisms supporting and/or implementing physical access control; physical access control devices].