PE-01-727 Physical and Environmental Protection Policies and Procedures

Physical and Environmental Protection Policies and Procedures

Control ID

PE-01-727

Control Name

Physical and Environmental Protection Policies and Procedures

Control Category

Physical and Environmental Protection

Functional Areas

Protect

Sub-Areas

Physical and Environmental Protection

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

January 29, 2016

Agency Implementation

Information resource owners are responsible for establishing a physical and environmental protection policy that covers all information resources under their control. Information resource custodians are responsible for developing procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental controls.

Information resource owners shall review their policies and procedures annually to ensure they remain appropriate to the resources under their control.

Risk Statement

Unauthorized parties have access to facilities due to security flaws in physical layout.

Control Description

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

Control Example

The organization has documented policies and supporting procedures to protect organizational facilities based on their criticality, and has implemented physical access safeguards to appropriate granting, controlling, and monitoring of physical access to organizational facilities.

State Implementation

The state organization head or his or her designated representative(s) shall document and manage physical access to mission critical information resources facilities to ensure the protection of information resources from unlawful or unauthorized access, use, modification or destruction.

Testing Procedures

Obtain physical and environmental protection policy and procedures and ascertain if : (I)the organization develops and documents physical and environmental protection policy and procedures. (ii)the organization disseminates physical and environmental protection policy and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review physical and environmental protection policy and procedures. (iv)the organization updates physical and environmental protection policy and procedures when organizational review indicates updates are required. (v)the physical and environmental protection policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance (vi)the physical and environmental protection policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance. (vii)the physical and environmental protection procedures address all areas identified in the physical and environmental protection policy and address achieving policy-compliant implementations of all associated physical and environmental protection controls.