3.10.1 has a weight of -5 points
(Physical Protection Family) 1/6
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
Example of System Security Plan (SSP):
System Security Plan (SSP) for Control 3.10.3
Title: Visitor Management, Escort Protocol, and Incident Reporting
Purpose: To ensure the security and integrity of the facility by strictly monitoring and controlling the movements and activities of visitors within the premises.
Implementation Details:
- Visitor Registration and Identification:
  - All visitors are required to register their presence upon arrival at the facility.
  - Identification verification is a must to confirm the visitor’s identity and establish the purpose of their visit.
- Visitor Logging:
  - Upon registration, visitors are also required to sign a designated logbook.
  - The logbook captures details like the visitor’s full name, organization (if applicable), purpose of visit, and contact details.
  - The system further provides:
    - Proper visitor identification
    - U.S. person status verification (if applicable)
    - Entry and exit time stamping
- Visitor Access Restrictions:
  - Visitor access is strictly limited based on the purpose of their visit.
  - The principle of need-to-know governs access restrictions, ensuring visitors only access areas pertinent to their stated purpose.
- Escort Protocol:
  - All visitors are required to be escorted during their entire time in the facility.
  - Trained personnel are designated for this task to ensure adherence to access restrictions and security protocols.
  - Every visitor is assigned a single point of contact or person for their visit’s duration.
- Visitor Badge:
  - Visitors are provided with badges that detail both their name and their escort’s name.
  - This ensures visitors can be immediately questioned if found unaccompanied.
- Training and Awareness:
  - Personnel responsible for escorting and monitoring visitors undergo rigorous training on proper procedures and protocols.
  - This training ensures all security protocols are understood and followed meticulously.
- Incident Reporting and Response:
  - Any security concerns stemming from visitor activities are to be promptly reported.
  - The organization has a set incident response procedure in place to address and rectify any such issues.
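The SSP above describes a visitor register with a fixed set of logbook fields, a single assigned escort, a badge naming both visitor and escort, entry/exit stamping, and need-to-know area restrictions. The following is an added example of how such a register can be kept and checked; it is not code from the page or from any visitor-management product, and the field names, badge format, eight-hour maximum stay and the `check_sighting` API are assumptions made for illustration. It also shows the check a roving staff member would run when a badged visitor is seen without their escort or outside the areas tied to their stated purpose.

```python
"""Visitor register modelled on the SSP: logbook fields, escort assignment,
badge text, entry/exit stamping, and on-the-floor checks.
Constructed example; names, API and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class VisitorRecord:
    badge_id: str
    full_name: str
    organization: Optional[str]
    purpose: str
    contact: str
    us_person: Optional[bool]      # recorded only when applicable
    escort: str                    # single point of contact for the whole visit
    areas_allowed: Set[str]        # need-to-know: areas tied to the stated purpose
    entry_time: datetime
    exit_time: Optional[datetime] = None


class VisitorRegister:
    def __init__(self) -> None:
        self._records: List[VisitorRecord] = []
        self._seq = 0

    def sign_in(self, full_name: str, purpose: str, contact: str, escort: str,
                areas_allowed: Set[str], now: datetime, id_verified: bool,
                organization: Optional[str] = None,
                us_person: Optional[bool] = None) -> VisitorRecord:
        # Verified identification and an assigned escort are preconditions for entry.
        if not id_verified:
            raise ValueError("identity not verified; visitor may not be admitted")
        if not escort.strip():
            raise ValueError("no escort assigned; visitor may not be admitted")
        self._seq += 1
        rec = VisitorRecord(f"V{self._seq:04d}", full_name, organization, purpose,
                            contact, us_person, escort, set(areas_allowed), now)
        self._records.append(rec)
        return rec

    def sign_out(self, badge_id: str, now: datetime) -> VisitorRecord:
        rec = self._active(badge_id)
        if rec is None:
            raise KeyError(f"no active visit for badge {badge_id}")
        rec.exit_time = now
        return rec

    def badge_text(self, badge_id: str) -> str:
        # The badge names both the visitor and the escort, as the SSP requires.
        rec = self._active(badge_id)
        if rec is None:
            raise KeyError(f"no active visit for badge {badge_id}")
        return f"VISITOR: {rec.full_name} | ESCORT: {rec.escort}"

    def check_sighting(self, badge_id: str, area: str,
                       accompanied_by: Optional[str]) -> List[str]:
        """Findings when a badged visitor is seen in `area`; accompanied_by is None if alone."""
        rec = self._active(badge_id)
        if rec is None:
            return ["badge is not tied to an active visit"]
        findings = []
        if accompanied_by != rec.escort:
            findings.append(f"unaccompanied by assigned escort {rec.escort}")
        if area not in rec.areas_allowed:
            findings.append(f"area {area} outside stated purpose ({rec.purpose})")
        return findings

    def on_premises(self) -> List[VisitorRecord]:
        return [r for r in self._records if r.exit_time is None]

    def overstays(self, now: datetime,
                  max_stay: timedelta = timedelta(hours=8)) -> List[VisitorRecord]:
        # A visit never stamped out is the usual sign of a gap in the escort process.
        return [r for r in self.on_premises() if now - r.entry_time > max_stay]

    def _active(self, badge_id: str) -> Optional[VisitorRecord]:
        for r in self._records:
            if r.badge_id == badge_id and r.exit_time is None:
                return r
        return None


def demo() -> Dict[str, object]:
    """One constructed visit, returning the results of each check."""
    reg = VisitorRegister()
    t0 = datetime(2024, 3, 4, 9, 0)
    rec = reg.sign_in("A. Visitor", "printer service", "555-0100", "J. Escort",
                      {"lobby", "print room"}, t0, id_verified=True,
                      organization="Acme Service")
    out = {
        "badge_id": rec.badge_id,
        "badge_text": reg.badge_text(rec.badge_id),
        "escorted_in_allowed_area": reg.check_sighting(rec.badge_id, "print room", "J. Escort"),
        "alone_in_server_room": reg.check_sighting(rec.badge_id, "server room", None),
        "overstay_count_at_9h": len(reg.overstays(t0 + timedelta(hours=9))),
    }
    reg.sign_out(rec.badge_id, t0 + timedelta(hours=1))
    out["on_premises_after_signout"] = len(reg.on_premises())
    out["sighting_after_signout"] = reg.check_sighting(rec.badge_id, "lobby", "J. Escort")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The register refuses entry when identity is unverified or no escort is assigned, rather than recording the visit and hoping the gap is caught later; the `overstays` and `on_premises` views are what an end-of-day review of the logbook would look at.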
Example of Plan of Action and Milestones (POA&M):
Plan of Action and Milestones (POA&M) for Limiting Physical Access to Organizational Systems and Equipment
Control: Limiting Physical Access to Organizational Systems and Equipment
1. Identification of Gaps or Weaknesses:
- Gap/Weakness: Occasional lapse in checking visitors’ credentials.
  Action Plan: Implement a mandatory double-check system for visitors’ credentials.
  Completion Date: MM/DD/YYYY
  Responsible Party: Front Desk Staff
- Gap/Weakness: Inadequate training materials for new personnel regarding physical access protocols.
  Action Plan: Revise and improve training materials and conduct refresher courses for all personnel.
  Completion Date: MM/DD/YYYY
  Responsible Party: Training Department
2. Development of New Procedures or Enhancements:
- New Procedure: Introduce biometric access systems for high-security zones.
  Completion Date: MM/DD/YYYY
  Responsible Party: Security Department
- Enhancement: Upgrade video monitoring systems for clearer and more expansive coverage.
  Completion Date: MM/DD/YYYY
  Responsible Party: IT Department
3. Audits and Quality Assurance:
- Audit: Conduct surprise security audits to ensure adherence to protocols.
  Frequency: Quarterly
  Responsible Party: Internal Audit Team
- Quality Assurance: Regularly review incident reports to identify patterns and address systemic issues.
  Frequency: Monthly
  Responsible Party: Security Department
4. Training and Skill Enhancement:
- Training: Organize monthly awareness programs about the importance of physical access control.
  Completion Date: MM/DD/YYYY
  Responsible Party: Training Department
- Skill Enhancement: Provide advanced training on the use of new biometric systems.
  Completion Date: MM/DD/YYYY
  Responsible Party: IT and Training Departments
5. Monitoring and Tracking:
- Tracking: Maintain a digital log of all access events, including unauthorized attempts.
  Frequency: Daily
  Responsible Party: Security Department
- Monitoring: Ensure all video monitoring systems are operational and well-maintained.
  Frequency: Weekly
  Responsible Party: IT Department
6. Incident Reporting and Mitigation:
- Mitigation: In case of unauthorized access incidents, immediately initiate incident response protocols.
  Frequency: As incidents occur
  Responsible Party: Security Department
7. Review and Revision:
- Review: Conduct biannual reviews of the physical access control measures.
  Completion Date: MM/DD/YYYY and MM/DD/YYYY
  Responsible Party: Review Committee
- Revision: Based on the reviews, make necessary changes to the security infrastructure and protocols.
  Completion Date: MM/DD/YYYY
  Responsible Party: Security Department
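The POA&M's "Monitoring and Tracking" item calls for a daily digital log of all access events, including unauthorized attempts, and the "Incident Reporting and Mitigation" item for acting on them. The following added example shows what the daily review of such a log can look like: it parses badge-reader events, flags repeated denials at one door, entries to a restricted room outside business hours, and log lines it cannot parse. This is not code from the page or from any access-control product; the log line format, the reader names, the business-hours window and the denial threshold are all constructed assumptions, and the sample log is constructed.

```python
"""Daily review of a physical access-control (badge reader) log.
Constructed example; log format, reader names and thresholds are assumptions."""
import re
from collections import Counter
from datetime import datetime, time
from typing import Dict, List

# Constructed sample log: one line per badge presentation. The last line is
# deliberately malformed (no result field) to show how such lines are surfaced.
SAMPLE_LOG = """\
2024-03-04T08:55:10 reader=LOBBY-1 badge=E0007 result=GRANTED
2024-03-04T09:02:31 reader=SRV-ROOM badge=E0007 result=GRANTED
2024-03-04T12:14:02 reader=SRV-ROOM badge=E1042 result=DENIED reason=NOT_AUTHORIZED
2024-03-04T12:14:20 reader=SRV-ROOM badge=E1042 result=DENIED reason=NOT_AUTHORIZED
2024-03-04T12:14:41 reader=SRV-ROOM badge=E1042 result=DENIED reason=NOT_AUTHORIZED
2024-03-04T22:40:05 reader=SRV-ROOM badge=E0311 result=GRANTED
2024-03-04T23:10:55 reader=LOBBY-1 badge=V0001 result=DENIED reason=BADGE_EXPIRED
2024-03-04T23:30:00 reader=LOBBY-1 badge=E0007
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reader=(?P<reader>\S+) badge=(?P<badge>\S+) "
    r"result=(?P<result>GRANTED|DENIED)(?: reason=(?P<reason>\S+))?$")

RESTRICTED_READERS = {"SRV-ROOM"}           # assumed: doors to non-public equipment rooms
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working window
DENIED_THRESHOLD = 3                        # assumed: repeated denials worth a look


def parse_log(text: str) -> List[dict]:
    """Turn raw log text into event dicts; unparseable lines are kept and marked."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            events.append({"line": n, "raw": line, "malformed": True})
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["line"] = n
        ev["malformed"] = False
        events.append(ev)
    return events


def review(events: List[dict]) -> Dict[str, List[str]]:
    """Findings a security desk would follow up on from one day's events."""
    findings: Dict[str, List[str]] = {
        "repeated_denials": [], "after_hours_restricted": [], "malformed": []}
    denials: Counter = Counter()
    for ev in events:
        if ev["malformed"]:
            # A line the reader could not parse is itself worth a look: the log is
            # the record of who was where, so gaps in it matter.
            findings["malformed"].append(f"line {ev['line']}: {ev['raw']}")
            continue
        if ev["result"] == "DENIED":
            denials[(ev["badge"], ev["reader"])] += 1
        elif ev["reader"] in RESTRICTED_READERS:
            t = ev["ts"].time()
            if not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
                findings["after_hours_restricted"].append(
                    f"{ev['ts'].isoformat()} badge {ev['badge']} entered {ev['reader']}")
    for (badge, reader), count in sorted(denials.items()):
        if count >= DENIED_THRESHOLD:
            findings["repeated_denials"].append(
                f"badge {badge} denied {count}x at {reader}")
    return findings


def review_text(text: str) -> Dict[str, List[str]]:
    return review(parse_log(text))


if __name__ == "__main__":
    for category, items in review_text(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```

An after-hours entry to a restricted room is not in itself a violation, which is why it is reported as a finding for review rather than as an incident; whether it becomes one is decided under the incident response procedure the POA&M refers to, with the badge holder and the room owner.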
RELEVANT INFORMATION:
This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have not been designated as publicly accessible. Limiting physical access to equipment may include placing equipment in locked rooms or other secured areas and allowing access to authorized individuals only; and placing equipment in locations that can be monitored by organizational personnel. Computing devices, external disk drives, networking devices, monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of equipment.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.