3.10.2 has a weight of -5 points

(Physical Protection Family) 2/6

Protect and monitor the physical facility and support infrastructure for organizational systems.

Video

Example of Sysytem Security Plan (SSP):

    Control 3.10.2 System Security Plan (SSP)

    Title: Protect and Monitor Physical Facilities and Support Infrastructures

    Purpose: To ensure the safety and security of organizational systems, equipment, and assets, by guarding against unauthorized access, damage, and theft.

    Implementation Details:

    1. Alarm System:
      • The building is equipped with a alarm system.
      • Monitored 24/7 by ADT to immediately respond to any alerts or breaches.
    2. IT Infrastructure:
      • The IT closet, which houses critical organizational systems, is locked at all times to prevent unauthorized access.
    3. Monitoring:
      • Camera Systems: Integrated camera systems have been installed throughout the facility. 
    4. Protection:
      • Access Control: Advanced door access systems have been set up, requiring key fobs or codes for entry, ensuring only authorized personnel can access restricted areas.
      • Personnel Training: Employees are trained to recognize and report any suspicious activities or individuals. This training promotes a culture of awareness and vigilance, reinforcing the “if you see something, say something” mantra.
    5. Support Infrastructure:
      • Besides the IT closets, the facility also has power generators, power meters, and other infrastructure essentials. These too are safeguarded against unauthorized access or tampering.
    6. Additional Measures:
      • Fire Safety: The building is equipped with a comprehensive fire alarm and safety system.
      • Security Personnel: Trained security personnel monitor and guard the facility. If a location doesn’t have dedicated security staff, the existing personnel are trained with basic security measures.
      • Personnel Awareness Training: Regular training sessions are conducted to keep staff updated about security protocols and to foster a proactive security culture.
      • Monitoring Systems: The facility employs a closed-loop camera system, along with the alarm and fire system. These tools work in conjunction with trained personnel to offer robust protection.

    Example of Plan of Action and Milestones ( POA & M):

    Plan of Action and Milestones (POA&M) for Control 3.10.2

    Title: POA&M for Protecting and Monitoring Physical Facilities and Support Infrastructures

    1. Objective: Implement a comprehensive system to protect and monitor the organization’s physical facilities and support infrastructures in line with Control 3.10.2.

    Milestones:

    1. Assessment & Gap Identification:

      • Target Date: [Insert Date]
      • Activities:
        • Conduct a comprehensive assessment of current security and monitoring systems.
        • Identify areas of improvement and vulnerabilities.
      • Responsibility: Security Assessment Team

    2. Camera System Upgrade & Integration:

      • Target Date: [Insert Date]
      • Activities:
        • Source and integrate advanced camera systems.
        • Ensure they cover blind spots identified during the assessment.
      • Responsibility: IT and Infrastructure Team

    3. Access Control Enhancement:

      • Target Date: [Insert Date]
      • Activities:
        • Upgrade door access systems.
        • Implement multi-factor authentication where necessary.
      • Responsibility: Facility Management Team

    4. Personnel Training & Awareness:

      • Target Date: [Insert Date]
      • Activities:
        • Organize security awareness training sessions for all staff.
        • Introduce regular refresher courses.
      • Responsibility: HR and Security Training Team

    5. Infrastructure Safeguarding:

      • Target Date: [Insert Date]
      • Activities:
        • Ensure physical safeguards for IT closets, power generators, and other support infrastructures.
        • Regularly inspect and maintain these safeguards.
      • Responsibility: Infrastructure Maintenance Team

    6. Monitoring & Response Strategy:

      • Target Date: [Insert Date]
      • Activities:
        • Formulate a strategy for real-time monitoring and instant response to alerts.
        • Ensure ADT and in-house security personnel coordinate seamlessly.
      • Responsibility: Security Operations Team

    7. Review & Continuous Improvement:

      • Target Date: [Insert Date]
      • Activities:
        • Review the effectiveness of all implemented measures.
        • Identify areas for continuous improvement based on new challenges or technological advancements.
      • Responsibility: Security Assessment Team

    Resourcing:

    • Budget Allocation: [Insert Budget Estimate]
    • Technology Vendors: [Insert Names/List of Vendors]
    • Personnel Allocation: Define the number of personnel required for each task.

    Monitoring & Reporting:

    • Frequency: Quarterly
    • Responsibility: Security Operations Team
    • Communication: Updates to be communicated to Senior Management and relevant stakeholders.

    Sign Off:

    • Prepared by: [Your Name]
    • Date: [Insert Date]
    • Reviewed by: [Reviewer’s Name]
    • Date: [Insert Date]
    RELEVANT INFORMATION:

    Monitoring of physical access includes publicly accessible areas within organizational facilities. This can be accomplished, for example, by the employment of guards; the use of sensor devices; or the use of video surveillance equipment such as cameras. Examples of support infrastructure include system distribution, transmission, and power lines. Security controls applied to the support infrastructure prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Physical access controls to support infrastructure include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors.



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.