PES-04.1: Working in Secure Areas
Physical security mechanisms exist to allow only authorized personnel access to secure areas.
Control Question: Does the organization allow only authorized personnel access to secure areas?
General (14)
| Framework | Mapping Values |
|---|---|
| CSA CCM 4 | DCS-09 HRS-03 |
| ISO 27002 2022 | 5.15 7.2 7.3 7.6 |
| ISO 27017 2015 | 11.1.2 11.1.5 |
| MPA Content Security Program 5.1 | OP-3.2 PS-1.0 PS-1.2 |
| NIST Privacy Framework 1.0 | PR.AC-P2 |
| NIST 800-171 R3 (source) | 03.08.01 03.08.02 03.10.07.a.01 03.10.07.a.02 03.10.07.d |
| NIST 800-172 | 3.13.4e |
| PCI DSS 4.0.1 (source) | 9.3.1.1 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 9.3.1.1 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 9.3.1.1 |
| SWIFT CSF 2023 | 3.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | PES-04.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | PES-04.1 |
| SCF CORE ESP Level 3 Advanced Threats | PES-04.1 |
US (10)
| Framework | Mapping Values |
|---|---|
| US CJIS Security Policy 5.9.3 (source) | 5.9.1.5 5.9.2 |
| US CMMC 2.0 Level 3 (source) | SC.L3-3.13.4E |
| US HIPAA Administrative Simplification 2013 (source) | 164.310(c) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.310(c) |
| US HIPAA HICP Medium Practice | 6.M.E |
| US HIPAA HICP Large Practice | 6.M.E |
| US IRS 1075 | 2.B.3 2.B.3.3 |
| US NNPI (unclass) | 11.1 11.2 11.3 |
| US - CA CCPA 2025 | 7123(c)(3)(D) |
| US - VT Act 171 of 2018 | 2447(b)(7) |
EMEA (4)
| Framework | Mapping Values |
|---|---|
| EMEA Israel CDMO 1.0 | 18.6 |
| EMEA Saudi Arabia ECC-1 2018 | 2-14-3-5 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-13-1-5 |
| EMEA Saudi Arabia SACS-002 | TPC-49 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0164 |
| APAC Japan ISMAP | 11.1.2 11.1.5 |
| APAC Singapore MAS TRM 2021 | 8.5.6(e) 5.5.6(f) |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.08.01 03.08.02 03.10.07.A.01 03.10.07.A.02 03.10.07.D |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to allow only authorized personnel access to secure areas.
Level 1 — Performed Informally
Physical & Environmental Security (PES) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Physical access control is decentralized.
- Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).
- Human Resources, or a similar function, maintains a current list of personnel and facilitates the implementation of physical access management controls.
- Facility security mechanisms exist to monitor physical access to business-critical information systems or sensitive/regulated data, in addition to the physical access monitoring of the facility.
Level 2 — Planned & Tracked
Physical & Environmental Security (PES) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Physical access control is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for physical access control.
- Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
- Physical security controls are primarily administrative in nature (e.g., policies & standards).
- Physical controls, administrative processes and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.
- Administrative processes, physical controls and technologies ensure that only authorized personnel are allowed access to secure areas.
Level 3 — Well Defined
Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.
- A physical security team, or similar function:
- A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
- Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
- Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
- Administrative processes, physical controls and technologies ensure that only authorized personnel are allowed access to secure areas.
Level 4 — Quantitatively Controlled
Physical & Environmental Security (PES) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to allow only authorized personnel access to secure areas.
Assessment Objectives
- PES-04.1_A01 physical security access controls allow only authorized personnel access to secure areas.
Technology Recommendations
Micro/Small
- Visitor escorts
Small
- Visitor escorts
Medium
- Visitor escorts
Large
- Visitor escorts
Enterprise
- Visitor escorts