PES-06.1: Distinguish Visitors from On-Site Personnel

There is no evidence of a capability to easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.

Physical & Environmental Security (PES) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Physical access control is decentralized.
• Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).
• Human Resources, or a similar function, maintains a current list of personnel and facilitates the implementation of physical access management controls.

Physical & Environmental Security (PES) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Physical access control is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for physical access control.
• Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
• Physical security controls are primarily administrative in nature (e.g., policies & standards).
• Physical controls, administrative processes and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
• A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.
• Administrative processes, physical controls and technologies easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.

Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.

• A physical security team, or similar function:
• A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
• Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
• Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
• Administrative processes, physical controls and technologies easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.
• Administrative processes, physical controls and technologies identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.