PES-11: Alternate Work Site
Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites.
Control Question: Does the organization utilize appropriate management, operational and technical controls at alternate work sites?
General (21)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | A1.2 |
| GovRAMP Low+ | PE-17 |
| GovRAMP Moderate | PE-17 |
| GovRAMP High | PE-17 |
| NIST 800-53 R4 | PE-17 |
| NIST 800-53 R4 (moderate) | PE-17 |
| NIST 800-53 R4 (high) | PE-17 |
| NIST 800-53 R5 (source) | PE-17 |
| NIST 800-53B R5 (moderate) (source) | PE-17 |
| NIST 800-53B R5 (high) (source) | PE-17 |
| NIST 800-82 R3 MODERATE OT Overlay | PE-17 |
| NIST 800-82 R3 HIGH OT Overlay | PE-17 |
| NIST 800-161 R1 | PE-17 |
| NIST 800-161 R1 Level 3 | PE-17 |
| NIST 800-171 R2 (source) | 3.10.6 |
| NIST 800-171A (source) | 3.10.6[a] 3.10.6[b] |
| NIST 800-171 R3 (source) | 03.10.06.a 03.10.06.b |
| NIST 800-171A R3 (source) | A.03.10.06.ODP[01] A.03.10.06.a A.03.10.06.b |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | PES-11 |
| SCF CORE ESP Level 2 Critical Infrastructure | PES-11 |
| SCF CORE ESP Level 3 Advanced Threats | PES-11 |
US (13)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | EC:SG2.SP1 |
| US CMMC 2.0 Level 2 (source) | PE.L2-3.10.6 |
| US CMMC 2.0 Level 3 (source) | PE.L2-3.10.6 |
| US CMS MARS-E 2.0 | PE-17 |
| US FedRAMP R4 | PE-17 |
| US FedRAMP R4 (moderate) | PE-17 |
| US FedRAMP R4 (high) | PE-17 |
| US FedRAMP R5 (source) | PE-17 |
| US FedRAMP R5 (moderate) (source) | PE-17 |
| US FedRAMP R5 (high) (source) | PE-17 |
| US IRS 1075 | PE-17 |
| US - TX DIR Control Standards 2.0 | PE-17 |
| US - TX TX-RAMP Level 2 | PE-17 |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | PS-02 |
| EMEA Israel CDMO 1.0 | 18.21 |
| EMEA UK DEFSTAN 05-138 | 2312 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.10.06.A 03.10.06.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to utilize appropriate management, operational and technical controls at alternate work sites.
Level 1 — Performed Informally
Physical & Environmental Security (PES) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Physical access control is decentralized.
- Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).
- Human Resources, or a similar function, maintains a current list of personnel and facilitates the implementation of physical access management controls.
Level 2 — Planned & Tracked
Physical & Environmental Security (PES) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Physical access control is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for physical access control.
- Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
- Physical security controls are primarily administrative in nature (e.g., policies & standards).
- Physical controls, administrative processes and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.
- Administrative processes, physical controls and technologies are employed at alternate work sites to provide “equal protection” of physical and digital assets.
Level 3 — Well Defined
Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.
- A physical security team, or similar function:
- A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
- Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
- Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
- Administrative processes, physical controls and technologies are employed at alternate work sites to provide “equal protection” of physical and digital assets.
Level 4 — Quantitatively Controlled
Physical & Environmental Security (PES) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize appropriate management, operational and technical controls at alternate work sites.
Assessment Objectives
- PES-11_A01 alternate work sites allowed for use by employees are defined.
- PES-11_A02 security requirements to be employed at alternate work sites are defined.
- PES-11_A03 alternate work sites allowed for use by employees are determined.
- PES-11_A04 organization-defined security requirements are employed at alternate work sites.
- PES-11_A05 the effectiveness of controls at alternate work sites is assessed.
- PES-11_A06 a means for employees to communicate with cybersecurity / data privacy personnel in case of incidents is provided.
- PES-11_A07 safeguarding measures for sensitive / regulated data are defined for alternate work sites.
- PES-11_A08 safeguarding measures for sensitive / regulated data are enforced for alternate work sites.
- PES-11_A09 the following security requirements are employed at alternate work sites: <A.03.10.06.ODP[01]: security requirements>.
Technology Recommendations
Micro/Small
- Formally-designated alternate work sites
Small
- Formally-designated alternate work sites
Medium
- Formally-designated alternate work sites
Large
- Formally-designated alternate work sites
Enterprise
- Formally-designated alternate work sites