PES-18: On-Site Client Segregation
Mechanisms exist to ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces.
Control Question: Does the organization ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces?
General (3)
| Framework | Mapping Values |
|---|---|
| NIST 800-172 | 3.13.4e |
| TISAX ISA 6 | 5.3.4, 8.1.8 |
| SCF CORE ESP Level 3 Advanced Threats | PES-18 |
US (1)
| Framework | Mapping Values |
|---|---|
| US CMMC 2.0 Level 3 (source) | SC.L3-3.13.4E |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia SACS-002 | TPC-38 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces.
Level 3 — Well Defined
Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- A physical security team, or similar function:
  - Performs the centralized management of physical security controls across the enterprise.
  - Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.
- A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
- Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
- Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and a validated need for access.
- Physical controls are designed and implemented for offices, rooms and facilities.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces.
Assessment Objectives
- PES-18_A01 client-specific Intellectual Property (IP) is isolated from other data when client-specific IP is processed or stored within multi-client workspaces.