PES-19: Physical Access Device Inventories

There is no evidence of a capability to maintain an accurate inventory of all physical access devices (e.g., RFID cards, access fobs, door keys, etc.).

C|P-CMM1 is N/A, since a structured process is required to maintain an accurate inventory of all physical access devices (e.g., RFID cards, access fobs, door keys, etc.).

C|P-CMM2 is N/A, since a well-defined process is required to maintain an accurate inventory of all physical access devices (e.g., RFID cards, access fobs, door keys, etc.).

Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.

• A physical security team, or similar function:
• A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
• Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
• Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
• Physical controls are designed and implemented for offices, rooms and facilities.

Physical & Environmental Security (PES) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Physical & Environmental Security (PES) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
• Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.