Previous SEC 501‐06 Control References: 7.2.5
Withdrawn from SEC501‐07 PORTIONS KEPT FOR DMV
Control: The organization controls physical access to information system distribution and transmission lines within organizational facilities.
Supplemental Guidance: None
Control Enhancements for Sensitive Systems: None
PCI compliance: The requirements specified in this security control meet the following PCI‐DSS requirements:
9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunications lines.
12.3.6 Acceptable network locations for the technologies.
PE‐5 ACCESS CONTROL FOR OUTPUT DEVICES
Previous SEC 501‐06 Control References: 7.2.5
Control: The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Supplemental Guidance: Monitors, printers, and audio devices are examples of information system output devices.
Control Enhancements for Sensitive Systems: None
PCI compliance: The requirements specified in this security control meet the following PCI‐DSS requirements:
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
PE‐6 MONITORING PHYSICAL ACCESS
Previous SEC 501‐06 Control References: 7.2.6
Control: The organization:
a. Monitors physical access to the information system to detect and respond to physical security incidents;
b. Reviews physical access logs at least once every 60 days; and
c. Coordinates results of reviews and investigations with the organization’s incident response capability.
Supplemental Guidance: Investigation of and response to detected physical security incidents, including apparent security violations or suspicious physical access activities, are part of the organization’s incident response capability and must be reported to Commonwealth Security.
Control Enhancements for Sensitive Systems:
(1) The organization monitors real‐time physical intrusion alarms and surveillance equipment.
PCI compliance: The requirements specified in this security control meet the following PCI‐DSS requirements:
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.1.1 Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
PE‐7 VISITOR CONTROL
Previous SEC 501‐06 Control References: 8.2.2.2
Control: The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides, other than areas designated as publicly accessible.
Supplemental Guidance: Individuals (to include organizational employees, contract personnel, and others) with permanent authorization credentials for the facility are not considered visitors.
Control Enhancements for Sensitive Systems:
(1) The organization escorts visitors and monitors visitor activity, when required.
PCI compliance: The requirements specified in this security control meet the following PCI‐DSS requirements:
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible.
9.3 Make sure all visitors are handled as follows:
9.3.1 Authorized before entering areas where cardholder data is processed or maintained.
9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as not onsite personnel.
9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration.
9.4 Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
PE‐8 ACCESS RECORDS (VISITOR)
Previous SEC 501‐06 Control References: 7.2.6/7.2.7
Control: The organization:
a. Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
b. Reviews visitor access records at least once every 90 days.
Supplemental Guidance: Visitor access records include, for example, name/organization of the person visiting, signature of the visitor, form(s) of identification, date of access, time of entry and departure, purpose of visit, and name/organization of person visited.
Control Enhancements for Sensitive Systems:
(2) The organization maintains a record of all physical access, both visitor and authorized individuals.
PCI compliance: The requirements specified in this security control meet the following PCI‐DSS requirements:
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible.
9.4 Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
PE‐9 POWER EQUIPMENT AND POWER CABLING
Previous SEC 501‐06 Control References: 7.2
Control: The organization protects power equipment and power cabling for the information system from damage and destruction.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements for Sensitive Systems:
PCI compliance: PCI‐DSS has no requirement for this control.
PE‐10 EMERGENCY SHUTOFF
Previous SEC 501‐06 Control References: 7.2
Control: The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in an organization‐defined location, by information system or system component, to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
Supplemental Guidance: This control applies to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.
Control Enhancements for Sensitive Systems:
PCI compliance: PCI‐DSS has no requirement for this control.
PE‐11 EMERGENCY POWER
Previous SEC 501‐06 Control References: 7.2
Control: The organization provides a short‐term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements for Sensitive Systems:
PCI compliance: PCI‐DSS has no requirement for this control.
PE‐13 FIRE PROTECTION
Previous SEC 501‐06 Control References: 7.2
Control: The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Supplemental Guidance: Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors. This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements for Sensitive Systems:
PCI compliance: PCI‐DSS has no requirement for this control.
PE‐14 TEMPERATURE AND HUMIDITY CONTROLS
Previous SEC 501‐06 Control References: 7.2
Control: The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at a temperature of 72 degrees F (+/‐ 2 F) and a relative humidity of 45% (+/‐ 5%); and
b. Monitors temperature and humidity levels on a daily basis.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements for Sensitive Systems:
PCI compliance: PCI‐DSS has no requirement for this control.