Physical and environmental protection


The controls and activities in the Physical and environmental protection (PE) family support limiting physical access to systems, equipment, and the respective operating environments to authorized individuals. They enable the protection of the physical plant and support infrastructure for systems, the protection of systems against environmental hazards, and the provision of appropriate environmental controls in facilities containing systems.

PE-01 Physical and environmental protection policy and procedures

Activity

  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
    1. [Selection (1 or more): Organization-level; Mission/business process-level; System-level] physical and environmental protection policy that
      1. addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
      2. is consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines
    2. procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures
  3. Review and update the current physical and environmental protection
    1. policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
    2. procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]

Discussion

Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures.

In general, security and privacy program policies and procedures at the organization level are preferable and may remove the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations.

Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents.

Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Related controls and activities

AT-03, PM-09, PS-08, SI-02, SI-12.

Enhancements

None.

References

 

PE-02 Physical access authorizations

Control

  1. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides
  2. Issue authorization credentials for facility access
  3. Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]
  4. Remove individuals from the facility access list when access is no longer required

Discussion

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include identification badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

Related controls and activities

AT-03, AU-09, IA-04, MA-05, MP-02, PE-03, PE-04, PE-05, PE-08, PM-12, PS-03, PS-04, PS-05, PS-06.

Enhancements

  • (01) Physical access authorizations: Access by position or role
    • Authorize physical access to the facility where the system resides based on position or role.
    • Discussion: Role-based facility access includes access by authorized permanent and regular/routine maintenance personnel, duty officers, and emergency medical staff.
    • Related controls and activities: AC-02, AC-03, AC-06.
  • (02) Physical access authorizations: Two forms of identification
    • Require 2 forms of identification from the following forms of identification for visitor access to the facility where the system resides: [Assignment: organization-defined list of acceptable forms of identification].
    • Discussion: Examples of acceptable forms of identification include passports, federal, provincial, or territorial issued identification cards, and military identification cards. To gain access to facilities using automated mechanisms, organizations may use radio frequency identification (RFID) key cards, PINs, and biometrics. Organizations should recognize that these forms of identification are considered personal information and should be protected accordingly.
    • Related controls and activities: IA-02, IA-04, IA-05.
  • (03) Physical access authorizations: Restrict unescorted access
    • Restrict unescorted access to the facility where the system resides to personnel with [Selection (1 or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined physical access authorizations]].
    • Discussion: Individuals without required security clearances, access approvals, or need to know are escorted by individuals with appropriate physical access authorizations to ensure that information is not exposed or otherwise compromised.
    • Related controls and activities: PS-02, PS-06.
  • (400) Physical access authorizations: Identification card requirements
    • Ensure identification cards meet requirements prior to issuance.
    • Discussion: None.
    • GC discussion: The organization issues an identification card to all personnel, which as a minimum includes the name of the organization, the bearer’s name and photo, a unique card number, and an expiry date. Identification cards may contain personal information and should be protected accordingly.
    • Related controls and activities: None.

References

 

PE-03 Physical access control

Control

  1. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by
    1. verifying individual access authorizations before granting access to the facility
    2. controlling ingress and egress to the facility using [Selection (1 or more): [Assignment: organization-defined physical access control systems or devices]; guards]
  2. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points]
  3. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls]
  4. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity]
  5. Secure keys, access cards, combinations, safes, cipher locks, and other physical access devices
  6. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]
  7. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, or combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated
  8. Remove the access card identifier from the access list or database [Assignment: organization-defined frequency] when the access card is lost, misplaced, stolen, or when the individual possessing the card is transferred or terminated

Discussion

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers.

Physical access control systems comply with applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

Related controls and activities

AT-03, AU-02, AU-06, AU-09, AU-13, CP-10, IA-03, IA-08, MA-05, MP-02, MP-04, PE-02, PE-04, PE-05, PE-08, PS-02, PS-03, PS-06, PS-07, RA-03, SC-28, SI-04, SR-03.

Enhancements

  • (01) Physical access control: System access
    • Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].
    • Discussion: Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components.
    • Related controls and activities: None.
  • (02) Physical access control: Facility and systems
    • Perform security checks [Assignment: organization-defined frequency] at the physical perimeter of the facility or system for exfiltration of information or removal of system components.
    • Discussion: Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration.
    • Related controls and activities: AC-04, SC-07.
  • (03) Physical access control: Continuous guards
    • Employ guards to control [Assignment: organization-defined physical access points] to the facility where the system resides 24 hours per day, 7 days per week.
    • Discussion: Employing guards at selected physical access points to the facility provides a more rapid response capability for organizations. Guards also provide the opportunity for human surveillance in areas of the facility not covered by video surveillance.
    • Related controls and activities: CP-06, CP-07, PE-06.
  • (04) Physical access control: Lockable casings
    • Use lockable physical casings to protect [Assignment: organization-defined system components] from unauthorized physical access.
    • Discussion: The greatest risk from the use of portable devices — such as smart phones, tablets, and notebook computers — is theft. Organizations can employ lockable, physical casings to reduce or eliminate the risk of equipment theft or tampering. Such casings come in a variety of sizes, from units that protect a single notebook computer to full cabinets that can protect multiple servers, computers, and peripherals. Lockable physical casings can be used in conjunction with cable locks or lockdown plates to prevent the theft of the locked casing containing the computer equipment.
    • Related controls and activities: None.
  • (05) Physical access control: Tamper protection
    • Employ [Assignment: organization-defined anti-tamper technologies] to [Selection (1 or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the system.
    • Discussion: Organizations can implement tamper detection and prevention in selected hardware components or implement tamper detection in some components and tamper prevention in other components. Detection and prevention activities can employ many types of anti-tamper technologies, including tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks.
    • Related controls and activities: SA-16, SR-09, SR-11.
  • (06) Physical access control: Facility penetration testing
    • Withdrawn: Incorporated into CA-08.
  • (07) Physical access control: Physical barriers
    • Limit access using physical barriers.
    • Discussion: Physical barriers include bollards, concrete slabs, jersey walls, and hydraulic active vehicle barriers.
    • Related controls and activities: None.
  • (08) Physical access control: Access control vestibules
    • Employ access control vestibules at [Assignment: organization-defined locations within the facility].
    • Discussion: An access control vestibule is part of a physical access control system that typically provides a space between 2 sets of interlocking doors. Vestibules are designed to prevent unauthorized individuals from following authorized individuals into facilities with controlled access. This activity, also known as piggybacking or tailgating, results in unauthorized access to the facility. Interlocking door controllers can be used to limit the number of individuals who enter controlled access points and to provide containment areas while authorization for physical access is verified.
      Interlocking door controllers can be fully automated (i.e., controlling the opening and closing of the doors) or partially automated (i.e., using security guards to control the number of individuals entering the containment area).
    • Related controls and activities: None.
  • (400) Physical access control: Security inspections
    • Conduct security inspections in facilities where sensitive or valuable information or assets are handled or stored, or in facilities supporting critical services or activities.
    • Discussion: None.
    • GC discussion: Security inspections are conducted to verify compliance with departmental security practices. They must be conducted by authorized personnel and in accordance with defined processes and timelines. In emergency or heightened threat situations, the frequency or depth of security inspections is increased to achieve a higher readiness level. Non-compliance shall be reported in accordance with defined processes to enable the implementation of corrective actions and, when applicable, to report to the responsible authorities.
    • Related controls and activities: None.

References

 

PE-04 Access control for transmission

Control

Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls].

Discussion

Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.

Related controls and activities

AT-03, IA-04, MP-02, MP-04, PE-02, PE-03, PE-05, PE-09, SC-07, SC-08.

Enhancements

None.

References

RCMP GCPSG-006 Access Management Guide (restricted to GC)

 

PE-05 Access control for output devices

Control

Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output.

Discussion

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

Related controls and activities

PE-02, PE-03, PE-04, PE-18.

Enhancements

  • (01) Access control for output devices: Access to output by authorized individuals
    • Withdrawn: Incorporated into PE-05.
  • (02) Access control for output devices: Link to individual identity
    • Link individual identity to receipt of output from output devices.
    • Discussion: Methods for linking individual identity to the receipt of output from output devices include installing security functionality on facsimile machines, copiers, and printers. Such functionality allows organizations to implement authentication on output devices prior to the release of output to individuals.
    • Related controls and activities: None.
  • (03) Access control for output devices: Marking output devices
    • Withdrawn: Incorporated into PE-22.

References

RCMP GCPSG-015 Guide to the Application of Physical Security Zones (restricted to GC) (PDF)

 

PE-06 Monitoring physical access

Control

  1. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents
  2. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]
  3. Coordinate results of reviews and investigations with the organizational incident response capability

Discussion

Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include employing guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-02, if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.
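
The following is an added example, not part of the control catalogue, showing how an automated review of physical access logs could flag the four kinds of suspicious activity listed above. The log format, badge and area names, per-badge baseline, and thresholds are all assumptions constructed for illustration; in practice they are organization-defined.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed review parameters (organization-defined in practice).
WORK_START, WORK_END = 7, 19        # normal hours: 07:00 to 18:59, Monday to Friday
MAX_DWELL = timedelta(hours=10)     # longest expected continuous stay in one area
REPEAT_THRESHOLD = 3                # entries to an unusual area before flagging

# Constructed baseline: areas each badge normally enters.
USUAL_AREAS = {
    "B100": {"lobby", "office"},
    "B200": {"lobby", "office", "server-room"},
}

# Constructed sample log: timestamp,badge,area,direction
SAMPLE_LOG = """\
2024-03-04T08:55:00,B100,office,IN
2024-03-04T10:00:00,B100,server-room,IN
2024-03-04T10:05:00,B100,server-room,OUT
2024-03-04T11:00:00,B100,server-room,IN
2024-03-04T11:04:00,B100,server-room,OUT
2024-03-04T14:00:00,B100,server-room,IN
2024-03-04T14:03:00,B100,server-room,OUT
2024-03-04T17:05:00,B100,office,OUT
2024-03-05T02:14:00,B200,server-room,IN
2024-03-05T09:00:00,B100,office,OUT
2024-03-05T13:30:00,B200,server-room,OUT
"""


def parse(log_text):
    """Turn the CSV-style log into time-ordered (timestamp, badge, area, direction) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, badge, area, direction = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), badge, area, direction))
    return sorted(events)


def review(events):
    """Return findings as (rule, badge, area, timestamp) tuples, in log order."""
    findings = []
    inside = {}            # (badge, area) -> time of the currently open entry
    unusual = Counter()    # (badge, area) -> entries to an area outside the baseline

    for ts, badge, area, direction in events:
        key = (badge, area)

        # Accesses outside of normal work hours (including weekends).
        if ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END):
            findings.append(("after_hours", badge, area, ts))

        if direction == "IN":
            # Out-of-sequence: a second entry with no exit recorded in between.
            if key in inside:
                findings.append(("out_of_sequence", badge, area, ts))
            inside[key] = ts

            # Repeated accesses to areas not normally accessed by this badge.
            if area not in USUAL_AREAS.get(badge, set()):
                unusual[key] += 1
                if unusual[key] == REPEAT_THRESHOLD:
                    findings.append(("repeated_unusual_area", badge, area, ts))

        elif direction == "OUT":
            entered = inside.pop(key, None)
            if entered is None:
                # Out-of-sequence: an exit with no matching entry.
                findings.append(("out_of_sequence", badge, area, ts))
            elif ts - entered > MAX_DWELL:
                # Access for an unusual length of time.
                findings.append(("long_dwell", badge, area, ts))

    return findings


if __name__ == "__main__":
    for rule, badge, area, ts in review(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {rule:<22} badge={badge} area={area}")
```

Findings from a review like this are inputs to the coordination with incident response described in the control, and the log itself holds personal information that should be protected accordingly.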

Related controls and activities

AU-02, AU-06, AU-09, AU-12, CA-07, CP-10, IR-04, IR-08.

Enhancements

  • (01) Monitoring physical access: Intrusion alarms and surveillance equipment
    • Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.
    • Discussion: Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached.
      Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility. In the event that surveillance videos are recorded, this may constitute personal information and should be protected appropriately.
    • Related controls and activities: None.
  • (02) Monitoring physical access: Automated intrusion recognition and response
    • Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms].
    • Discussion: Response actions can include notifying selected organizational personnel or law enforcement personnel. Automated mechanisms implemented to initiate response actions include system alert notifications, email and text messages, and activating door locking mechanisms. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide integrated threat coverage for the organization. Care should be taken to ensure the least amount of personal information is both collected and communicated for intrusion recognition and response.
    • Related controls and activities: SI-04.
  • (03) Monitoring physical access: Video surveillance
      1. Employ video surveillance of [Assignment: organization-defined operational areas]
      2. Review video recordings [Assignment: organization-defined frequency]
      3. Retain video recordings for [Assignment: organization-defined time period]
    • Discussion: Video surveillance focuses on recording activity in specified areas for the purposes of subsequent review, if circumstances so warrant. Video recordings are typically reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not required, although organizations may choose to do so. A threat and risk assessment (TRA) will assist in determining specifics of video retention, storage, use, or release. Prior to installing closed circuit TV or video equipment (CCTV/CCVE), research into local laws and regulations should be considered. Video recordings may collect and store personal information and should be protected appropriately.
    • Related controls and activities: None.
  • (04) Monitoring physical access: Monitoring physical access to systems
    • Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].
    • Discussion: Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centres. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization.
    • Related controls and activities: None.

References

 

PE-07 Visitor control

Withdrawn: Incorporated into PE-02 and PE-03.

 

PE-08 Visitor access records

Control

  1. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period].
  2. Review visitor access records [Assignment: organization-defined frequency].
  3. Report anomalies in visitor access records to [Assignment: organization-defined personnel].

Discussion

Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas. Visitor signatures and identification, along with (at times) the purpose of the visit may be considered personal information and should be protected accordingly. Organizations should contact their appropriate privacy senior official or executive for information.

GC discussion

Where appropriate, access records can include the entry and exit of specific facilities, zones, or sensitive areas. These activities are recorded in accordance with departmental security practices and with records retention and disposition schedules.

Related controls and activities

PE-02, PE-03, PE-06.

Enhancements

  • (01) Visitor access records: Automated records maintenance and review
    • Maintain and review visitor access records using [Assignment: organization-defined automated mechanisms].
    • Discussion: Visitor access records may be stored and maintained in a database that is accessible by organizational personnel with a documented need to know. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions. This database should be reviewed periodically for compliance to the organization’s approved retention schedule.
    • Related controls and activities: None.
  • (02) Visitor access records: Physical access records
    • Withdrawn: Incorporated into PE-02.
  • (03) Visitor access records: Limit personal information elements
    • Limit personal information contained in visitor access records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements].
    • Discussion: Organizations may have requirements that specify the contents of visitor access records. Care should be taken to ensure the least amount of personal information is collected and stored for visitor access records when such information is not needed for operational purposes. This will help reduce the level of privacy risk created by such a system.
    • Related controls and activities: RA-03, SA-08.

References

 

PE-09 Power equipment and cabling

Control

Protect power equipment and power cabling for the system from damage and destruction.

Discussion

Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptible power sources in offices or data centres, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems.

Related controls and activities

PE-04.

Enhancements

  • (01) Power equipment and cabling: Redundant cabling
    • Employ redundant power cabling paths that are physically separated by [Assignment: organization-defined distance].
    • Discussion: Physically separate and redundant power cables ensure that power continues to flow in the event that one of the cables is cut or otherwise damaged.
    • Related controls and activities: None.
  • (02) Power equipment and cabling: Automatic voltage controls
    • Employ automatic voltage controls for [Assignment: organization-defined critical system components].
    • Discussion: Automatic voltage controls can monitor and control voltage. Such controls include voltage regulators, voltage conditioners, and voltage stabilizers.
    • Related controls and activities: None.

References

None.

 

PE-10 Emergency shutoff

Control

  1. Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations
  2. Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel
  3. Protect emergency power shutoff capability from unauthorized activation

Discussion

Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centres, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.

Related controls and activities

PE-15.

Enhancements

  • (01) Emergency shutoff: Accidental and unauthorized activation
    • Withdrawn: Incorporated into PE-10.

References

None.

 

PE-11 Emergency power

Control

Provide an uninterruptible power supply to facilitate [Selection (1 or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss.

Discussion

An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centres, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or to properly shut down the system.

Related controls and activities

AT-03, CP-02, CP-07.

Enhancements

  • (01) Emergency power: Alternate power supply — minimal operational capability
    • Provide an alternate power supply for the system that is activated [Selection (1): manually; automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.
    • Discussion: Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply.
    • Related controls and activities: None.
  • (02) Emergency power: Alternate power supply — self-contained
    • Provide an alternate power supply for the system that is activated [Selection (1): manually; automatically] and that is:
      1. self-contained
      2. not reliant on external power generation
      3. capable of maintaining [Selection (1): minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source
    • Discussion: The provision of a long-term, self-contained power supply can be satisfied by using one or more generators with sufficient capacity to meet the needs of the organization.
    • Related controls and activities: None.

References

 

PE-12 Emergency lighting

Control

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

Discussion

The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centres, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.

Related controls and activities

CP-02, CP-07.

Enhancements

  • (01) Emergency lighting: Essential mission and business functions
    • Provide emergency lighting for all areas within the facility supporting essential mission and business functions.
    • Discussion: Organizations define their essential missions and functions.
    • Related controls and activities: None.

References

RCMP GCPSG-004 Security Lighting Considerations Guide

 

PE-13 Fire protection

Control

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

Discussion

The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centres, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate or can be separated from the energy sources providing power for the other parts of the facility.

Related controls and activities

AT-03.

Enhancements

  • (01) Fire protection: Detection systems — automatic activation and notification
    • Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
    • Discussion: Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.
    • Related controls and activities: None.
  • (02) Fire protection: Suppression systems — automatic activation and notification
      1. Employ fire suppression systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]
      2. Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis
    • Discussion: Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.
    • Related controls and activities: None.
  • (03) Fire protection: Automatic fire suppression
    • Withdrawn: Incorporated into PE-13(02).
  • (04) Fire protection: Inspections
    • Ensure that the facility undergoes [Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and that identified deficiencies are resolved within [Assignment: organization-defined time period].
    • Discussion: Authorized and qualified personnel within the jurisdiction of the organization include provincial and municipal fire inspectors and fire marshals. Organizations provide escorts during inspections in situations where the systems that reside within the facilities contain sensitive information.
    • Related controls and activities: None.
  • (400) Fire protection: Emergency services
    • Ensure that firefighting water capacity and effective response times of emergency services are considered when developing safeguarding strategies.
    • Discussion: Firefighting water capacity and the effective response times of firefighters and police need to be considered during the development of safeguarding strategies, based on the principles of protection, detection, and response. This consideration applies to site selection, facilities, and assets. If emergency response times are inadequate, alternative or additional measures for life safety and asset protection may be required.
    • Related controls and activities: None.

References

 

PE-14 Environmental controls

Control

  1. Maintain [Selection (1 or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]
  2. Monitor environmental control levels [Assignment: organization-defined frequency]

Discussion

The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centres, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.

Related controls and activities

AT-03, CP-02.

Enhancements

  • (01) Environmental controls: Automatic controls
    • Employ the following automatic environmental controls in the facility to prevent potentially harmful fluctuations to the system: [Assignment: organization-defined automatic environmental controls].
    • Discussion: The implementation of automatic environmental controls provides an immediate response to environmental conditions that can damage, degrade, or destroy organizational systems or systems components.
    • Related controls and activities: None.
  • (02) Environmental controls: Monitoring with alarms and notifications
    • Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles].
    • Discussion: The alarm or notification may be an audible alarm or a visual message in real time to personnel or roles defined by the organization. Such alarms and notifications can help minimize harm to individuals and damage to organizational assets by facilitating a timely incident response.
    • Related controls and activities: None.

References

None.

 

PE-15 Water damage protection

Control

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

Discussion

The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centres, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.

Related controls and activities

AT-03, PE-10.

Enhancements

  • (01) Water damage protection: Automation support
    • Detect the presence of water near the system and alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms].
    • Discussion: Automated mechanisms include notification systems, water detection sensors, and alarms.
    • Related controls and activities: None.

References

None.

 

PE-16 Delivery and removal

Control

  1. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility
  2. Maintain records of the system components

Discussion

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

Related controls and activities

CM-03, CM-08, MA-02, MA-03, MP-05, PE-20, SR-02, SR-03, SR-04, SR-06.

Enhancements

None.

References

RCMP GCPSG-006 Access Management Guide (restricted to GC)

 

PE-17 Alternate work site

Control

  1. Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees
  2. Employ the following controls at alternate work sites: [Assignment: organization-defined controls]
  3. Assess the effectiveness of controls at alternate work sites
  4. Provide a means for employees to communicate with information security and privacy personnel in case of incidents

Discussion

Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.

Related controls and activities

AC-17, AC-18, CP-07.

Enhancements

None.

References

RCMP GCPSG-008 Physical Security Considerations for Remote and Telework Environments

 

PE-18 Location of system components

Control

Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.

Discussion

Physical and environmental hazards include floods, tsunami, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, electromagnetic pulse (EMP), electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers, microphones, or unauthorized disclosure of information.

Related controls and activities

CP-02, PE-05, PE-19, PE-20, RA-03.

Enhancements

  • (01) Location of system components: Facility site
    • Withdrawn: Moved to PE-23.

References

 

PE-19 Information leakage

Control

Protect the system from information leakage due to electromagnetic signals emanations.

Discussion

Information leakage is the intentional or unintentional release of data or information to an untrusted environment from electromagnetic signals emanations. The security categories or classifications of systems (with respect to confidentiality), organizational security policies, and risk tolerance guide the selection of controls employed to protect systems against information leakage due to electromagnetic signals emanations.

Related controls and activities

AC-18, PE-18, PE-20.

Enhancements

  • (01) Information leakage: National emissions policies and procedures
    • Protect system components, associated data communications, and networks in accordance with national emissions security (EMSEC) policies and procedures based on the security category or classification of the information.
    • Discussion: EMSEC policies include the former TEMPEST policies.
    • Related controls and activities: None.

References

 

PE-20 Asset monitoring and tracking

Control

Employ [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas].

Discussion

Asset location technologies can help ensure that critical assets — including vehicles, equipment, and system components — remain in authorized locations. Organizations consult with the appropriate privacy senior officials or executives or their legal services regarding the deployment and use of asset location technologies to address potential privacy concerns.

GC discussion

Location tracking of GC employees using GC assets in the exercise of their duties is not considered personal information. While this information may be sensitive, protected, or classified depending on the nature of their duties, it would not be considered personal information if it was created while the employee was exercising their official duties. In the case where an employee decides to use their GC asset (e.g., vehicle, cell phone) for personal purposes, it might be considered personal information, but also an inappropriate use of GC assets. In all cases, a notice given to employees that their GC assets are being tracked and monitored would mitigate privacy concerns regarding the creation of personal information associated with an improper use of such assets.

Related controls and activities

CM-08, PE-16, PM-08.

Enhancements

None.

References

 

PE-21 Electromagnetic pulse protection

Control

Employ [Assignment: organization-defined protective measures] against electromagnetic pulse (EMP) damage for [Assignment: organization-defined systems and system components].

Discussion

An EMP is a short, intense burst of electromagnetic energy that is spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP interference may be disruptive or damaging to electronic equipment. Protective measures used to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth grounding. EMP protection may be especially significant for systems and applications that are part of Canadian critical infrastructure.

Related controls and activities

PE-18, PE-19.

Enhancements

None.

References

None.

 

PE-22 Component marking

Activity/Control: Mark [Assignment: organization-defined system hardware components] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.

Discussion

Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smartphones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in AC-03 or AC-04. Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output.

Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, Orders in Council, directives, policies, regulations, and standards.

Related controls and activities

AC-03, AC-04, AC-16, MP-03.

Enhancements

None.

References

 

PE-23 Facility location

Control

  1. Plan the location or site of the facility where the system resides considering physical and environmental hazards
  2. For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy

Discussion

Physical and environmental hazards include floods, tsunami, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an EMP, electrical interference, and other forms of incoming electromagnetic radiation. Land and environmental surveys can help inform the optimal site location(s) for facilities to reduce as many environmental threats as practicable. Where such threats cannot be avoided, such surveys will identify what, if any, mitigation factors to employ to minimize damage to assets and disruption to services. The location of system components within the facility is addressed in PE-18.

Related controls and activities

CP-02, PE-18, PE-19, PM-08, PM-09, RA-03.

Enhancements

None.

References

None.

 

PE-400 Remote and telework environments

Control

  1. Assess physical security of remote or telework environments
  2. Apply appropriate protection and storage requirements for information and assets
  3. Use approved security equipment and electronic devices in accordance with the categorization of material

Discussion

None.

GC discussion

Security considerations should be addressed in remote or telework locations for GC departments, agencies and employees. Remote/telework can increase the likelihood of compromise of an organization’s sensitive information. Information can be targeted by threat actors through different methods such as physical access to information and devices, theft of information or devices, eavesdropping during meetings and telephone conversations, and overviewing of information and devices.

When working in a location other than the designated work site, employees should assess physical security and apply appropriate protection and storage requirements for GC information and assets. A risk assessment needs to be completed for all remote and telework situations and associated work solutions.

Protected A and B material may be processed and stored at remote and telework locations outside a designated GC workplace when physical protections are employed. The processing of Secret and Top Secret (TS) information originating from allies is only permitted in the appropriate zone of a designated GC security zone. TS Sensitive compartmented information (SCI) cannot be processed, stored, or discussed in a telework environment. It is recommended to prevent or limit the use of hard-copy material as much as practicable.

Employees should be provided equipment that supports and promotes secure processing, storage, and transport of GC information. Employees should complete appropriate security awareness training as a condition to being granted their remote/telework request. Appropriate security controls need to be available and in place.

Tracking data for employees on remote/telework agreements should be maintained and should include the names, locations, issued equipment, and assets, as well as registries of information taken to the remote/telework location, when appropriate. Employees are responsible for understanding and implementing all remote/telework security control measures that contribute to the secure processing of GC information at their location.

Related controls and activities

AT-02, PE-17, PE-23, RA-02, RA-03.

Enhancements

  • (01) Remote and telework environments: Physical information and assets storage
    • Store physical information and assets in accordance with RCMP guidance and departmentally established security practices.
    • Discussion: None.
    • GC discussion: Effort should be made to limit the need to process or store hard-copy documents of any categorization in locations outside a GC controlled facility. The RCMP does not recommend that Confidential and Secret information or assets be processed in remote/telework environments, but in cases where it cannot be avoided, requirements set out in the RCMP G1-001 Security Equipment Guide should be followed.
      The processing and storage of Protected C or Top Secret information outside approved GC facilities is considered an extremely high risk and is not recommended by the RCMP. If unavoidable, departmental physical security shall perform a full site security assessment, including a complete Threat and Risk Assessment (TRA). All security controls required for High Secure Zones in GC facilities should be used as a minimum standard for location fit-up.
    • Related controls and activities: RA-02, RA-03.
  • (02) Remote and telework environments: International remote/telework
    • Allow requests for remote/telework from international locations only under exceptional circumstances.
    • Discussion: None.
    • GC discussion: This enhancement does not apply to already assigned positions of employees working abroad as part of their regular operational duties, such as those attached to Canadian Embassies and High Commissions or military deployments. The RCMP does not recommend allowing remote/telework from international locations. Departments that may allow international remote/telework should develop a process with considerations given for all security controls, risk assessments, approvals, and briefings.
      Requests for international remote/telework should only be considered under exceptional circumstances; be limited to a specific defined period of time; require a complete TRA for the employee, country, and city of work; and require additional approval from Deputy Head, department Chief Security Officer (CSO), Chief Human Resources Officer (CHRO) and Chief Information Officer (CIO) as well as Shared Services Canada (SSC).
      International remote/telework carries increased security risks for the individual and the GC, since the Vienna Convention on Diplomatic Relations (1963) would not apply to those GC employees. As such, these employees are subject to all local and state laws and are not afforded diplomatic protections for information, assets, or property, including GC information and assets. Additionally, it carries increased physical security risks, and, in some countries, physical security controls may be cost prohibitive or difficult to maintain without a departmental security presence.
    • Related controls and activities: RA-03.

References

 

PE-401 Security operations centre

Control

Establish and maintain a Security Operations Centre (SOC) to protect the organization’s people, property, assets, and information, through physical and technical surveillance and monitoring.

Discussion

A SOC combines people, processes, and technology to deliver operational and other security services to organizations, including the protection of people, property, assets, and information. The SOC usually provides the facilities to support security personnel in the monitoring, surveillance, display, control, and management of security-related events, including insider threats. The SOC enables system operators to collect information related to the physical or cyber environment, to analyze it, to detect and assess alerts and notifications, and to dispatch the appropriate personnel to properly respond to events. A SOC increases situational awareness of the organization’s environment, enabling effective decision-making and response during an event.

The SOC can assist multidisciplinary teams, including physical security, IT and operational technology (OT) security, analysts, engineers, architects, and other service providers. Indeed, the convergence of IT and OT instigates new requirements to assess the risk posed by both information and physical security. For example, the proper functioning of control systems, such as those seen in building automation that can control temperature, lighting, access, etc., could be impacted if the software/application was compromised.

IR-04(14) provides information on a SOC meant to protect an organization’s technical infrastructure, which is comprised of systems and networks.

Related controls and activities

IR-04.

Enhancements

None.

    References

     