1. Identify the level of security controls that would be appropriate to meet PE-3. Refer to Appendix D of NIST SP 800-53 Rev. 5 for control baselines. For this discussion, consider controls appropriate for a brick and mortar location (physical building) and a non-brick and mortar location (temporary location). Please consider both in your discussion.
2. Are the controls you identified consistent with the categorization of risk you applied in Module 2?
3. How would this change if your system or product/component were located in the desert, which could potentially be compromised by other than corporate employees or foreign nationals?
For this case study, I have chosen a laptop as my device. I will be selecting security controls for a laptop as it relates to a physical brick and mortar location as well as a temporary location.
For Module 2 I gave the following security categorizations:
SC information = {(confidentiality, HIGH), (integrity, HIGH), (availability, LOW)}
Table 1

| Control | Implementation | Location Type (Perm/Temp/Both) |
|---|---|---|
| Enforce physical access authorizations | Badge activated turnstile | Perm |
| | Badge activated door | Both |
| | Security to sign in visitors | Both |
| Maintain physical access audit logs | All badge access logged in access system server | Both |
| | Visitor access maintained in paper log at front desk | Both |
| Control access to areas within the facility designated as publicly accessible | Public areas are accessible within the building once secure access is granted | Both |
| | Badge terminals will restrict access to private areas or floors of the building | Both |
| | CCTV cameras in public areas | Both |
| Escort visitors and monitor visitor activity | Visitors will be issued temporary badges that provide public only access | Both |
| | Visitors will be escorted by employees at all times | Both |
| Secure keys, combinations, and other physical access devices | Employees will be provided safe locations such as lockers, desk storage, bolted safes, and others to safeguard keys, combinations, or devices | Both |
| Inventory devices weekly | Inventory management at the network level; devices monitored for activity to be included in inventory | Both |
| Change combinations and keys randomly at least once a year and/or when keys or badges are lost, combinations are compromised, or individuals are transferred or terminated | Badge access control by access system that automatically grants/revokes access | Both |
| | Keys/locks changed randomly | Temp |
Note: Table 1 is derived from NIST Special Publication 800-53 Revision 5.
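As an added example (not part of this case study or of the NIST publication), the Python sketch below models the badge access system that Table 1 describes: badge terminals restrict private areas and floors to employees, visitor badges are temporary and public-only, a lost badge or a terminated individual is revoked immediately rather than at the yearly key change, and every grant, denial and revocation is written to the access system's audit log. Badge IDs, area names and the `demo()` scenario are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Badge:
    holder: str
    role: str            # "employee" or "visitor" (visitor = public-only access)
    active: bool = True


@dataclass
class AccessSystem:
    """Badge access server: grants/revokes access and logs every decision."""
    badges: dict = field(default_factory=dict)
    private_areas: set = field(default_factory=set)   # areas/floors not public
    audit_log: list = field(default_factory=list)

    def issue(self, badge_id: str, holder: str, role: str) -> None:
        self.badges[badge_id] = Badge(holder, role)
        self.audit_log.append(("issue", badge_id, role))

    def revoke(self, badge_id: str, reason: str) -> None:
        # Lost badge, transfer or termination: deactivate immediately rather
        # than waiting for the scheduled key/combination change.
        if badge_id in self.badges:
            self.badges[badge_id].active = False
            self.audit_log.append(("revoke", badge_id, reason))

    def request(self, badge_id: str, area: str) -> bool:
        badge = self.badges.get(badge_id)
        if badge is None or not badge.active:
            decision = "deny"                      # unknown or revoked badge
        elif area in self.private_areas and badge.role != "employee":
            decision = "deny"                      # visitors: public areas only
        else:
            decision = "grant"
        self.audit_log.append(("access", badge_id, area, decision))
        return decision == "grant"


def demo() -> AccessSystem:
    """Constructed scenario exercising the Table 1 controls."""
    acs = AccessSystem(private_areas={"server-room", "floor-3"})
    acs.issue("E-100", "alice", "employee")
    acs.issue("V-001", "bob", "visitor")         # temporary visitor badge
    acs.request("E-100", "floor-3")              # granted
    acs.request("V-001", "lobby")                # granted (public area)
    acs.request("V-001", "server-room")          # denied (private area)
    acs.revoke("E-100", "badge reported lost")
    acs.request("E-100", "floor-3")              # denied after revocation
    return acs
```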
The security controls for brick and mortar (permanent) and temporary facilities are very similar; the differences are based on cost and different use cases. For the most part, the facilities would be secured the same way. Brick and mortar locations are generally designed to control ingress and egress better than temporary locations, so the security presence would need to be adjusted for the environment. Strategic placement of guards and cameras would be employed at all locations to ensure the best monitoring. If the location were in a desert, the facility would require less security due to fewer visitors and other risks.
References

National Institute of Standards and Technology. (2020, September). Security and Privacy Controls for Federal Information System Organizations (NIST SP 800-53 Revision 5 ed.). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-53r5