![Integrating Physical Security Requirements](https://cvgstrategy.com/wp-content/uploads/2024/07/Integrating-Physical-Security-Requirements.jpeg)
Integrating physical security requirements is an area of growing concern for organizations of all sizes. Aside from ensuring basic safety for personnel and physical assets, businesses face security requirements arising from cybersecurity and export compliance. This necessitates a non-siloed approach to an often overlooked management function.
Basic Physical Security Measures
Every organization should ensure that basic security risks are addressed to protect personnel, assets, and property. This includes not only security against human-instigated threats but also plans and mechanisms to protect property and life against acts of nature such as tornadoes and earthquakes. To address these, management should create and implement security policies and procedures.
Security Measures for Export Compliance
Businesses involved with the export of products that are controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR) are required to protect articles and associated technology from access by foreign persons. While the details of the required security measures are not specified, organizations must perform risk assessments, document the necessary controls, perform audits, and detect and report violations.
Cybersecurity Requirements for Physical Environmental Protection
Cybersecurity is a requirement for most businesses, especially those involved in export-controlled items. These requirements usually center on one or more NIST standards, including NIST SP 800-171, NIST SP 800-161, and NIST SP 800-53. For many, CMMC, which incorporates NIST SP 800-171, is a work in progress to meet Department of Defense contractual requirements for conducting business.
There are numerous provisions for physical and environmental security in these standards:
- Policy and Procedure – Policies and procedures must be in place that provide scope, security strategy, implementation, and assignment of roles and responsibilities, and that define review and updates.
- Physical Access Authorizations – A documented list of persons with authorized access.
- Physical Access Control – Controlling ingress, egress, and sensitive areas to ensure that only authorized personnel can obtain access.
- Access Control for Transmission – Control of physical access to system distribution and transmission lines within the facility.
- Access Control for Output Devices – Prevention of unauthorized access to output of information.
- Monitoring for Physical Access – Monitor and review physical access.
- Monitoring Physical Access (Intrusion Alarms and Surveillance).
- Visitor Access Records.
- Numerous controls for power, lighting, fire, environment, water, shipping, work sites, monitoring and tracing of assets, component marking, and electromagnetic pulse protection.
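The "Physical Access Authorizations" and "Monitoring for Physical Access" items above are easiest to see together: the documented authorization list is the reference, and monitoring means reviewing what the access control system actually recorded against that reference. The following is an added example, not code from CVG Strategy or from any NIST publication. It reconciles constructed badge-reader log lines against a constructed authorization list (the people, zone names, hours, and log format are all assumptions made for the illustration) and reports the entries a reviewer would want to look at: a person not on the list, a zone the person is not authorized for, an entry outside the authorized hours, and reader denials.

```python
"""Review physical access log entries against an authorization list.

Added example; the authorization list, zone names, hours and log lines
below are constructed for illustration, not taken from any real facility.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed authorization list: person -> zone -> (earliest, latest) entry time.
AUTHORIZED = {
    "alice": {
        "lobby": (time(0, 0), time(23, 59)),
        "server-room": (time(8, 0), time(18, 0)),
    },
    "bob": {
        "lobby": (time(0, 0), time(23, 59)),
    },
}

# Constructed badge-reader log: ISO timestamp, badge holder, zone, reader result.
LOG_LINES = """\
2024-07-01T09:15:00 alice server-room GRANTED
2024-07-01T21:40:00 alice server-room GRANTED
2024-07-01T10:02:00 bob server-room GRANTED
2024-07-01T10:05:00 carol lobby GRANTED
2024-07-01T10:06:00 bob lobby DENIED
"""


@dataclass
class Finding:
    """One log entry that the access reviewer should examine."""
    timestamp: datetime
    person: str
    zone: str
    reason: str


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, person, zone, result = line.split()
    return datetime.fromisoformat(ts), person, zone, result


def review_access(log_text, authorized):
    """Return the findings from checking every log entry against the list.

    Granted entries are checked for an unlisted person, an unauthorized zone,
    and entry outside the authorized hours; denied entries are always
    reported so that repeated attempts are visible during review.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, person, zone, result = parse_line(line)
        if result != "GRANTED":
            findings.append(Finding(ts, person, zone, "reader denied access"))
            continue
        zones = authorized.get(person)
        if zones is None:
            findings.append(Finding(ts, person, zone, "person not on authorization list"))
            continue
        window = zones.get(zone)
        if window is None:
            findings.append(Finding(ts, person, zone, "zone not authorized for this person"))
            continue
        start, end = window
        if not (start <= ts.time() <= end):
            findings.append(Finding(ts, person, zone, "entry outside authorized hours"))
    return findings


if __name__ == "__main__":
    for f in review_access(LOG_LINES, AUTHORIZED):
        print(f"{f.timestamp.isoformat()} {f.person:<6} {f.zone:<12} {f.reason}")
```

Run as a script it prints four findings from the five constructed lines; the one entry that passes is alice entering the server room at 09:15, inside her authorized 08:00 to 18:00 window. In practice the authorization list would be exported from the access control system and the review run on a schedule, with the findings retained as the record that the monitoring control was actually performed.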
CISA Cybersecurity and Physical Security Convergence
The Cybersecurity & Infrastructure Security Agency (CISA) has released guidance on Cybersecurity and Physical Security Convergence. It cites a more resilient ability to reduce the risks from security threats and to respond better to security incidents when the Chief Information Security Officer (CISO) and Chief Security Officer (CSO) functions are converged.
Convergence case studies conducted between 2017 and 2020 showed improvements in communication, coordination, and collaboration when physical and cyber security functions were coordinated. This has been of special value in connected operating environments where Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices are in use.
The short-term complications of enacting this convergence may seem daunting, but integrated threat management can result in more flexible and sustainable strategies and practices to prevent exposure of proprietary information, economic damage, exposure of controlled articles and technology, and loss of life.
CVG Strategy Information Security Management System Consultants
Integrating physical security requirements is a concern for organizations of all sizes. While those in business leadership roles are increasingly aware of the importance of cyber resilience, resources and the necessary talent are often in short supply. To assist businesses in meeting the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with an ISO 27001 Information Security Management System. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.
CVG Strategy Export Compliance Management Programs
Export compliance requirements are growing in complexity for businesses engaged in the sale of items that are intended for international sale or could result in international sales. Failure to comply with regulations can result in criminal prosecution, including imprisonment and fines. It can also result in civil penalties and debarment from export activities.
Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization. They ensure that registration, item classification, license applications, denied party screening, and security measures are in place to prevent violations. They also ensure that training, auditing, and record keeping are maintained according to requirements.
CVG Strategy can help you understand the ITAR and EAR and establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, assist with filings for export licenses, and educate your team. Regardless of whether your business falls under the EAR or the ITAR, CVG Strategy has the expertise to help.