ensure that all reportable cyber security incidents are reported to the ES ISAC either directly or through an intermediary.

4. Process for updating the cyber security incident response plan within 90 calendar days of any changes.

5. Process for ensuring that the cyber security incident response plan is reviewed at least annually.

6. Process for ensuring that the cyber security incident response plan is tested at least annually. A test of the incident response plan can range from a paper drill, to a full operational exercise, to the response to an actual incident.

Cyber Security Incident Documentation

The responsible entity must keep relevant documentation.

PHYSICAL SECURITY OF CRITICAL CYBER ASSETS

The implementation of a physical security program is intended to ensure the protection of critical cyber assets.

Physical Security Plan

The responsible entity must create and maintain a physical security plan, approved by a senior manager or delegate(s), that must address, at a minimum, the following:

1. Processes to ensure and document that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the responsible entity must deploy and document alternative measures to control physical access to the critical cyber assets.

2. Processes to identify all access points through each physical security perimeter and measures to control entry at those access points.

3. Processes, tools, and procedures to monitor physical access to the perimeter(s).

4. Procedures for the appropriate use of physical access controls, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.

5. Procedures for reviewing access authorization requests and revocation of access authorization.

6. Procedures for escorted access within the physical security perimeter of personnel not authorized for unescorted access.

7. Process for updating the physical security plan within 90 calendar days of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the physical security perimeter, physical access controls, monitoring controls, or logging controls.

8. Means for ensuring that cyber assets used in the access control and monitoring of the physical security perimeter(s) are afforded the same protective measures as other cyber assets.

9. Process for ensuring that the physical security plan is reviewed at least annually.

Physical Access Controls

The responsible entity must document and implement the operational and procedural controls to manage physical access at all access points to the physical security perimeter(s) 24 hours a day, 7 days a week. The responsible entity must implement one or more of the following physical access methods:

1. Card key. A means of electronic access whereby the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.

2. Special locks. These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems.

3. Security personnel. Personnel who are responsible for controlling physical access and who might reside on-site or at a monitoring station.

4. Other authentication devices. Biometric, keypad, token, or other equivalent devices that control physical access to critical cyber assets.

Monitoring Physical Access

The responsible entity must document and implement the technical and procedural controls for monitoring physical access at all access points to the physical security perimeter(s) 24 hours a day, 7 days a week. Unauthorized access attempts must be reviewed immediately and handled in accordance with established procedures. One or more of the following monitoring methods must be used:

1. Alarm systems. Systems that alarm to indicate that a door, gate, or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.

2. Human observation of access points. Monitoring of physical access points by authorized personnel.

Logging Physical Access

Logging must record sufficient information to uniquely identify individuals and the time of access 24 hours a day, 7 days a week. The responsible entity must implement and document the technical and procedural mechanisms for log-

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.