=====3.10 - Physical Protection=====

====Control Satisfaction Matrix====

^ Standard ^ Category ^ Controls Satisfied ^ 800-53r4 Controls ^ ISO/IEC 27001 ^ A-lign Controls ^
| NIST 800-171 | Physical Protection | 3.10.1-3.10.6 | PE-2, PE-4, PE-5, PE-6, PE-3, PE-17 | A.11.1.2, A.11.2.3, A.11.1.3, A.11.1.1, A.6.2.2, A.11.2.6, A.13.2.1 | 4.0, 27.0 |

===Major Document History===

^ Date ^ Comment ^ Who ^
| 5/13/2019 | Initial Doc | Tharp |
| 6/21/2019 | CO's & Assertions updated with feedback from B&V CPA's | Tharp |
| 7/24/2019 | A-lign Content Added | Tharp |
| 7/30/2019 | Strike thru Control Objectives | Tharp |
| 8/12/2019 | Formatting Updates | Tharp |
| 8/29/2019 | Copied Content For IS-1 SOC submission | Tharp |
| 10/6/2021 | Policies Reviewed for Audit | Tharp |

----

==== Purpose and Scope ====

The purpose of this policy is to address physical IT processing environments such as data centers and to enforce access control to those systems.

The Physical Security Policy applies to all individuals who have been granted access to DLZP Group facilities, property and equipment.

==== Background ====

DLZP Group uses 100% cloud-based IT processing services. DLZP Group does not operate any data centers. We rely on services from Amazon Web Services and inherit their data-center-centric policies through their compliance program and third-party attestations. We are able to receive regular SOC 1, 2 and 3 reports from AWS under an NDA.

[[https://aws.amazon.com/compliance/programs/|AWS Compliance Programs]]

=====Policy=====

====3.10.1====

DLZP staffing is comprised of 100% remote workers who work out of their own domicile. All DLZP workers shall protect their workspace and IT systems from family members and guests. DLZP provides cloud-based tools and storage for all remote workers. They are directed to use the secure virtual systems from their provided workstation. No files should be stored or printed locally.

====3.10.2====

Out of Scope. See 3.10.

====3.10.3====

Out of Scope. See 3.10.

====3.10.4====

Out of Scope. See 3.10.

====3.10.5====

All DLZP staff are instructed to control both physical and logical access to their work IT systems and not to use them for personal purposes.

====3.10.6====

Out of Scope. See 3.10.

----

=====Response Plan=====

====4.0 Physical Security====

====4.3 Physical Security Plan====

DLZP Group resources must be physically protected in proportion to the criticality, sensitivity, or business importance of their function(s). Due to DLZP's Cloud Only Infrastructure Policy, physical security control plans are not required and therefore this category is out of scope.

===4.3 - All===

**Out of Scope. See 3.10.1**

===4.4 Enforcement===

**Out of Scope. See 3.10.1**

----