
Discuss the implementation of the Physical Security Control (PE3) as it relates to your system or product/component:
How are they different, how are they the same?

• What is the cost to physically protect your physical location versus a temporary location?

• Is it worth going through the trouble of protecting your device in physical location versus a
temporary location (address both locations)?

There are three approaches to implementing controls: (1) common or inheritable control,
(2) system-specific control, or (3) hybrid control (NIST, 2020). A common control is a control
that is inheritable from one control to another. An example of an inheritable control is security
guards. The security guards protect entry and exit points, but they could also be
responsible for registering guests or, in the case of the laptop, watching for it leaving the
building. A system-specific control is a control that is deployed and monitored by the group
that is responsible for protecting the asset. As an example, the IT team deploys encryption
software on the laptop to lock the computer if the decryption password is not supplied. Hybrid
controls are controls that combine inherited controls and system-specific controls.

When thinking of how to protect a laptop in a permanent location compared to a
temporary location, the controls would be similar; each location would have security guards,
cameras, and other physical protections. Each location would use hybrid controls: some
controls that cover multiple assets and some controls that are system-specific.

The costs to protect a permanent location and a temporary location are both high, but
in most cases permanent locations contain more assets than temporary locations; therefore, in
most cases the permanent locations would have more expenses related to physical security.

To answer the question of “going through the trouble” of protecting a laptop, I
would say no. By itself a laptop is not worth all of the physical security controls that are
deployed at any location. The data on the laptop is much more important than the hardware
itself. I could not justify all the costs of PE3 controls for laptops only. I would choose
encryption software over physical controls. If a criminal steals a laptop but cannot access the
hard drive, it is basically useless to them.

References
National Institute of Standards and Technology. (2020, September). Security and Privacy
Controls for Federal Information System Organizations (NIST SP 800-53 Revision 5
ed.). National Institute of Standards and Technology.
https://doi.org/10.6028/NIST.SP.800-53r5
