If an organization cannot account for who is in its buildings or offices at any given time, the gap will likely surface as an audit or examination finding. More importantly, it can endanger personnel and undermine the physical entry security of the information systems housed there.
A low-crime location does not protect against this vulnerability. Bad actors are everywhere and are perpetually getting better at their craft. These vulnerabilities, and the physical entry controls that protect against them, are the focus of pitfall #41 in my eBook, 100 Security Program Pitfalls and Prescriptions to Avoid Them.
Secure areas should be protected by appropriate physical entry controls so that only authorized personnel are admitted. Physical access to facilities where information systems reside should be monitored with physical intrusion alarms and surveillance equipment to detect potential physical security incidents. Procedures for responding to physical security incidents should be developed, documented, and communicated to the personnel responsible for incident response.
Physical access logs should be reviewed at least quarterly, and again whenever a potential event is identified. The results of these reviews, and any corresponding investigations, should be coordinated with your organization’s incident response capability. If a physical security incident is identified, the incident report should document every response action taken. All incident reports should be retained in accordance with your organization’s record retention schedule.
Video cameras and physical access control mechanisms (e.g., badge readers) should be implemented and secured to monitor individual access to sensitive areas, and should be protected from tampering or disabling. Their output should be reviewed regularly and correlated with other entry and access control information (e.g., audit trails, visitor logs, authorization levels, and maintenance logs). Camera footage and access control records should be stored for at least three months, or longer if the organization’s record retention schedule requires it.
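What a quarterly review of badge-reader records against authorization levels and the visitor log can look like in practice, as an added example that is not from the eBook or the ASCENT portal: every badge ID, door name, event, policy threshold and the escort rule below are constructed for illustration. The script flags grants that exceed documented authorization, badges no authorization record knows about, repeated denials at one door, visitors in a sensitive area without their escort badging in alongside them, and after-hours entry to sensitive areas, producing the findings a reviewer would hand to incident response.

```python
"""Added example (not from the eBook): a quarterly physical access log review.

It correlates constructed badge-reader events with authorization levels and a
visitor log and flags entries that warrant follow-up. All badge IDs, door
names, events and policy thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed badge-reader export: timestamp,badge_id,door,result
SAMPLE_LOG = """\
2024-03-04T08:55:12,B1001,LOBBY,GRANTED
2024-03-04T09:02:41,B1001,DATACENTER,GRANTED
2024-03-04T09:10:05,B2002,DATACENTER,DENIED
2024-03-04T09:10:09,B2002,DATACENTER,DENIED
2024-03-04T09:10:14,B2002,DATACENTER,DENIED
2024-03-04T13:20:30,V9001,LOBBY,GRANTED
2024-03-04T13:25:02,V9001,DATACENTER,GRANTED
2024-03-04T14:02:17,B4004,DATACENTER,GRANTED
2024-03-04T23:41:55,B1001,DATACENTER,GRANTED
2024-03-04T23:45:00,B3003,DATACENTER,GRANTED
"""

# Constructed authorization levels: badge -> areas the holder is approved for.
AUTHORIZATIONS = {
    "B1001": {"LOBBY", "DATACENTER"},
    "B2002": {"LOBBY"},
    "B3003": {"LOBBY"},
}
# Constructed visitor log: visitor badge -> escort's badge.
VISITOR_ESCORTS = {"V9001": "B1001"}
SENSITIVE_AREAS = {"DATACENTER"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # hypothetical policy values
DENIED_THRESHOLD = 3                         # repeated denials worth a look
ESCORT_WINDOW_SECONDS = 120                  # hypothetical: escort badges same door within 2 min


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    door: str
    result: str


@dataclass(frozen=True)
class Finding:
    kind: str
    badge: str
    door: str
    ts: datetime


def parse_log(text: str) -> list:
    """Parse the constructed CSV export into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), badge, door, result))
    return events


def review(events, authorizations, visitor_escorts, sensitive_areas, business_hours):
    """Return the findings a reviewer should hand to incident response, in event order."""
    start, end = business_hours
    findings = []
    denied = {}
    for e in events:
        if e.result == "DENIED":
            key = (e.badge, e.door)
            denied[key] = denied.get(key, 0) + 1
            if denied[key] == DENIED_THRESHOLD:  # report once per badge/door
                findings.append(Finding("REPEATED_DENIALS", e.badge, e.door, e.ts))
            continue
        if e.badge in visitor_escorts:
            # A visitor in a sensitive area needs the escort badging the same door
            # within the window; otherwise treat the entry as unescorted.
            if e.door in sensitive_areas:
                escort = visitor_escorts[e.badge]
                escorted = any(
                    o.badge == escort and o.door == e.door and o.result == "GRANTED"
                    and abs((o.ts - e.ts).total_seconds()) <= ESCORT_WINDOW_SECONDS
                    for o in events
                )
                if not escorted:
                    findings.append(Finding("UNESCORTED_VISITOR", e.badge, e.door, e.ts))
        elif e.badge not in authorizations:
            # The reader granted a badge that no authorization record knows about.
            findings.append(Finding("UNKNOWN_BADGE", e.badge, e.door, e.ts))
        elif e.door not in authorizations[e.badge]:
            # Reader configuration disagrees with the documented authorization level.
            findings.append(Finding("GRANT_EXCEEDS_AUTHORIZATION", e.badge, e.door, e.ts))
        if e.door in sensitive_areas and not (start <= e.ts.time() < end):
            findings.append(Finding("AFTER_HOURS_ENTRY", e.badge, e.door, e.ts))
    return findings


def review_sample() -> list:
    """Run the review over the constructed sample data."""
    return review(parse_log(SAMPLE_LOG), AUTHORIZATIONS, VISITOR_ESCORTS,
                  SENSITIVE_AREAS, BUSINESS_HOURS)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.ts.isoformat()} {f.kind:28} badge={f.badge} door={f.door}")
```

Each finding carries the badge, door and timestamp so it can be matched against camera footage, the visitor log and maintenance records before it is escalated. The GRANT_EXCEEDS_AUTHORIZATION case is the one most often missed: the reader did what it was configured to do, so only a comparison with the documented authorization levels reveals the drift.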
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.