Ensure visitors have been authorized prior to accessing areas containing restricted data or information.

UCF ID: 01330
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 9.3.1; Protection of Assets Manual, ASIS International, Pg 15-I-18, Pg 15-V-6; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 6-104, § 10-502, § 10-721; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.3.1; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.3.6(a)

Payment Card Guidance

The organization must ensure all visitors have been authorized prior to entering areas where cardholder data is maintained or processed.
Observe visitors to ensure they are all issued visitor badges. Attempt to gain access to areas with cardholder data to ensure a visitor badge does not permit unescorted access to these areas.
[§ 9.3.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

The organization must ensure all visitors have been authorized prior to entering areas where cardholder data is maintained or processed. [§ 9.3.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

A visitor's employer must provide a visit authorization letter (VAL) to the organization that its employee will be visiting when the employee requires access to classified information. The VAL must include the contractor's name, address, and telephone number; the visitor's name, citizenship, and date and place of birth; the visitor's clearance level; the name of the person being visited; and the date or period that the VAL is valid. [§ 6-104, § 10-502, § 10-721, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

ISO Guidance

Formal procedures and policies should be established for controlling the movement of personnel, other than the service provider staff, into and within the service provider's location to ensure that entry requests are predetermined and arranged. [§ 6.3.6(a), ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

All non-employees who enter the facility should sign a Conditions of Entry agreement. [Pg 15-I-18, Pg 15-V-6, Protection of Assets Manual, ASIS International]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.