UCF ID: 01637
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
• Ensure all facilities are physically secured. [UCF Control ID 00711]
This control has the following supporting controls:
• Maintain an inventory of all locks and access mechanisms (keys, combinations, or cards) for all access points. [UCF Control ID 00748]
• Post signs at all access points stating the organization's right to inspect upon entry. [UCF Control ID 02204]
• Ensure all access points have adequate security lighting. [UCF Control ID 02205]
• Manage access to loading docks, unloading docks, and mailrooms. [UCF Control ID 02210]
• Protect access to the facility's mechanical systems areas. [UCF Control ID 02212]
• Ensure disabled individuals have physical access to facilities. [UCF Control ID 02230]
• Establish security measures for elevators. [UCF Control ID 02232]
• Establish security measures for stairwells. [UCF Control ID 02233]
• Establish security measures for glass openings. [UCF Control ID 02234]
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier II Obj 1.3; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-006-1 R1.2; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-10.h, § 2-10.i; Protection of Assets Manual, ASIS International, Pg 1-I-A1, Pg 6-I-14, Pg 8-II-2, Pg 13-I-7, Pg 41-I-8, Revised Volume 4 1-I-17; Aviation and Transportation Security Act, Public Law 107-71, November 2001, § 106(c); Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.230(a)(3), § 27.230(a)(4)(i); Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria, Employees; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-306, § 5-313, § 5-313.j, § 5-314.e; DOT Physical Security Survey Checklist, Perimeter Barriers; Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, Pg 13; TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001, § 44903(g)(2)(G), § 44903(g)(4)(E); Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004, Version 1.0, § 3.3.3; 49 CFR Part 1542 - Airport Security, § 1542.203, § 1542.207; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.1, § 4.3.2, Exhibit 4 PE-3; The Standard of Good Practice for Information Security, NW3.4.2(c); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.1.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.9.1.6; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.1.2; Italy Personal Data Protection Code, Annex B.29; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.3.5, § 6.12.1; Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress, § 302(a)(4)(B)(i)
Banking and Finance Guidance
[Exam Tier II Obj 1.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
Energy Guidance
The organization should establish processes to identify all access points through each Physical Security Perimeter and measures to control entry at those access points. [CIP-006-1 R1.2, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
US Federal Security Guidance
The organization should provide procedures for the physical security of the facility; the physical security should include the use of barriers. The physical and access controls used to deter unauthorized entry into the facility should be commensurate with the classification level of processing taking place in the facility. [§ 2-10.h, § 2-10.i, Army Regulation 380-19: Information Systems Security, February 27, 1998]
The Under Secretary must work with airport operators to help strengthen the access control points to secured areas. Biometric technologies should be considered for use to verify the identity of individuals entering secured areas of the airport. [§ 106(c), Aviation and Transportation Security Act, Public Law 107-71, November 2001]
Vehicles must be deterred from penetrating the facility perimeter and gaining unauthorized access to restricted areas. Access to the facility and restricted areas must be controlled by screening and/or inspecting individuals and vehicles entering the area. [§ 27.230(a)(3), § 27.230(a)(4)(i), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]
All employees must be positively identified and only have access to secure areas when required for their jobs. The issuance and removal of all employee identification badges must be controlled by security personnel. Documented procedures must exist for the issuance, removal, and changing of access control devices. [Employees, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria]
When closed areas are unattended, they must be secured by an approved lock. Automated access control mechanisms used to protect classified areas must identify and authenticate the individual entering the area. When personnel enter or leave an area, they are required to secure the door immediately. [§ 5-306, § 5-313, § 5-313.j, § 5-314.e, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
All openings, such as manholes, tunnels, and culverts, that permit access to the facility should be secured. [Perimeter Barriers, DOT Physical Security Survey Checklist]
Access to the building from the lobby should be controlled by security checks of individuals and packages. [Pg 13, Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002]
The Under Secretary must work with airport operators to help strengthen the access control points to secured areas. Biometric technologies should be considered for use to verify the identity of individuals entering secured areas of the airport. [§ 44903(g)(2)(G), § 44903(g)(4)(E), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001]
Security areas should be protected by security fencing or other physical barrier. [§ 3.3.3, Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004, Version 1.0]
Access to controlled areas must be controlled to ensure only individuals authorized for unescorted access can gain entry; to ensure individuals are immediately denied access when their authority is removed; and to differentiate between individuals with access to the entire area and those with access to only a portion of the area. [§ 1542.203, § 1542.207, 49 CFR Part 1542 - Airport Security]
US Federal Privacy Guidance
Business entities must implement measures to control access to facilities and systems that contain sensitive personally identifiable information, including authentication controls to permit access only to authorized individuals. The measures must be commensurate with the data's sensitivity and the complexity, size, and scope of activities. [§ 302(a)(4)(B)(i), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress]
US Internal Revenue Guidance
The number of entrances to restricted areas should be kept to a minimum, and all restricted area entrances must have some form of controlled access, such as electronic access control or a keyed lock. [§ 4.3.1, § 4.3.2, Exhibit 4 PE-3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
ISO Guidance
Only authorized personnel should be allowed access to secure areas. The following guidelines should be considered when securing areas: a visitor log should be kept; authentication controls should be used to authorize and validate entry into controlled areas; visible identification should be worn at all times; access rights should be reviewed regularly; and support service personnel should be granted restricted access and should be monitored. [§ 9.1.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
All access points to the facility should be identified. Any access points where unauthorized personnel may enter the premises, such as delivery and loading areas, should be controlled. If possible, these areas should be isolated from the rest of the facilities. [Annex A.9.1.6, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
Only authorized personnel should be allowed access to secure areas. The following guidelines should be considered when securing areas: a visitor log should be kept; authentication controls should be used to authorize and validate entry into controlled areas; visible identification should be worn at all times; access rights should be reviewed regularly; and support service personnel should be granted restricted access and should be monitored. [§ 9.1.2, ISO/IEC 27002 Code of practice for information security management, 2005]
The service provider should establish formal procedures and policies for controlling entry into its facilities, to ensure personnel only enter at designated entrances and that the identities of everyone entering, including visitors, are verified. The facilities should have restricted rooms that are used for designated purposes only, have restricted access, and have the appropriate level of protection. These rooms include rooms that house servers, other computers, archived data media, environmental control plants, main communications switches, UPSs, batteries, power switch and generator set areas, other telecommunications equipment, and MDF/meet-me rooms. [§ 6.3.5, § 6.12.1, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
General Guidance
Access points should have appropriate physical controls implemented. Locks are the simplest form of access control for physically restricting access to sensitive areas. Card, token, and biometric access systems should be updated prior to a strike to remove access for all striking employees. Automated access controls should be used where large numbers of personnel enter an area, because the access database can be changed easily when a user's access changes. For special events, the type of access control used will depend on the venue for the event, and all forbidden items should be spelled out. High-rise structures should be divided into three classes of space: public access, tenant spaces, and maintenance spaces. The security requirements of the building will determine which type of access control should be implemented for each class. The organization should ensure all exits are monitored. [Pg 1-I-A1, Pg 6-I-14, Pg 8-II-2, Pg 13-I-7, Pg 41-I-8, Revised Volume 4 1-I-17, Protection of Assets Manual, ASIS International]
Critical areas of the facility should be protected at all access points to prevent unauthorized personnel from gaining access. [NW3.4.2(c), The Standard of Good Practice for Information Security]
Other European and African Guidance
Access to archives that contain sensitive or judicial data must be controlled. Persons who are authorized to access these archives after hours must be identified and registered. If the archives are not equipped with electronic access control devices or are not under surveillance, persons who access the archive must have prior authorization. [Annex B.29, Italy Personal Data Protection Code]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
