AuditRubric
de-cm-2 medium Detect / Continuous Monitoring

The physical environment is monitored to detect potential cybersecurity events

Physical access is one of the most overlooked attack vectors in cybersecurity. An attacker who can walk into your server room, plug in a rogue device, or tailgate through a secure door bypasses every logical control you have. Monitoring physical spaces with cameras, access logs, and badge readers lets you detect unauthorized entry, correlate physical access with digital anomalies, and satisfy audit requirements for facilities controls.

Estimated effort: 4h
physical-security, cameras, access-control, visitor-logs

Implementation steps

  1. Inventory and review physical access points

    Document all locations that house critical systems or sensitive data: server rooms, network closets, data centers, and offices with privileged workstations. Identify which entry points have badge readers, cameras, and visitor logs today.

  2. Enable access logging on all critical area entry points

    Ensure every badge reader or keypad entry logs who accessed each area and when. Forward these logs to your central logging platform so physical access events can be correlated with network and system activity.

    splunk, datadog, elastic
  3. Deploy or audit camera coverage

    Confirm that cameras cover entry points to server rooms and sensitive areas. Review camera retention settings to ensure footage is stored for at least 30 days. Document camera locations and gaps.

  4. Implement a visitor log process

    Require sign-in for all visitors to secure areas, including contractor and vendor access. Capture name, company, host, time in, and time out. Review visitor logs weekly for anomalies.
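
The correlation that step 2 describes can be sketched as a detection rule: flag any local console login on a host in a critical area when the same user has no badge entry at that area's door shortly beforehand. This is an added example, not part of the original rubric; the field names, the host-to-door mapping, the 30-minute window, and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names (user, door, host, ts) are assumptions
# modeled on the "user, door, and timestamp" report listed under evidence.
BADGE_EVENTS = [
    {"user": "alice", "door": "server-room-1", "ts": "2024-05-06T09:02:00"},
    {"user": "bob",   "door": "lobby",         "ts": "2024-05-06T09:10:00"},
    {"user": "carol", "door": "server-room-1", "ts": "2024-05-06T07:00:00"},
]
CONSOLE_LOGINS = [
    {"user": "alice", "host": "db01", "ts": "2024-05-06T09:05:00"},
    {"user": "bob",   "host": "db01", "ts": "2024-05-06T09:15:00"},
    {"user": "carol", "host": "db01", "ts": "2024-05-06T09:30:00"},
]
# Hypothetical mapping from each critical host to the door that guards it.
HOST_DOOR = {"db01": "server-room-1"}
# Assumed correlation window; tune it to how long staff normally stay inside.
WINDOW = timedelta(minutes=30)


def unmatched_console_logins(badges, logins, host_door, window=WINDOW):
    """Return console logins with no badge entry by the same user at the
    host's door within `window` before the login time."""
    entries = {}
    for b in badges:
        key = (b["user"], b["door"])
        entries.setdefault(key, []).append(datetime.fromisoformat(b["ts"]))
    findings = []
    for login in logins:
        door = host_door.get(login["host"])
        if door is None:
            continue  # host is not in a monitored physical area
        t = datetime.fromisoformat(login["ts"])
        times = entries.get((login["user"], door), [])
        if not any(timedelta(0) <= t - e <= window for e in times):
            findings.append({**login, "door": door,
                             "reason": "no badge entry within window"})
    return findings


if __name__ == "__main__":
    for f in unmatched_console_logins(BADGE_EVENTS, CONSOLE_LOGINS, HOST_DOOR):
        print(f)
```

A finding is a lead for review against camera footage and the visitor log, not proof of intrusion: someone who badged in hours earlier and stayed in the room will also appear until the window is widened.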

Evidence required

Physical access log export

Export from badge reader or access control system showing entry events for critical areas.

  • Badge reader access log from server room for the past 30 days
  • Access control system report showing user, door, and timestamp
  • Centralized SIEM showing ingested physical access events

Camera coverage documentation

Map or list of camera locations relative to critical physical areas, with confirmation of retention settings.

  • Floor plan with camera positions marked
  • Screenshot of camera management system showing retention policy
  • Vendor invoice or installation record for cameras

Visitor log

Sample of completed visitor logs from the past 30 to 90 days showing consistent use of the process.

  • Physical sign-in sheet or digital visitor log export
  • Visitor management software report

Related controls