AuditRubric
pr-aa-6 (medium) · Protect / Identity Management, Authentication, and Access Control

Physical access to assets is managed, monitored, and enforced commensurate with risk

Digital security controls mean little if an attacker can walk into your office or data center and plug into a network port or walk out with a server. Physical access must be controlled, logged, and reviewed just like logical access. The level of rigor should match the risk: a colocation rack demands tighter controls than an open-plan office.

Estimated effort: 4h
Tags: physical-security, badge-access, data-center, office-security

Implementation steps

  1. Implement badge access control for sensitive areas

     Use electronic badge readers on server rooms, network closets, and any area with production hardware. Every entry should be logged with the person's identity and a timestamp. Guests should be escorted at all times.

     Tools: Brivo, Genetec, Openpath, Avigilon
  2. Maintain a physical access list and review it regularly

     Keep a current list of who has badge access to each controlled area. Review and recertify this list at least quarterly. Revoke access when someone changes roles or leaves the organization.

  3. Log and monitor physical access events

     Configure your access control system to retain entry logs for at least 90 days. Set up alerts for after-hours access, failed entry attempts, or tailgating detected by sensors or cameras.

     Tools: Brivo, Genetec, Avigilon
  4. Apply appropriate controls at colocation and cloud facilities

     If you use a colocation facility, obtain the facility's physical security audit report (SOC 2 or equivalent) annually. Confirm your cage or cabinet is locked and access is restricted to your approved staff.

Evidence required

Physical access control configuration

Evidence that badge or key access controls are in place for sensitive areas.

  • Photo or diagram of access-controlled server room entrance
  • Badge access system configuration showing controlled zones
  • Colocation facility access control policy or SOC 2 report excerpt

Physical access logs

Recent logs showing physical entry events are being recorded.

  • Badge reader entry log export from the last 30 days
  • Access control system audit trail screenshot
  • Colocation visitor log or access report

Physical access review record

Documentation showing the physical access list was reviewed and recertified.

  • Signed-off list of badge access holders with review date
  • Ticket or task confirming the quarterly physical access review was completed

Related controls