Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs (for example, visitor sign-in logs) can be used to monitor visitor activity.

Priority: High   

Category: Physical Security 

Associated AWS Services:

  • AWS CloudTrail (for monitoring logical access events to the AWS environment; physical access to AWS data centers is controlled and monitored by AWS under the shared responsibility model, not by CloudTrail)

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Physical Role Based Access Control (P-RBAC) is implemented
  • Administrative: supporting documentation to demonstrate visitor management practices

Possible Technology Considerations:

  • Physical Access Control (PAC) 

What needs to be answered:

Are all visitors to sensitive areas escorted by an authorized employee at all times? Are visitors escorted and monitored as required by the organization's security policies and procedures?

  • Visitor Escorting and Activity Monitoring
    Description: This check ensures that visitors to organizational facilities are properly escorted and their activities are monitored. It applies to individuals who do not possess permanent physical access authorization credentials.

More Details:   

No CUI is stored in company facilities; all CUI is stored in AWS services.