Level 1


Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity. 

Priority: High


Category: Physical Security

Services Associated with AWS:

  • AWS CloudTrail (for monitoring access events)

Services Associated with Azure:

  • Azure Active Directory (Azure AD)  
  • Azure Monitor  
  • Azure Security Center  

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Physical Role Based Access Control (P-RBAC) is implemented
  • Administrative: supporting documentation to demonstrate visitor management practices

Possible Technology Considerations:

  • Physical Access Control (PAC) 

What needs to be answered:

Are all visitors to sensitive areas always escorted by an authorized employee? Are visitors escorted and monitored as required by security policies and procedures?

Checks for AWS 

  • Visitor Escorting and Activity Monitoring
    Description: This check ensures that visitors to organizational facilities are properly escorted and their activities are monitored. It applies to individuals who do not possess permanent physical access authorization credentials.

Checks for Azure 

  • Visitor Escorting Policy
    Description: This Azure policy ensures that visitors to Azure-hosted facilities, such as data centers or other sensitive areas, are properly escorted at all times. The policy applies to individuals who do not possess permanent physical access authorization credentials. An authorized employee must accompany visitors during their presence within these sensitive areas.
  • Activity Monitoring Policy for Visitors
    Description: This policy mandates that all visitor activities within Azure-hosted facilities are adequately monitored and recorded. It ensures that audit logs and relevant monitoring tools are set up to track and record the actions performed by visitors while they are present in restricted areas.
  • Role-Based Access Control (RBAC) for Physical Access
    Description: This policy requires implementing Physical Role-Based Access Control (P-RBAC) for individuals accessing Azure facilities physically. It entails documenting and enforcing a clear RBAC system that dictates which employees are authorized to accompany and monitor visitors in specific sensitive areas.

More Details:

No CUI is stored in company facilities; all CUI storage is done via AWS services.