Level 2
Description:
Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.
Priority: High
Domain: PHYSICAL PROTECTION (PE)
Category: Physical Security
Services Associated with AWS:
- AWS CloudTrail (for monitoring access events)
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure Monitor
- Azure Security Center
- Azure IoT Hub
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate visitor management practices
Possible Technology Considerations:
- Physical Access Control (PAC)
What needs to be answered:
Are logs of physical access to sensitive areas maintained per retention policies? Are visitor access records retained for as long as required by approved policy?
Checks for AWS:
- Audit Logging of Physical Access
Description: This check ensures that organizations maintain audit logs of physical access to their facilities. The audit logs capture information about individuals accessing the facility, including entry and exit times, identification provided (such as PIV card), and any additional access controls used.
Organizations have flexibility in the types of audit logs employed for physical access monitoring. This can include procedural logs, where individuals manually record their access in a written log, automated logs that capture access events electronically (such as scanning identification cards), or a combination of both.
The audit logs for physical access serve as a record of who entered or exited the facility, providing valuable information for security monitoring, incident investigation, and compliance purposes. By maintaining these audit logs, organizations can track and review physical access activities, detect any unauthorized or suspicious entries, and ensure accountability for access to their facilities.
Checks for Azure:
- Audit Logging of Physical Access
Description: This policy check ensures that organizations maintain audit logs of physical access to their facilities within the Azure environment. The audit logs should capture information about individuals accessing the facility, including entry and exit times, identification provided (such as access cards), and any additional access controls used.
- Retention of Visitor Access Records
Description: This policy check ensures that organizations retain visitor access records for as long as required by their approved policy within the Azure environment. Visitor access records are essential for monitoring and managing visitor access to the organization's facilities, and it is crucial to retain them for the designated retention period specified in the organization's policy.
More Details:
No CUI is stored in company facilities. All CUI storage is done via AWS services.