Control and manage physical access devices.
DiscussionPhysical access devices include keys, locks, combinations, and card readers.
Further DiscussionIdentifying and controlling physical access devices (e.g., locks, badges, key cards) is just as important as monitoring and limiting who is able to physically access certain equipment. Physical access devices are only strong protection if you know who has them and what access they allow. Physical access devices can be managed using manual or automatic processes such a list of who is assigned what key, or updating the badge access system as personnel change roles.
ExampleYou are a facility manager. A team member retired today and returns their company keys to you. The project on which they were working requires access to areas that contain equipment with FCI. You receive the keys, check your electronic records against the serial numbers on the keys to ensure all have been returned, and mark each key returned [c].
Potential Assessment Considerations
- Are lists or inventories of physical access devices maintained (e.g., keys, facility badges, key cards) [a]?
- Is access to physical access devices limited (e.g., granted to, and accessible only by, authorized individuals) [b]?
- Are physical access devices managed (e.g., revoking key card access when necessary, changing locks as needed, maintaining access control devices and systems) [c]?