PES-03.3: Physical Access Logs
Physical access control mechanisms generate a log entry for each access attempt through controlled ingress and egress points.
Control Question: Does the organization generate a log entry for each access attempt through controlled ingress and egress points?
General (34)
US (21)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ACCESS-3.C.MIL1 ACCESS-3.J.MIL3 |
| US CERT RMM 1.2 | ADM:SG1.SP1 EC:SG2.SP2 |
| US CMMC 2.0 Level 2 (source) | PE.L2-3.10.4 |
| US CMMC 2.0 Level 3 (source) | PE.L2-3.10.4 |
| US CMS MARS-E 2.0 | PE-8 |
| US FedRAMP R4 | PE-8 |
| US FedRAMP R4 (low) | PE-8 |
| US FedRAMP R4 (moderate) | PE-8 |
| US FedRAMP R4 (high) | PE-8 |
| US FedRAMP R4 (LI-SaaS) | PE-8 |
| US FedRAMP R5 (source) | PE-8 |
| US FedRAMP R5 (low) (source) | PE-8 |
| US FedRAMP R5 (moderate) (source) | PE-8 |
| US FedRAMP R5 (high) (source) | PE-8 |
| US FedRAMP R5 (LI-SaaS) (source) | PE-8 |
| US IRS 1075 | PE-8 |
| US NERC CIP 2024 (source) | CIP-006-6 1.4 CIP-006-6 1.8 |
| US - OR 646A | 622(2)(d)(C)(ii) |
| US - TX DIR Control Standards 2.0 | PE-8 |
| US - TX TX-RAMP Level 1 | PE-8 |
| US - TX TX-RAMP Level 2 | PE-8 |
EMEA (4)
| Framework | Mapping Values |
|---|---|
| EMEA EU NIS2 Annex | 13.3.2(d) |
| EMEA Israel CDMO 1.0 | 18.5 |
| EMEA Saudi Arabia ECC-1 2018 | 2-14-3-3 |
| EMEA UK DEFSTAN 05-138 | 1500 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC Japan ISMAP | 11.1.2 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.10.02.A 03.10.07.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to generate a log entry for each access attempt through controlled ingress and egress points.
Level 1 — Performed Informally
Physical & Environmental Security (PES) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Physical access control is decentralized.
- Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).
- Human Resources, or a similar function, maintains a current list of personnel and facilitates the implementation of physical access management controls.
Level 2 — Planned & Tracked
Physical & Environmental Security (PES) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Physical access control is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for physical access control.
- Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
- Physical security controls are primarily administrative in nature (e.g., policies & standards).
- Physical controls, administrative processes and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.
- Physical controls and technologies are configured to generate a log entry for each access attempt through controlled ingress and egress points.
Level 3 — Well Defined
Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.
- A physical security team, or similar function:
- A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
- Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
- Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
- Physical controls and technologies are configured to generate a log entry for each access attempt through controlled ingress and egress points.
Level 4 — Quantitatively Controlled
Physical & Environmental Security (PES) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to generate a log entry for each access attempt through controlled ingress and egress points.
Assessment Objectives
- PES-03.3_A01 physical access audit logs for entry or exit points are maintained.
- PES-03.3_A02 time period for which to maintain visitor access records for the facility where the system resides is defined.
- PES-03.3_A03 visitor access records for the facility where the system resides are maintained for time period.
- PES-03.3_A04 the frequency at which to review visitor access records is defined.
- PES-03.3_A05 visitor access records are reviewed frequently.
- PES-03.3_A06 personnel to whom visitor access records anomalies are reported to is/are defined.
- PES-03.3_A07 visitor access records anomalies are reported to personnel.
- PES-03.3_A08 audit logs of physical access are maintained.
Evidence Requirements
- E-PES-02 Visitor Logbook
-
Documented evidence of a visitor management and logging visitor activities.
Physical Security
Technology Recommendations
Micro/Small
- Visitor logbook
- iLobby (https://goilobby.com)
- The Receptionist (https://thereceptionist.com)
- LobbyGuard (http://lobbyguard.com)
Small
- Visitor logbook
- iLobby (https://goilobby.com)
- The Receptionist (https://thereceptionist.com)
- LobbyGuard (http://lobbyguard.com)
Medium
- Visitor logbook
- iLobby (https://goilobby.com)
- The Receptionist (https://thereceptionist.com)
- LobbyGuard (http://lobbyguard.com)
Large
- Staffed lobby (receptionist)
- Visitor logbook
Enterprise
- Staffed lobby (receptionist)
- Visitor logbook