PES-06.4: Automated Records Management & Review
Automated mechanisms exist to facilitate the maintenance and review of visitor access records.
Control Question: Does the organization use automated mechanisms to facilitate the maintenance and review of visitor access records?
General (9)
| Framework | Mapping Values |
|---|---|
| GovRAMP High | PE-08(01) |
| NIST 800-53 R4 | PE-8(1) |
| NIST 800-53 R4 (high) | PE-8(1) |
| NIST 800-53 R5 (source) | PE-8(1) |
| NIST 800-53B R5 (high) (source) | PE-8(1) |
| NIST 800-82 R3 HIGH OT Overlay | PE-8(1) |
| PCI DSS 4.0.1 (source) | 9.3.4 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 9.3.4 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 9.3.4 |
US (4)
| Framework | Mapping Values |
|---|---|
| US FedRAMP R4 | PE-8(1) |
| US FedRAMP R4 (high) | PE-8(1) |
| US FedRAMP R5 (source) | PE-8(1) |
| US FedRAMP R5 (high) (source) | PE-8(1) |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC New Zealand NZISM 3.6 | 9.4.9.C.01 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to facilitate the maintenance and review of visitor access records.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to facilitate the maintenance and review of visitor access records.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to facilitate the maintenance and review of visitor access records.
Level 3 — Well Defined
Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Performs the centralized management of physical security controls across the enterprise.
- Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.
- A physical security team, or similar function:
- A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
- Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
- Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and a validated need for access.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to facilitate the maintenance and review of visitor access records.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the maintenance and review of visitor access records.
Assessment Objectives
- PES-06.4_A01 automated mechanisms used to maintain visitor access records are defined.
- PES-06.4_A02 automated mechanisms used to review visitor access records are defined.
- PES-06.4_A03 visitor access records are maintained using automated mechanisms.
- PES-06.4_A04 visitor access records are reviewed using automated mechanisms.
Evidence Requirements
- E-PES-02 Visitor Logbook: Documented evidence of visitor management and the logging of visitor activities.
Physical Security