T2.2.2 - PHYSICAL ENTRY CONTROLS Implementation Guidance
The entity shall protect secure areas by appropriate entry controls to ensure that only authorized personnel are allowed access.
The following guidelines should be considered:
- A. The date and time of entry and departure of visitors should be recorded, and all visitors should be supervised unless their access has been previously approved; they should only be granted access for specific, authorized purposes and should be issued with instructions on the security requirements of the area and on emergency procedures
- B. Access to areas where sensitive information is processed or stored should be controlled and restricted to authorized persons only; authentication controls, e.g. access control card plus PIN, should be used to authorize and validate all access; an audit trail of all access should be securely maintained
- C. All employees, contractors and third-party users and all visitors should be required to wear some form of visible identification and should immediately notify security personnel if they encounter unescorted visitors or anyone not wearing visible identification
- D. Third-party support service personnel should be granted restricted access to secure areas or sensitive information systems only when required; this access should be authorized and monitored
- E. Access rights to secure areas should be regularly reviewed and updated, and revoked when necessary