| Standard | Controls Satisfied |
|---|---|
| TSC | CC9.9 |
This policy establishes the rules governing the control, monitoring, and removal of physical access to the company's facilities.

This policy applies to all staff, contractors, or third parties who require access to any physical location owned, operated, or otherwise occupied by the company. A separate policy governs access to the company data center.
## Management responsibilities

Management shall ensure that:

- appropriate entry controls are in place for secure areas
- security personnel, identification badges, or electronic key cards are used to validate employee access to facilities
- the visitor and guest access procedure has been followed by host staff
- the list of individuals with physical access to facilities is periodically reviewed
- card access records and visitor logs are kept for a minimum of 90 days and are periodically reviewed for unusual activity
## Key access & card systems

The following policies apply to all facility access cards/keys:

- Access cards/keys shall not be shared or loaned to others
- Access cards/keys shall not carry identifying information other than a return mail address
- Access cards/keys shall be returned to Human Resources when they are no longer needed
- Lost or stolen access cards/keys shall be reported immediately
- If an employee changes to a role that no longer requires physical access or leaves the company, their access cards/keys will be suspended
- Human Resources will regularly review physical security privileges and review access logs
## Staff & contractor access procedure

Access to physical locations is granted to employees and contractors based on individual job function and is granted by Human Resources.

Any individual granted access to physical spaces will be issued a physical key or access key card. Key and card issuance is tracked by Human Resources and is periodically reviewed.

In the case of termination, Human Resources should ensure immediate revocation of access (i.e., collection of keys, access cards, and any other asset used to enter facilities) through the offboarding procedure.
## Visitor & guest access procedure

The following policies apply to the identification and authorization of visitors and guests:

- All visitors must request and receive written onsite authorization from a staff member.
- Visitor access shall be tracked with a sign-in/out log. The log shall contain: visitor's name, firm represented, purpose of visit, and onsite personnel authorizing access.
- The log shall be retained for a minimum of 90 days.
- Visitors shall be given a badge or other identification that visibly distinguishes visitors from onsite personnel.
- Visitor badges shall be surrendered before leaving the facility.
## Audit controls & management

Documented procedures and evidence of practice should be in place for this policy. Acceptable controls and procedures include:

- visitor logs
- access control procedures
- operational key-card access systems
- video surveillance systems (with retrievable data)
- ledgers, if issuing physical keys
## Enforcement

Employees, contractors, or third parties found in violation of this policy (whether intentional or accidental) may be subject to disciplinary action, including:

- reprimand
- loss of access to premises
- termination