3.10.3 has a weight of -1 points

(Physical Protection Family) 3/6

Escort visitors and monitor visitor activity.

Example of System Security Plan (SSP):

    System Security Plan: Escorting Visitors and Monitoring Visitor Activity

    1. Policy Statement: The organization employs procedures to escort visitors and monitor their activity within the facility. Individuals with permanent physical access authorization credentials are exempt from visitor status. The organization uses audit logs to monitor visitor activity to ensure security and accountability.
    2. Visitor Escort Procedures: Visitors are escorted while within the facility to ensure they are accompanied by authorized personnel at all times.
    3. Exemption for Authorized Personnel: Individuals with permanent physical access authorization credentials, who are not considered visitors, are allowed unrestricted access to designated areas.
    4. Monitoring Visitor Activity: Visitor activity within the facility is monitored to track their movements and actions while on-site.
    5. Use of Audit Logs: Audit logs are utilized to record and track visitor activities, providing a comprehensive record for security and accountability purposes.
    6. Visitor Registration and Identification: Visitors are required to register their presence at the facility and provide identification to verify their identity and purpose of visit.
    7. Visitor Access Restrictions: Visitor access is limited to specific areas based on the purpose of their visit and the need-to-know principle.
    8. Training and Awareness: Personnel responsible for escorting visitors and monitoring their activities receive training on proper procedures and protocols.
    9. Incident Reporting and Response: Any incidents related to visitor activities that raise security concerns are promptly reported and addressed through the organization’s incident response procedures.
    10. Continuous Improvement: The organization periodically reviews and enhances its visitor escort and monitoring procedures to adapt to changing security needs and improve overall effectiveness.

    Example of Plan of Action and Milestones (POA&M):

    Plan of Action and Milestones (POA&M) for Control 3.10.3


    Objective: Enhance the visitor management system and streamline protocols to improve security and facility integrity.


    Milestones:

    1. Review Current Visitor Management Protocols:

      • Description: Conduct a comprehensive review of the existing visitor management protocols to identify any gaps or weaknesses.
      • Completion Date: [Specify Date]
      • Responsibility: Security Team
    2. Purchase Identification Badges:

      • Description: Acquire high-quality, tamper-proof identification badges for visitors.
      • Completion Date: [Specify Date]
      • Responsibility: Procurement Team
    3. Implement Visitor Registration and Identification System:

      • Description: Establish a digital registration and identification system to replace or supplement the manual logbook.
      • Completion Date: [Specify Date]
      • Responsibility: IT & Security Team
    4. Enhance Training and Awareness:

      • Description: Roll out a refresher training for personnel responsible for escorting visitors. This will ensure updated procedures are understood and followed.
      • Completion Date: [Specify Date]
      • Responsibility: HR & Training Department
    5. Review and Upgrade Incident Reporting System:

      • Description: Ensure that the incident reporting system is efficient, user-friendly, and aligns with visitor security concerns.
      • Completion Date: [Specify Date]
      • Responsibility: Security Team
    6. Install Additional Security Measures:

      • Description: Based on the review in Milestone 1, implement any additional recommended security measures, such as cameras in key areas.
      • Completion Date: [Specify Date]
      • Responsibility: Facility Management
    7. Conduct Periodic Audits:

      • Description: Organize quarterly audits of the visitor management system to ensure all protocols are being adhered to and identify areas for improvement.
      • Completion Date: [Specify Date for the first audit]
      • Responsibility: Internal Audit Team

    Budget Estimate:

    • Identification Badges: [Estimated Cost]
    • Digital Registration System: [Estimated Cost]
    • Training and Awareness Program: [Estimated Cost]
    • Additional Security Measures: [Estimated Cost]

    Total Estimated Cost: [Total]


    Sign Off:

    • Prepared by: [Your Name]
    • Date: [Insert Date]
    • Reviewed and Approved by: [Reviewer’s Name]
    • Date: [Insert Date]

    RELEVANT INFORMATION:

    Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity.

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.