3.10.4 has a weight of -1 points

Physical Protection Family (4/6)

Maintain audit logs of physical access.


Example of System Security Plan (SSP):

    System Security Plan (SSP) for Control 3.10.4


    Purpose: To maintain comprehensive audit logs of physical access to the facility and ensure security through systematic monitoring, timely reporting, and continuous enhancement of protocols.


    Implementation Details:

    1. Visitor Management:

      • All visitors are required to register their presence in a designated logbook upon entering the facility.
      • Visitors are continuously escorted throughout their stay in the building, ensuring adherence to security protocols.
    2. Employee Access Monitoring:

      • All employees are issued unique key fobs, facilitating the electronic tracking of their entries and exits from the building.
      • These fobs ensure that only authorized personnel gain access to the premises.
    3. Video Surveillance:

      • Video cameras are strategically placed to capture and record activities within the facility, acting as an additional layer of security and monitoring.
    4. Coverage of Physical Access Points:

      • Comprehensive audit logs are kept for all physical access points, both external and internal.
      • This includes key facility entry and exit points, as well as specific areas housing critical system components.
    5. Monitoring Publicly Accessible Areas:

      • System components placed in publicly accessible areas, such as workstations and notebook computers, are also audited.
      • Strict access controls are implemented to safeguard these components.
    6. Training and Awareness:

      • Dedicated personnel assigned the duty of maintaining and reviewing audit logs undergo systematic training.
      • This ensures they are equipped with the latest procedures and protocols for access record management.
    7. Retention and Protection of Audit Logs:

      • Audit logs are retained in accordance with the organization’s established policies.
    8. Incident Reporting and Response:

      • Incidents highlighting unauthorized physical access or any security concerns originating from the audit logs are immediately reported.
      • These concerns are swiftly addressed following the organization’s incident response procedures.
    9. Continuous Improvement:

      • Periodic reviews of the audit log management procedures are carried out.

    Example of Plan of Action and Milestones (POA&M):

    Plan of Action & Milestones (POA&M) for Control 3.10.4


    1. Visitor Management:

    Milestone: Design and implement an electronic visitor management system.

    • Actions:
      • Research and procure an electronic visitor management system.
      • Train front-desk personnel on its use.
      • Transition from the logbook system to the electronic system.
    • Timeline: 3 months
    • Responsible Party: Facility Manager

    2. Employee Access Monitoring:

    Milestone: Update and enhance the key fob system.

    • Actions:
      • Perform an audit of all issued key fobs.
      • Replace any outdated or malfunctioning key fobs.
      • Conduct a session to re-educate employees about security protocols associated with fob use.
    • Timeline: 2 months
    • Responsible Party: Security Manager

    3. Video Surveillance:

    Milestone: Upgrade video surveillance systems.

    • Actions:
      • Assess current camera placements and identify blind spots.
      • Install additional cameras as necessary.
      • Upgrade existing cameras to higher resolution models, if required.
    • Timeline: 4 months
    • Responsible Party: Surveillance Team

    4. Coverage of Physical Access Points:

    Milestone: Comprehensive review of audit logs for all access points.

    • Actions:
      • Conduct a thorough audit of current logs.
      • Identify and address any inconsistencies or missing data.
      • Implement additional logging mechanisms if gaps are identified.
    • Timeline: 3 months
    • Responsible Party: Audit Team

    5. Monitoring Publicly Accessible Areas:

    Milestone: Enhance auditing for publicly accessible systems.

    • Actions:
      • Catalog all workstations and devices in public areas.
      • Install additional monitoring mechanisms, such as intrusion detection, on these devices.
      • Periodically review logs specific to these devices.
    • Timeline: 3 months
    • Responsible Party: IT Department

    6. Training and Awareness:

    Milestone: Conduct a refresher training session.

    • Actions:
      • Organize a training schedule.
      • Update training materials to reflect the latest procedures.
      • Ensure all personnel undergo this training.
    • Timeline: 2 months
    • Responsible Party: Training Coordinator
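The log review that POA&M item 4 calls for ("identify and address any inconsistencies or missing data") can be partly automated for the electronic key-fob logs described in SSP item 2. The following is an added example, not code from this page or from any badge system: it parses constructed fob-reader events and flags unknown fobs, after-hours use, and unmatched IN/OUT pairs for escalation under SSP item 8. The CSV layout, fob IDs, issued-fob list, and business-hours window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample of key-fob reader events: "timestamp,fob_id,door,direction".
# The format and fob IDs are assumptions for this example, not a real product's output.
SAMPLE_LOG = """\
2024-03-04T07:55:12,FOB-1001,main-entrance,IN
2024-03-04T08:02:40,FOB-1002,main-entrance,IN
2024-03-04T08:30:05,FOB-1002,server-room,IN
2024-03-04T09:10:00,FOB-1002,server-room,OUT
2024-03-04T17:05:33,FOB-1001,main-entrance,OUT
2024-03-04T22:41:09,FOB-1002,server-room,IN
2024-03-04T23:15:47,FOB-9999,main-entrance,IN
2024-03-05T00:02:10,FOB-9999,main-entrance,OUT
"""

ISSUED_FOBS = {"FOB-1001", "FOB-1002"}      # result of the fob audit (constructed)
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed policy window


def parse_events(text):
    """Parse reader lines into (timestamp, fob, door, direction), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, fob, door, direction = line.split(",")
        events.append((datetime.fromisoformat(ts), fob, door, direction))
    return sorted(events)


def review_access_log(text, issued=ISSUED_FOBS, hours=BUSINESS_HOURS):
    """Return findings a log reviewer should escalate through incident reporting."""
    findings = []
    inside = defaultdict(set)   # door -> fobs currently inside, used to pair IN with OUT
    for ts, fob, door, direction in parse_events(text):
        if fob not in issued:
            findings.append(f"unknown fob {fob} at {door} {ts.isoformat()}")
        if not (hours[0] <= ts.time() <= hours[1]):
            findings.append(f"after-hours {direction} by {fob} at {door} {ts.isoformat()}")
        if direction == "IN":
            if fob in inside[door]:
                findings.append(f"duplicate IN without OUT: {fob} at {door} {ts.isoformat()}")
            inside[door].add(fob)
        elif direction == "OUT":
            if fob not in inside[door]:
                findings.append(f"OUT without matching IN: {fob} at {door} {ts.isoformat()}")
            inside[door].discard(fob)
    for door, fobs in inside.items():          # anything still "inside" is missing data
        for fob in sorted(fobs):
            findings.append(f"no OUT recorded: {fob} still inside {door}")
    return findings
```

Each finding maps to a data-quality gap (missing OUT, unknown fob) or a policy deviation (after-hours) that the review team can record in the audit log review and, where warranted, report.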

    RELEVANT INFORMATION:

    Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.