3.10.5 has a weight of -1 points

System Security Plan (SSP) for Control 3.10.5

Title: Control and Management of Physical Access Devices

Purpose: To ensure the integrity, confidentiality, and availability of the organization’s physical resources by implementing strict controls and management measures for physical access devices.

Policy Statement: The organization is committed to maintaining robust controls over physical access devices, including but not limited to keys, locks, combinations, and card readers. These devices safeguard the organization’s assets and prevent unauthorized access to sensitive areas.

1. Inventory and Tracking:

• Description: All physical access devices are logged and tracked. This inventory assists in maintaining a clear record of all devices, their locations, and authorized users.
• Implementation: A centralized inventory system, managed by the Facility Security Officer (FSO), logs all physical access devices, their associated access points, and designated users.

2. Issuance and Authorization:

• Description: Physical access devices are issued following strict authorization procedures.
• Implementation: Human Resources (HR) provides directives on personnel authorized to receive physical access devices, which the FSO implements.

3. Key Management:

• Description: A comprehensive key management system ensures keys’ secure storage, issuance, and duplication prevention.
• Implementation: Keys are stored in a secured key cabinet. Their issuance and return are logged. Duplication is strictly prohibited without the FSO’s authorization.

4. Locks and Combinations:

• Description: Locks and combination systems are essential components of the physical security framework.
• Implementation: Regular inspections ensure their operational effectiveness. Combinations are changed periodically and after any security incidents.

5. Card Reader Access:

• Description: Electronic access controls, like card readers, provide enhanced security measures.
• Implementation: Access logs from card readers are periodically reviewed. Unauthorized access attempts trigger alerts to the security team.

6. Monitoring and Auditing:

• Description: Monitoring ensures that physical access devices function as intended and that anomalies are detected promptly.
• Implementation: Routine audits, spearheaded by the Audit Team, analyze access logs, device conditions, and user behaviors to identify potential security risks.

7. Replacement and Decommissioning:

• Description: The life cycle of physical access devices is managed to ensure security at all stages.
• Implementation: Lost, compromised, or outdated devices are promptly reported to the FSO and replaced. Decommissioned devices undergo secure disposal procedures.

8. Training and Awareness:

• Description: Continuous training ensures that all personnel are aware of their roles and responsibilities concerning physical access devices.
• Implementation: Regular training sessions, led by the Training Coordinator, cover device usage, security protocols, and incident reporting procedures.

9. Incident Reporting and Response:

• Description: Rapid response to incidents prevents potential security breaches.
• Implementation: Incidents related to physical access devices are reported to the Incident Response Team, which follows established response protocols to address and mitigate risks.

10. Continuous Improvement:

• Description: The organization is committed to adapting and enhancing its security measures over time.
• Implementation: Feedback loops, periodic reviews, and security assessments ensure that the control and management of physical access devices evolve with changing security landscapes.

Plan of Action & Milestones (POA&M) for Control 3.10.5

1. Control Title: Control and Management of Physical Access Devices

2. Overview:

The POA&M provides a strategic roadmap to ensure the proper control and management of physical access devices, with clear action steps, milestones, and responsibilities. This POA&M aids in addressing potential weaknesses and ensures continuous improvement in physical security measures.

3. Identified Weaknesses:

a. Inventory and Tracking:

• Issue: Incomplete inventory of physical access devices.
• Proposed Solution: Implement a centralized inventory system for all devices.

b. Issuance and Authorization:

• Issue: Inconsistent procedures for device issuance.
• Proposed Solution: Streamline the process with clear guidelines from HR and implementation by the FSO.

c. Monitoring and Auditing:

• Issue: Lack of routine audits for access logs.
• Proposed Solution: Initiate periodic audit schedules.

d. Training and Awareness:

• Issue: Outdated training material and sporadic sessions.
• Proposed Solution: Revamp training material and schedule regular sessions.

4. Action Items & Milestones:

a. Develop a Centralized Inventory System:

• Action: Design and deploy a system.
• Deadline: [Insert Date]
• Responsibility: Facility Security Officer (FSO)

b. Streamline Issuance Procedures:

• Action: Draft clear guidelines for device issuance.
• Deadline: [Insert Date]
• Responsibility: HR & FSO

c. Initiate Periodic Audit Schedules:

• Action: Set a calendar for routine audits.
• Deadline: [Insert Date]
• Responsibility: Audit Team

d. Revamp Training Material:

• Action: Update training content and delivery methods.
• Deadline: [Insert Date]
• Responsibility: Training Coordinator

5. Resources Required:

• Centralized inventory system software/hardware
• Training materials and tools
• Additional staff for audits (if necessary)

6. Estimated Costs:

• Inventory System: [Insert Cost]
• Training Materials: [Insert Cost]
• Audits: [Insert Cost]

7. Monitoring & Reporting:

Quarterly reviews will be conducted by the Oversight Committee to track progress and ensure the successful implementation of all action items.

8. Sign Off:

• Prepared by: [Your Name]
• Date: [Insert Date]
• Reviewed and Approved by: [Reviewer/Manager’s Name]
• Date: [Insert Date]