Control 7.2: Physical Entry Controls
Summary
Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. This moves beyond the perimeter to the specific technical controls used to authenticate individuals at the point of entry.
Applicability
In-Scope: Critical for rooms containing IT infrastructure, network equipment, or sensitive paper records. It ensures that every entry event is authenticated, authorized, and recorded for accountability.
Out-of-Scope: Never out-of-scope for any physical location where sensitive assets are housed.
Implementation Guidance
Microsoft 365 / Entra ID
- Biometric Integration: Where high security is required, integrate biometric hardware with identity providers to ensure multifactor authentication is part of the physical entry process.
- Audit Trails: Ensure the physical entry system exports logs to Azure Monitor or Microsoft Sentinel to correlate physical entries with digital logins, aiding in the detection of impossible travel or credential sharing.
- Management: Utilize Microsoft Teams notifications to alert facilities managers in real time when a sensor detects that a restricted door has been left open for an extended period.
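The physical-to-digital correlation described under Audit Trails, as an added Python example that stands in for the logic a Sentinel analytics rule would carry; it is not code from the page or from any badge vendor. The record layouts, site names, the "REMOTE" marker for VPN sources and the 60-minute window are constructed assumptions.

```python
"""Correlate badge-reader entries with sign-in events to flag two patterns:
impossible_travel: an account badged into a site, then signed in from
    somewhere else (shared credentials or a shared badge);
no_badge_entry: an account signed in from inside a site it never badged
    into (tailgating or a shared login).
Record layout and sample values are constructed for this example."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # assumed: how long a badge-in "covers" a sign-in

# Constructed sample data: (ISO-8601 UTC timestamp, account, site).
# Sign-in site is the building a source address maps to, or "REMOTE".
BADGE_EVENTS = [
    ("2024-03-04T08:02:00", "alice", "HQ-DC1"),
    ("2024-03-04T08:05:00", "bob", "HQ-DC1"),
]
SIGNIN_EVENTS = [
    ("2024-03-04T08:10:00", "alice", "HQ-DC1"),  # badge and sign-in agree
    ("2024-03-04T08:20:00", "bob", "REMOTE"),    # badged into HQ, signs in remotely
    ("2024-03-04T09:00:00", "carol", "HQ-DC1"),  # on-site sign-in, never badged in
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(badge_events, signin_events, window=WINDOW):
    """Return alerts as (rule, account, signin_timestamp) tuples."""
    alerts = []
    for s_time, user, s_site in signin_events:
        t = _ts(s_time)
        # Sites this account badged into during the window before the sign-in.
        recent_sites = [
            site for b_time, b_user, site in badge_events
            if b_user == user and timedelta(0) <= t - _ts(b_time) <= window
        ]
        if recent_sites and s_site not in recent_sites:
            alerts.append(("impossible_travel", user, s_time))
        elif not recent_sites and s_site != "REMOTE":
            alerts.append(("no_badge_entry", user, s_time))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, SIGNIN_EVENTS):
        print(*alert)
```

A remote sign-in with no badge entry raises nothing, since working from home is the expected case; only the mismatch between where the badge says a person is and where the login comes from is reported.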
Evidence Checklist
- Entry Authorization Records: A list of personnel formally authorized to enter specific high-security zones.
- Maintenance Records: Logs showing that badge readers, biometric scanners, and electronic locks are tested and maintained.
- Visitor Badge Logs: Records showing that visitors were issued temporary, restricted-access badges and were properly escorted.
Practical Audit Advice
Here are some questions the auditor might ask:
- Are employees trained to challenge any individual in a restricted area who is not wearing a visible and valid ID badge?
- What technical or procedural measures are in place to prevent or monitor for tailgating at secure entry points?
- What is the process for reviewing entry logs to identify unusual patterns of access, such as entry during unauthorized hours?
- How are physical master keys or administrative badges managed, inventoried, and secured when not in use?