Control 7.4: Physical Security Monitoring
Summary
The organization should continuously monitor physical areas for unauthorized access or suspicious activity. This involves the use of surveillance systems, alarms, and human oversight to provide real-time situational awareness.
Applicability
In-Scope: Necessary for the early detection of physical breaches and providing evidence for post-incident forensic investigations. It is vital for maintaining the integrity of the physical environment.
Out-of-Scope: Can only be partially reduced in scope for small, low-risk offices where the building owner provides 100% of the monitoring, and only if the organization formally verifies that service.
Implementation Guidance
Microsoft 365 / Entra ID
- Surveillance Data: Store critical CCTV footage in Azure Blob Storage with immutable Object Lock policies to ensure that evidence cannot be deleted or altered during an investigation.
- Incident Integration: Integrate physical alarm systems with Microsoft Sentinel to trigger an office security incident alert if a perimeter is breached or an alarm is triggered after hours.
- Guard Communication: Use Microsoft Teams Walkie Talkie for real-time, encrypted communication between physical security personnel and the IT operations center.
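The "Surveillance Data" item above relies on the footage container being immutable in practice, not just configured. The following is an added example (not from the original page or from Microsoft) showing the Azure feature that bullet refers to as Object Lock, which Azure itself calls immutable storage: a time-based retention policy that is then locked, plus a legal hold for an open investigation. It assumes the Az.Storage module is installed and Connect-AzAccount has been run; the resource group, storage account, container and hold tag are placeholders.

```powershell
# Added example (not from the original page): enforce a locked, time-based
# retention policy on the container that holds CCTV exports, then verify it.
# Assumptions: Az.Storage is installed and Connect-AzAccount has been run;
# resource group, account, container and hold tag are placeholders.
$rg            = 'rg-physec-placeholder'
$account       = 'stcctvplaceholder'
$container     = 'cctv-exports'
$retentionDays = 365    # retention period required by the monitoring policy

# 1. Create (or update) the time-based retention policy. While it is still
#    unlocked, a storage administrator can shorten or delete it.
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container `
    -ImmutabilityPeriod $retentionDays

# 2. Lock the policy. Once locked it can only be extended, never shortened
#    or removed, which is what makes the footage tamper-evident to an auditor.
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container `
    -Etag $policy.Etag -Force

# 3. Add a legal hold for an open investigation. Blobs stay immutable until
#    every hold tag is cleared, even after the retention clock has expired.
Add-AzRmStorageContainerLegalHold -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container `
    -Tag 'incident-placeholder-001'

# 4. Evidence for the audit file: confirm the policy is locked and list holds.
$state = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container
$holds = (Get-AzRmStorageContainer -ResourceGroupName $rg `
    -StorageAccountName $account -Name $container).LegalHold
if ($state.State -ne 'Locked') {
    throw "Retention policy on '$container' is not locked; footage is still deletable"
}
"Retention: $($state.ImmutabilityPeriodSinceCreationInDays) days, state: $($state.State)"
"Legal hold tags: $($holds.Tags.Tag -join ', ')"
```

Step 4 is the check worth keeping for the Evidence Checklist: an unlocked policy satisfies the configuration screenshot but not the control.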
Evidence Checklist
- Monitoring Procedures: Documented instructions for how alarms and surveillance systems are monitored and the required response for different alerts.
- Surveillance Logs: Evidence that cameras are functional, covering key areas, and that footage is retained for the period defined in the policy.
- Alarm Test Records: Logs showing that intruder alarms, panic buttons, and fire alarm systems are tested on a regular schedule.
Practical Audit Advice
Here are some questions the auditor might ask:
- How do you ensure that there are no blind spots in the surveillance coverage of your most sensitive entry and exit points?
- What is the expected response time for the security team or local authorities when a high-priority physical alarm is triggered?
- How is the surveillance footage protected from unauthorized access, modification, or tampering by internal staff?
- Can you demonstrate that the physical monitoring systems operate 24/7, including during power outages or network failures?