PE 6 MONITORING PHYSICAL ACCESS - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
• b. Review physical access logs [ Assignment: organization-defined frequency ] and upon occurrence of [ Assignment: organization-defined events or potential indications of events ]; and
• c. Coordinate results of reviews and investigations with the organizational incident response capability.

Discussion: Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2, if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

Related Controls: AU-2, AU-6, AU-9, AU-12, CA-7, CP-10, IR-4, IR -8.

Control Enhancements:

• (1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS AND SURVEILLANCE EQUIPMENT
  Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.

  Discussion: Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility.

  Related Controls: None.

• (2) MONITORING PHYSICAL ACCESS | AUTOMATED INTRUSION RECOGNITION AND RESPONSES
  Recognize [ Assignment: organization-defined classes or types of intrusions ] and initiate [ Assignment: organization-defined response actions ] using [ Assignment: organization-defined automated mechanisms ].

  Discussion: Response actions can include notifying selected organizational personnel or law enforcement personnel. Automated mechanisms implemented to initiate response actions include system alert notifications, email and text messages, and activating door locking mechanisms. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide integrated threat coverage for the organization.

  Related Controls: SI-4.

• (3) MONITORING PHYSICAL ACCESS | VIDEO SURVEILLANCE
  

  • (a) Employ video surveillance of [ Assignment: organization-defined operational areas ];
  • (b) Review video recordings [ Assignment: organization-defined frequency ]; and
  • (c) Retain video recordings for [ Assignment: organization-defined time period ].

  Discussion: Video surveillance focuses on recording activity in specified areas for the purposes of subsequent review, if circumstances so warrant. Video recordings are typically reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not required, although organizations may choose to do so. There may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location.

  Related Controls: None.

• (4) MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO SYSTEMS
  Monitor physical access to the system in addition to the physical access monitoring of the facility at [ Assignment: organization-defined physical spaces containing one or more components of the system ].

  Discussion: Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization.

  Related Controls: None.

References: None.