PE-8 VISITOR ACCESS RECORDS (NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki)
Control:
- a. Maintain visitor access records to the facility where the system resides for [ Assignment: organization-defined time period ];
- b. Review visitor access records [ Assignment: organization-defined frequency ]; and
- c. Report anomalies in visitor access records to [ Assignment: organization-defined personnel ].
Discussion: Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.
Related Controls: PE-2, PE-3, PE-6.
Control Enhancements:
- (1) VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE AND REVIEW
  Maintain and review visitor access records using [ Assignment: organization-defined automated mechanisms ].
  Discussion: Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions.
  Related Controls: None.
- (2) VISITOR ACCESS RECORDS | PHYSICAL ACCESS RECORDS
  [Withdrawn: Incorporated into PE-2.]
- (3) VISITOR ACCESS RECORDS | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS
  Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: [ Assignment: organization-defined elements ].
  Discussion: Organizations may have requirements that specify the contents of visitor access records. Limiting personally identifiable information in visitor access records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system.
  Related Controls: RA-3, SA-8.
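As an added illustration of the automated review that enhancement (1) describes (is the host's authorization still current? does every entry have a departure?) together with the element limiting in enhancement (3), the script below is not part of NIST SP 800-53 or this wiki. The sample log, the active-host roster, the 10-hour stay threshold, the anomaly labels and the allowed-element set are all assumptions standing in for the organization-defined values the control leaves open; an organization would take the roster from its PE-2 authorization list and the element set from its privacy risk assessment.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample visitor log using the element set the PE-8 discussion lists.
# None of these people, organizations or visits are real.
SAMPLE_CSV = """record_id,visitor_name,visitor_org,id_form,host,host_org,entry,departure,purpose
1,J. Doe,Contoso,driver licence,a.lee,Acme,2024-05-06T09:02,2024-05-06T11:40,vendor maintenance
2,M. Roe,Fabrikam,passport,b.kim,Acme,2024-05-06T08:15,,rack delivery
3,K. Li,Northwind,,a.lee,Acme,2024-05-06T13:00,2024-05-06T13:45,audit meeting
4,P. Sun,Contoso,driver licence,c.ortiz,Acme,2024-05-06T07:00,2024-05-06T19:30,cabling work
5,R. Chen,Fabrikam,passport,b.kim,Acme,2024-05-06T10:00,2024-05-06T09:30,tour
"""

# Assumed organization-defined values (not from the control text).
MAX_VISIT = timedelta(hours=10)        # longest stay before a record is flagged
ACTIVE_HOSTS = {"a.lee", "b.kim"}      # hosts still authorized per PE-2; c.ortiz is not
# PE-8(3): elements the (assumed) privacy risk assessment allows to be retained.
# The form of identification is deliberately excluded here.
ALLOWED_ELEMENTS = {"record_id", "visitor_name", "visitor_org", "host",
                    "entry", "departure", "purpose"}


def parse_records(text):
    """Parse the CSV log into dicts, converting timestamps (empty -> None)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["entry"] = datetime.fromisoformat(r["entry"]) if r["entry"] else None
        r["departure"] = datetime.fromisoformat(r["departure"]) if r["departure"] else None
    return rows


def review(records, active_hosts, now, max_visit):
    """Return (record_id, anomaly) pairs for PE-8 b/c reporting."""
    findings = []
    for r in records:
        rid = r["record_id"]
        if not r["id_form"]:
            findings.append((rid, "missing_identification"))
        if r["host"] not in active_hosts:
            # Host's authorization is no longer current: the review question PE-8 asks.
            findings.append((rid, "host_not_authorized"))
        entry, dep = r["entry"], r["departure"]
        if entry is None:
            findings.append((rid, "missing_entry_time"))
            continue
        if dep is None:
            # Still signed in: only an anomaly once the stay exceeds the threshold.
            if now - entry > max_visit:
                findings.append((rid, "no_departure_recorded"))
        elif dep < entry:
            findings.append((rid, "departure_before_entry"))
        elif dep - entry > max_visit:
            findings.append((rid, "visit_exceeds_threshold"))
    return findings


def minimize(record, allowed):
    """PE-8(3): keep only the elements the privacy risk assessment identified."""
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    review_time = datetime.fromisoformat("2024-05-07T08:00")  # assumed time of the review
    for rid, anomaly in review(recs, ACTIVE_HOSTS, review_time, MAX_VISIT):
        print(f"record {rid}: {anomaly}")
    print("retained elements:", minimize(recs[0], ALLOWED_ELEMENTS))
```

The anomaly list is what PE-8 c. would route to the designated personnel; the minimized record is what the database in enhancement (1) would actually store if the organization adopts enhancement (3). Note that `minimize` is applied at ingestion time in practice, so that elements like the identification form are verified at the desk but never written to the long-term record.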
References: None.