PE.L1-B.1.IX
Manage Visitors & Physical Access

FCI Data

Security Requirement

Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Policy refers to control of devices and accountability for protecting IT resources from unauthorized access.

University Policy 2402: Public Safety, Response, and Reporting

USU manages building access according to the building type and purpose and considers security in the maintenance of campus facilities.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.PS-02 - Visitor access is managed, monitored, and logged.

Implementation Details

Documentation should include details to meet the Security Requirement for this control. Complete this list for each system or systems that process or access FCI data:

  • List the procedures in place to ensure that visitors are properly identified, signed in, and escorted.
  • List how visitor access is controlled in areas where FCI systems are used or stored.
  • List any monitoring or logging used to track visitor presence or activities.
  • List any additional safeguards used to protect FCI during or after visitor presence.

Document How

  • visitors are escorted
  • visitor activity is monitored
  • audit logs of physical access are maintained
  • physical access devices are identified
  • physical access devices are controlled
  • physical access devices are managed

Example


All visitors to secured IT areas must check in at the front desk and are issued a visitor badge. They are escorted at all times by an authorized staff member. Visitor logs are maintained at the point of entry and reviewed as needed. Any unescorted visitor observed in a restricted area must be reported to security immediately.


Building Access Monitoring Systems

What it does:
  • Monitors and records access to buildings and specific areas using electronic systems such as proximity card readers and access control panels.
  • Provides real-time data on who is entering and exiting secured areas.
How it helps a researcher:
  • Ensures that only authorized personnel and visitors can access areas where FCI data is stored or processed.
  • Creates an audit trail of physical access for compliance and investigation purposes.
Example:
  • Under USU Policy 2402, secure buildings require visitor check-in and escorting by authorized staff. Access logs are reviewed regularly by facility or security personnel.

Security Awareness Training

What it does:
  • Educates staff on security policies and best practices, including visitor access management.
  • Raises awareness about protecting sensitive information and physical security.
How it helps a researcher:
  • Trains researchers to properly identify, sign in, and escort visitors, reducing unauthorized access risks.
  • Promotes a culture of security awareness in daily research activities.
Example:
  • Researchers complete annual training that includes procedures for managing visitor access, escorting, and monitoring to ensure compliance with security policies.

USU Surveillance Cameras

What it does:
  • Monitors and records activity in and around campus facilities using video surveillance systems.
  • Provides high-resolution images for security and investigative purposes.
How it helps a researcher:
  • Enables centralized monitoring and faster response to incidents.
  • Provides evidence in case of security incidents or unauthorized access.
Example:
  • Research labs are equipped with surveillance cameras at entry points and sensitive areas. Footage is reviewed regularly for security purposes.

USU Services that could be leveraged to meet control requirements include*:

*List of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements or may require specific configuration to meet control requirements. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review visitor logs, escort policies, and access control procedures.
  • Interview:
    • Ask staff how visitors are handled and what steps are taken to ensure they are escorted.
  • Test:
    • Observe whether visitors are actually escorted in secured areas or attempt to follow visitor procedures.

Objects (examples of items you could present to the auditor)

  • Visitor Log Sheets: Physical or digital records of visitors entering restricted areas.
  • Escort Policy: Written procedure outlining how visitors are managed.
  • Training Materials: Showing staff have been trained on escort and monitoring procedures.
  • Badge Logs: Records of issued visitor badges.
  • Incident Reports: Records of past visitor access violations or corrective actions.