PE.L1-B.1.VIII
Limit Physical Access

FCI Data

Security Requirement

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Policy refers to control of devices and accountability for protecting IT resources from unauthorized access.

University Policy 2402: Public Safety, Response, and Reporting

USU manages building access according to the building type and purpose and considers security in the maintenance of campus facilities.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.PS-01 - Physical access to assets is managed and protected.

Implementation Details

Documentation should include details to meet the Security Requirement for this control. Complete this list for each system or group of systems that processes or accesses FCI data:

  • List how access to spaces housing FCI systems (e.g., servers, workstations) is physically restricted to authorized individuals.
  • List the mechanisms used to control physical access (e.g., key cards, locks, guards).
  • List how access rights are approved, managed, and reviewed.
  • List any additional measures taken to secure physical environments where FCI is accessed.

Document How

  • authorized individuals allowed physical access are identified
  • physical access to organizational systems is limited to authorized individuals
  • physical access to equipment is limited to authorized individuals
  • physical access to operating environments is limited to authorized individuals

Example

Server rooms and FCI work areas are secured by HID proximity card readers, and only authorized personnel have card access. Access requests must be submitted through USU Facilities and approved by departmental leadership. Logs of physical entry are reviewed quarterly. Visitors are escorted at all times, and keys are retrieved during offboarding.

USU Services that could be leveraged to meet control requirements include*:

HID Proximity Card System

What it does:
  • Provides secure physical access controls to sensitive areas using proximity cards.
  • Records entries and entry attempts for auditing purposes.
How it helps a researcher:
  • Ensures only authorized personnel can access sensitive areas where FCI data is stored.
  • Provides an audit trail of who accessed specific areas and when.
Example:
  • Server rooms and FCI work areas are secured by HID proximity card readers. Logs of physical entry are reviewed monthly to ensure compliance with security policies.

USU Facilities Access Control Program

What it does:
  • Manages building access based on building type and purpose.
  • Implements structured processes for approving and managing access to university areas.
How it helps a researcher:
  • Reduces the risk of unauthorized entry to research areas.
  • Enables tracking and auditing of access requests and approvals.
Example:
  • Access requests for research labs must be submitted through USU Facilities and approved by departmental leadership.

Departmental Key Management Procedures

What it does:
  • Manages issuance, retrieval, and auditing of physical keys and prox cards through USU’s Facilities Key Office.
How it helps a researcher:
  • Ensures only authorized and qualified personnel gain access to secured facilities.
Example:
  • A PI requests lab access for a new assistant. After training and departmental approval, the assistant picks up their prox card from the Facilities Key Office, ensuring accountability.

USU Video Surveillance

What it does:
  • Monitors and records activity in and around campus facilities using video surveillance systems.
How it helps a researcher:
  • Provides evidence in case of security incidents or unauthorized access.
  • Enables centralized monitoring and faster response to incidents.
Example:
  • Research labs are equipped with cameras monitoring entry points and sensitive areas. Footage is reviewed regularly for security purposes.

Security Awareness Training

What it does:
  • Educates staff on security policies and best practices.
  • Trains users to recognize and respond to threats like phishing and social engineering.
How it helps a researcher:
  • Reduces the risk of data breaches by promoting secure behavior.
  • Encourages a culture of security awareness in daily research activities.
Example:
  • Researchers complete annual training covering physical security and threat recognition, ensuring preparedness to protect sensitive information.

*The list of services may not be complete or applicable for a given configuration. Using a given service does not by itself satisfy control requirements, and a service may require specific configuration to meet them. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review access control policies, physical entry logs, and building security configurations.
  • Interview:
    • Ask staff how physical access is approved, restricted, and monitored.
  • Test:
    • Attempt to enter restricted areas without authorization or observe access enforcement in practice.

Objects (examples of items you could present to the auditor)

  • Physical Access Policy: Documentation of who is allowed into sensitive areas and how that is enforced.
  • Access Logs: Reports showing who entered secure areas and when.
  • Badge Assignment Records: Lists of individuals with key card or physical key access.
  • Facility Diagrams: Highlighting physically protected areas and access points.
  • Visitor Procedures: Instructions or forms used to control and track temporary access.
  • Offboarding Checklist: Confirmation that physical access is removed when no longer required.