
PE-3 Physical Access Control

PBMM (P1)
Secret (P1)
Operational

Control Description

(A) The organization enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:
    (a) Verifying individual access authorizations before granting access to the facility; and
    (b) Controlling ingress/egress to the facility using [Selection (one or more): organization-defined physical access control systems/devices; guards].

(B) The organization maintains physical access audit logs for organization-defined entry/exit points.

(C) The organization provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible.

(D) The organization escorts visitors and monitors visitor activity in organization-defined circumstances requiring visitor escorts and monitoring.

(E) The organization secures keys, combinations, and other physical access devices.

(F) The organization inventories organization-defined physical access devices at an organization-defined frequency.

(G) The organization changes combinations and keys at an organization-defined frequency and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

Supplemental Guidance

Control of access to restricted-access areas and other organizational space is to be provided in a manner which does not contravene the life safety requirements of the 2010 National Building Code (NBC) [Reference 19], 2010 National Fire Code (NFC) [Reference 20] and related codes, standards and guidelines. Refer to RCMP G1-010, Security Connotations of the 1995 National Building Code [Reference 21] for more information.

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors.

Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas.

Physical access control systems comply with applicable GC legislation and TBS policies, directives, and standards. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof.

Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.

Profile-Specific Parameters

(F) Inventories of physical devices [annually]

(G) Changes combinations and keys [only when keys are lost, combinations are compromised or individuals are transferred or terminated]
