3.10.4—Physical Protection - Derived
Derived Requirement
>Control Description
Maintain audit logs of physical access.
>Discussion
Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both.
System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern maintaining audit logs of physical access?
- What procedures define physical access audit requirements?
- Who reviews physical access logs and how often?
- What retention period applies to physical access logs?
- What governance ensures physical access accountability?
Technical Implementation:
- What systems log physical access events?
- How do access control systems capture entry/exit records?
- What centralized logging aggregates physical access data?
- How do you protect physical access logs from tampering?
- What reporting tools analyze physical access patterns?
Evidence & Documentation:
- Can you provide physical access audit logs?
- What evidence shows logs are retained per policy?
- Can you demonstrate log review and analysis activities?
- What reports identify physical access anomalies?
- What audit findings verify physical access logging compliance?
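Two of the technical questions above, tamper protection of the logs and reporting on access anomalies, are easiest to answer with a concrete artifact. The following is an added example, not part of this page or of NIST SP 800-171: it takes constructed badge-reader events (the event format, door names and badge IDs are assumed for illustration), chains each record to the previous one with SHA-256 so that any edit to an earlier record breaks every later digest, and runs three simple anomaly checks (granted access outside business hours, repeated denials at one door, and an entry with no matching exit). The thresholds and hours are assumptions a real program would set by policy.

```python
import hashlib
import json
from datetime import datetime, time

# Constructed sample badge-reader events (not from any real system).
# Each line: ISO timestamp, door, badge ID, direction, result.
SAMPLE_EVENTS = """\
2024-03-04T08:02:11Z,main-entrance,PIV-1001,in,granted
2024-03-04T08:05:40Z,server-room,PIV-1001,in,granted
2024-03-04T08:06:02Z,server-room,PIV-2002,in,denied
2024-03-04T12:15:33Z,server-room,PIV-1001,out,granted
2024-03-04T17:30:09Z,main-entrance,PIV-1001,out,granted
2024-03-04T23:41:57Z,server-room,PIV-3003,in,granted
2024-03-05T00:10:12Z,server-room,PIV-2002,in,denied
2024-03-05T00:12:45Z,server-room,PIV-2002,in,denied
2024-03-05T00:13:20Z,server-room,PIV-2002,in,denied
"""

# Assumed policy values; a real deployment takes these from procedure.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
DENIAL_THRESHOLD = 3
GENESIS = "0" * 64


def parse_events(text):
    """Parse the CSV-style event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, door, badge, direction, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "door": door, "badge": badge,
            "direction": direction, "result": result,
        })
    return events


def build_hash_chain(events, genesis=GENESIS):
    """Return a list of (record, digest); each digest covers the previous digest and this record."""
    chain = []
    prev = genesis
    for ev in events:
        record = json.dumps({**ev, "ts": ev["ts"].isoformat()}, sort_keys=True)
        digest = hashlib.sha256((prev + "\n" + record).encode()).hexdigest()
        chain.append((record, digest))
        prev = digest
    return chain


def verify_chain(chain, genesis=GENESIS):
    """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
    prev = genesis
    for i, (record, digest) in enumerate(chain):
        expected = hashlib.sha256((prev + "\n" + record).encode()).hexdigest()
        if expected != digest:
            return i
        prev = digest
    return -1


def find_anomalies(events):
    """Return (kind, badge, door, detail) tuples for the three checks."""
    findings = []
    # 1. Access granted outside business hours.
    for ev in events:
        in_hours = BUSINESS_HOURS[0] <= ev["ts"].time() < BUSINESS_HOURS[1]
        if ev["result"] == "granted" and not in_hours:
            findings.append(("after_hours", ev["badge"], ev["door"], ev["ts"].isoformat()))
    # 2. Repeated denials for the same badge at the same door.
    denials = {}
    for ev in events:
        if ev["result"] == "denied":
            key = (ev["badge"], ev["door"])
            denials[key] = denials.get(key, 0) + 1
    for (badge, door), n in denials.items():
        if n >= DENIAL_THRESHOLD:
            findings.append(("repeated_denials", badge, door, n))
    # 3. Granted entry with no later granted exit at the same door.
    inside = {}
    for ev in events:
        if ev["result"] != "granted":
            continue
        key = (ev["badge"], ev["door"])
        if ev["direction"] == "in":
            inside[key] = ev["ts"]
        elif ev["direction"] == "out":
            inside.pop(key, None)
    for (badge, door), ts in inside.items():
        findings.append(("no_exit", badge, door, ts.isoformat()))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    chain = build_hash_chain(evs)
    print("chain intact:", verify_chain(chain) == -1)
    for f in find_anomalies(evs):
        print(f)
```

A hash chain only makes in-place edits detectable; deleting the newest records still verifies. To cover truncation, the latest digest has to be recorded somewhere the access-control server cannot rewrite (a separate log system, a signed daily summary, or a written sign-off), which is also the artifact an assessor can compare against when asking for evidence of tamper protection.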