
NIST 800-171 - Physical Access Devices (3.10.5)

Overview:
Control and manage physical access devices.


Action Items:
3.10.5[a]
Determine if: physical access devices are identified.


3.10.5[b]
Determine if: physical access devices are controlled.


3.10.5[c]
Determine if: physical access devices are managed.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records.
2) Interview: Personnel with physical access control responsibilities; personnel with information security responsibilities.
3) Test: Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices.


Related Documents (document name and content will vary by organization):
1) Physical and environmental protection policy
2) procedures addressing physical access control
3) system security plan
4) physical access control logs or records
5) inventory records of physical access control devices
6) system entry and exit points
7) records of key and lock combination changes
8) storage locations for physical access control devices
9) physical access control devices
10) list of security safeguards controlling access to designated publicly accessible areas within facility
11) other relevant documents or records


Additional Guidance:
Physical access devices include, for example, keys, locks, combinations, and card readers.