| Control activities | Control techniques | Audit procedures |
|---|---|---|
| | AC-6.1.7. Periodic monitoring and independent evaluations of the physical security program are conducted. Physical security incidents are effectively monitored and appropriate countermeasures are implemented. | Check if the entity evaluates its physical security program and controls. Obtain and review the entity's most recent self-assessments and compliance review report. Determine if security incidents are recorded, effectively analyzed, and result in appropriate countermeasures. Coordinate with SM-5: Monitor the effectiveness of the security program, and AC-5: Implement an effective audit and monitoring capability. |
| | AC-6.1.8. When possible, do not co-locate high-risk operations with non-essential support organizations (for example, cafeteria, day care, banks, news media). If not possible, place appropriate security between such support organizations and critical facilities. | Identify co-located operations and their respective risk levels. Determine if the entity co-locates high-risk operations with support operations and assess the security impact. |
| | AC-6.1.9. Visitors, contractors, and maintenance personnel are authenticated through the use of preplanned appointments and identification checks. | Review appointment and verification procedures for visitors, contractors, and maintenance personnel. Compare actual practices to procedures. |
| AC-6.2. Establish adequate perimeter security based on risk. | AC-6.2.1. Control/restrict vehicle and pedestrian traffic around the facility based on the facility's risk level. Specific measures include fences, gates, locks, guard posts, perimeter patrols and inspections. | Determine if vehicle and pedestrian traffic around the facility is adequately controlled for the risk level. Inspect the perimeter for physical security and access control weaknesses. Assess the effectiveness of perimeter guard procedures and practices for controlling access to facility grounds. |
| | AC-6.2.2. Control employee and visitor parking. For example, restrict access to facility parking and parking adjacent to the facility (including leases), use ID systems and procedures for authorized parking (for example, placard, decal, card key), have signs and arrangements for towing of unauthorized vehicles and adequate lighting for parking areas. | Observe parking area and related controls. Check if identification systems and procedures for authorized parking are in place. Determine what is done about unauthorized vehicles (e.g., towing). |
| | AC-6.2.3. Monitor the perimeter with closed circuit television (CCTV), including cameras with time-lapse video recording and warning signs advising of 24-hour video surveillance. | Inspect the facility surveillance camera system to assess its capacity and ability to assist in protecting the facility's perimeter. |
| | AC-6.2.4. Lighting is adequate for effective surveillance and evacuation operations. Emergency power backup exists for lighting (as well as for alarm and monitoring systems). | Observe perimeter and exterior building lighting to determine its adequacy. Also, determine if emergency power is available for security systems. Request test results. |
| | AC-6.2.5. Extend perimeter barriers (for example, concrete, steel) and parking barriers, as needed, to prevent unauthorized access and reduce exposure to explosions. | Determine if perimeter barriers are used and extended if appropriate. |
| AC-6.3. Establish adequate security at entrances and exits based on risk. | AC-6.3.1. All employee access is authorized and credentials (for example, badges, identification cards, smart cards) are issued to allow access. | Observe and document all access control devices used to secure the facility. |
Page 264 3.2. Access Controls (AC)