Physical access privileges that pose higher risk to the function receive additional scrutiny and monitoring
Context and Guidance: Facilities, or areas of facilities, where assets that pose a higher risk to the function reside may have additional or stricter physical access controls. Additional scrutiny might mean that access requests are approved by more than one person, or by an individual with a higher level of authority than is required for standard access requests. Additional monitoring might entail additional access logging requirements, additional surveillance of the environment, or additional badging and escorting requirements for visitors. This may be implemented via one or more additional access factors, additional logging, or active monitoring by security guards. As an example, an organisation may have a general badging system for facility access but also require a PIN to be entered for physical access to a portion of the facility. Additionally, it is important to note that the word risk is being used in this practice in the general sense of the word and is not intended to refer to any specific risks identified in the Risk Management domain of the C2M2. However, organisations should consider access to IT and OT assets, and the sufficiency of controls to manage that access, as potential sources of risk to be addressed in the risk identification, analysis and response activities discussed in the Risk Management domain.
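The guidance above describes three mechanisms for higher-risk areas: stricter approval of access requests (more than one approver, or a more senior one), an additional access factor at the door (badge plus PIN), and richer logging. The following is an added example, not part of the C2M2 text, that models those mechanisms as a small policy engine. The area names, risk tiers, approver levels and log fields are constructed assumptions for illustration; the example also enforces that a requester cannot approve their own request and that visitors to a high-risk area must be escorted, both of which follow the spirit of the practice rather than any wording in it.

```python
"""Added example (not C2M2 text): tiered physical access with additional
scrutiny, an additional access factor and additional logging for higher-risk
areas.  All names, tiers and thresholds below are constructed assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed policy table.  A higher-risk area needs more distinct approvers,
# a second access factor at the door, and more detail in the audit log.
AREA_POLICY: Dict[str, Dict] = {
    "lobby":        {"risk": "general", "min_approvers": 1, "factors": {"badge"}},
    "control_room": {"risk": "high",    "min_approvers": 2, "factors": {"badge", "pin"}},
}
# An approver at this level or above may approve a high-risk request alone
# ("an individual with a higher level of authority").  Assumed value.
SENIOR_LEVEL = 3


@dataclass
class Approver:
    name: str
    level: int


@dataclass
class AccessRequest:
    subject: str
    area: str
    approvers: List[Approver]
    is_visitor: bool = False


@dataclass
class EntryAttempt:
    subject: str
    area: str
    presented: Set[str]            # factors presented at the door, e.g. {"badge", "pin"}
    escort: Optional[str] = None   # escorting employee; required for visitors in high-risk areas


class PhysicalAccessPolicy:
    def __init__(self) -> None:
        self.granted: Dict[str, Set[str]] = {}   # subject -> areas with approved access
        self.visitors: Set[str] = set()
        self.audit_log: List[Dict] = []

    def review_request(self, req: AccessRequest) -> bool:
        """Additional scrutiny: high-risk areas need more than one approver,
        or a single approver at SENIOR_LEVEL or above.  Self-approval is ignored."""
        policy = AREA_POLICY[req.area]
        valid = [a for a in req.approvers if a.name != req.subject]
        distinct = {a.name for a in valid}
        senior = any(a.level >= SENIOR_LEVEL for a in valid)
        ok = bool(distinct) and (len(distinct) >= policy["min_approvers"] or senior)
        self.audit_log.append({"event": "request", "subject": req.subject,
                               "area": req.area, "approvers": sorted(distinct),
                               "approved": ok})
        if ok:
            self.granted.setdefault(req.subject, set()).add(req.area)
            if req.is_visitor:
                self.visitors.add(req.subject)
        return ok

    def check_entry(self, attempt: EntryAttempt) -> bool:
        """Door-time check: approved access, every required factor presented,
        and an escort for visitors entering a high-risk area."""
        policy = AREA_POLICY[attempt.area]
        high_risk = policy["risk"] == "high"
        authorised = attempt.area in self.granted.get(attempt.subject, set())
        factors_ok = policy["factors"] <= attempt.presented
        escort_ok = not (high_risk and attempt.subject in self.visitors) or attempt.escort is not None
        ok = authorised and factors_ok and escort_ok
        record = {"event": "entry", "subject": attempt.subject,
                  "area": attempt.area, "granted": ok}
        if high_risk:
            # Additional logging: record which factors were presented, who escorted,
            # and why a denial happened, so the extra scrutiny can be audited.
            reason = ("ok" if ok else "unauthorised" if not authorised
                      else "missing_factor" if not factors_ok else "no_escort")
            record.update({"factors": sorted(attempt.presented),
                           "escort": attempt.escort, "reason": reason})
        self.audit_log.append(record)
        return ok


if __name__ == "__main__":
    p = PhysicalAccessPolicy()
    p.review_request(AccessRequest("alice", "control_room",
                                   [Approver("bob", 1), Approver("carol", 2)]))
    p.check_entry(EntryAttempt("alice", "control_room", {"badge"}))          # denied: no PIN
    p.check_entry(EntryAttempt("alice", "control_room", {"badge", "pin"}))   # granted
    for entry in p.audit_log:
        print(entry)
```

The point of the split between `review_request` and `check_entry` is that the two controls the guidance names operate at different times: the approval rule is applied once when access is requested, while the factor and escort rules are applied at every entry, and only the high-risk records carry the extra fields an auditor would need.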
Related Practices
• Input From: Implementing ARCHITECTURE-3a provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ACCESS-3b, ACCESS-3h, ACCESS-3i.