Has your organization implemented enhanced physical security controls for areas containing high-risk assets?
Explanation
High-risk assets (such as critical servers, sensitive data storage, financial systems, or intellectual property) require additional layers of physical protection beyond standard security measures. These enhanced controls might include biometric access systems, mantrap entries, 24/7 security personnel, CCTV monitoring, motion sensors, or reinforced physical barriers.
Evidence of compliance could include: a documented physical security policy specific to high-risk assets, photographs of enhanced security measures, access control logs showing restricted permissions, floor plans indicating security zones, or security assessment reports that evaluate the effectiveness of these additional controls.
Implementation Example
Employ additional physical security controls for areas that contain high-risk assets
ID: PR.AA-06.212
Context
- Function: PR (PROTECT)
- Category: PR.AA (Identity Management, Authentication, and Access Control)
- Sub-Category: Physical access to assets is managed, monitored, and enforced commensurate with risk
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?