9.3 Control physical access for onsite personnel to sensitive areas as follows:
• Access must be authorized and based on individual job function.
• Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
9.3.a For a sample of onsite personnel with physical access to sensitive areas, interview responsible personnel and observe access control lists to verify that:
- Access to the sensitive area is authorized.
- Access is required for the individual’s job function.
9.3.b Observe personnel accessing sensitive areas to verify that all personnel are authorized before being granted access.
9.3.c Select a sample of recently terminated employees and review access control lists to verify the personnel do not have physical access to sensitive areas.
Controlling physical access to sensitive areas helps ensure that only authorized personnel with a legitimate business need are granted access.
When personnel leave the organization, all physical access mechanisms should be returned or disabled promptly upon their departure, so that former personnel cannot gain physical access to sensitive areas once their employment has ended.
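The testing procedures in 9.3.a and 9.3.c amount to reconciling a badge-system access control list against HR records and a job-function authorization matrix. The following added example (not part of the standard or any assessor tooling) automates that reconciliation over constructed sample data; the roster, area names and job functions are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data, not from the standard. In practice the ACL comes
# from the badge system export and the roster from the HR system.
AUTHORIZED_AREAS = {  # job function -> sensitive areas that role actually needs
    "datacenter-ops": {"server-room", "media-vault"},
    "facilities": {"server-room"},
    "finance": set(),
}

@dataclass(frozen=True)
class Person:
    user_id: str
    job_function: str
    terminated_on: Optional[date]  # None while still employed

HR_ROSTER = {
    "u100": Person("u100", "datacenter-ops", None),
    "u101": Person("u101", "facilities", None),
    "u102": Person("u102", "finance", None),
    "u103": Person("u103", "datacenter-ops", date(2024, 3, 1)),  # terminated
}

# Badge ACL rows: (user_id, area, badge_active)
BADGE_ACL = [
    ("u100", "server-room", True),
    ("u100", "media-vault", True),
    ("u101", "server-room", True),
    ("u102", "server-room", True),  # finance has no need for this (9.3.a)
    ("u103", "media-vault", True),  # terminated but still active (9.3.c)
    ("u999", "server-room", True),  # badge holder missing from HR roster
    ("u103", "server-room", False), # already disabled: not a finding
]

def reconcile(acl, roster, authorized, as_of):
    """Return (user_id, area, reason) for every active grant that fails 9.3."""
    findings = []
    for user_id, area, active in acl:
        if not active:
            continue
        person = roster.get(user_id)
        if person is None:
            findings.append((user_id, area, "no HR record for badge holder"))
        elif person.terminated_on is not None and person.terminated_on <= as_of:
            findings.append((user_id, area, "9.3.c: terminated, access still active"))
        elif area not in authorized.get(person.job_function, set()):
            findings.append((user_id, area, "9.3.a: area not required for job function"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(BADGE_ACL, HR_ROSTER, AUTHORIZED_AREAS, date(2024, 6, 1)):
        print(*finding, sep="\t")
```

Running the full ACL rather than a sample turns the assessor's spot check into a recurring control that can be scheduled after every HR termination feed.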