9.3 Control physical access for onsite personnel to the sensitive areas as follows:
• Access must be authorized and based on individual job function.
• Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
9.3.a For a sample of onsite personnel with physical access to the CDE, interview responsible personnel and observe access control lists to verify that:
• Access to the CDE is authorized.
• Access is required for the individual’s job function.
9.3.b Observe personnel access the CDE to verify that all personnel are authorized before being granted access.
9.3.c Select a sample of recently terminated employees and review access control lists to verify the personnel do not have physical access to the CDE.
Controlling physical access to the CDE helps ensure that only authorized personnel with a legitimate business need are granted access.
When personnel leave the organization, all physical access mechanisms should be returned or disabled promptly upon their departure, so that former personnel cannot gain physical access to the CDE once their employment has ended.