DCS-09: Secure Area Authorization

Control Family:

Datacenter Security

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set and incorporates the following items from the previous version: DCS-07: Secure Area Authorization, DCS-09: User Access.

Control Statement

Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.

Implementation Guidance

Monitor, control, and isolate data storage and processing facilities, including ingress and egress points to service and delivery areas and other points where unauthorized personnel may enter the premises. Organizations should retain access logs for authorized personnel for no less than six (6) months. Facilities owners should adopt the ISO/IEC_27001_2013-A.11.1.2 standard. Record the dates and times of visitor entries and departures, and supervise all visitors unless their access has been previously approved. Visitors should only be granted access for specific, authorized purposes and issued with instructions on area security requirements and emergency procedures. Authenticate visitor identities by any appropriate means (i.e., validation with government-issued identification (ID), such as an official identity document, driver's license, passport, etc.).

Auditing Guidance

  1. Examine the policy and procedures relating to access to secure areas.
  2. Determine if the policy includes ingress and egress points to service and delivery areas.
  3. Determine if procedures include activities and actions against unauthorized personnel in the premises.
  4. Confirm that existence, review, and retention of Access logs for secure areas are aligned with policy and procedures.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.