PE-8: Visitor Access Records
Previous Version:
- NIST Special Publication 800-53 Revision 4:
  - PE-8: Visitor Access Records
Control Statement
- Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period];
- Review visitor access records [Assignment: organization-defined frequency]; and
- Report anomalies in visitor access records to [Assignment: organization-defined personnel].
Supplemental Guidance
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.
Control Enhancements
PE-8(1): Automated Records Maintenance and Review
Baseline(s):
- High
Maintain and review visitor access records using [Assignment: organization-defined automated mechanisms].
PE-8(3): Limit Personally Identifiable Information Elements
Baseline(s):
- Privacy
Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements].