Assessing Physical Access Controls
Question
Which of the following questions is less likely to help in assessing physical access controls?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.B.
Physical security and environmental security are part of operational controls, and are measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment.
All the questions above are useful in assessing physical access controls except for the one regarding operating system configuration, which is a logical access control.
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-21 to A-24).
The question that is less likely to help in assessing physical access controls is answer B: "Is the operating system configured to prevent circumvention of the security software and application controls?"
Physical access controls are designed to protect physical assets, such as buildings, rooms, or equipment, from unauthorized access. Answer B is related to technical controls, which are designed to protect information systems, software, and data from attacks, but are not directly related to physical access controls.
Answers A, C, and D are more directly related to physical access controls:
A. Does management regularly review the list of persons with physical access to sensitive facilities? This question addresses the management oversight of access controls, which is a key aspect of physical security.
C. Are keys or other access devices needed to enter the computer room and media library? This question addresses the use of access devices, which are physical mechanisms that restrict entry to sensitive areas.
D. Are visitors to sensitive areas signed in and escorted? This question addresses the procedures for controlling access by visitors, which is an important aspect of physical access controls.
In summary, physical access controls are concerned with protecting physical assets from unauthorized access, whereas technical controls are designed to protect information systems, software, and data from attacks. Answer B is less likely to help in assessing physical access controls because it is focused on technical controls rather than physical access controls.
