Personnel and Physical Security Program Controls
Key Takeaways
- Personnel security controls manage risk before, during, and after a working relationship, whether the worker is an employee, a contractor, or a temporary staff member.
- Common controls include background checks where allowed, onboarding, acceptable use, separation of duties, job rotation, mandatory vacation, and termination procedures.
- Physical controls protect facilities, equipment, records, and people from unauthorized access or environmental risk.
- Badge logs, visitor records, camera footage, lock records, and access reviews can support investigations and audits.
- Physical and personnel controls should be coordinated with IAM, incident response, privacy, and legal requirements.
Security programs include people and facilities, not only networks and software. A person with the wrong access can approve fraudulent payments. A visitor in the wrong room can photograph equipment. A terminated contractor with an active badge can enter a site after hours. Personnel and physical controls reduce these risks.
Personnel Security Controls
| Control | Purpose | Scenario |
|---|---|---|
| Background check | Evaluate risk before hiring where allowed | Screen a privileged finance administrator according to law and policy |
| Onboarding | Train and provision access correctly | New analyst signs acceptable use and receives least-privilege access |
| Acceptable use policy | Define permitted technology use | Users agree not to bypass security controls |
| Separation of duties | Prevent one person from controlling a full risky process | One user creates vendors, another approves payments |
| Job rotation | Move duties periodically to reduce hidden fraud or single-person dependency | Backup administrator rotates into change review duties |
| Mandatory vacation | Require time away so concealed issues may surface | Trader or payment approver cannot avoid review indefinitely |
| Termination process | Remove access and recover assets | Disable SSO, revoke badge, collect laptop, preserve records |
Separation of duties is common in exam scenarios. If the same person can create a supplier, approve that supplier, and release payment, fraud may go undetected. The better control splits responsibility or adds independent approval.
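The vendor-creation, vendor-approval and payment-release split described above can be checked mechanically against role assignments. The following is an added example, not code from the original page: the duty names, the conflicting-duty matrix, the role definitions and the user list are all constructed sample data. It evaluates conflicts on a user's effective duties, so it catches both a single over-broad role and two individually harmless roles that conflict in combination.

```python
"""Separation-of-duties (SoD) check over role assignments.

Added example, not part of the original page. Duty names, the conflict
matrix, role definitions and user assignments below are constructed sample
data that mirror the vendor/payment scenario in the text.
"""

# Duty pairs one person should not hold together (constructed policy).
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_vendor"}),
    frozenset({"approve_vendor", "release_payment"}),
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"request_change", "approve_change"}),
}

# Role -> duties that the role grants (constructed).
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor"},
    "ap_manager": {"approve_vendor"},
    "treasury": {"release_payment"},
    "finance_admin": {"create_vendor", "approve_vendor", "release_payment"},
    "developer": {"request_change"},
    "change_board": {"approve_change"},
}

# User -> assigned roles (constructed).
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager"],
    "carol": ["treasury"],
    "dave": ["finance_admin"],            # one over-broad role
    "erin": ["ap_clerk", "treasury"],     # two roles that conflict only in combination
    "frank": ["developer", "change_board"],
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by all of a user's roles."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles, role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Return {user: [sorted conflicting duty pair, ...]} for users holding toxic combinations.

    Conflicts are evaluated on effective duties, so the check does not care whether
    the combination comes from one role or from several.
    """
    findings = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        pairs = [tuple(sorted(pair)) for pair in conflicts if pair <= duties]
        if pairs:
            findings[user] = sorted(pairs)
    return findings


def conflict_sources(roles, pair, role_duties=ROLE_DUTIES):
    """Map each duty in a conflicting pair to the user's roles that grant it.

    This tells an access reviewer which role to remove or split to clear the finding.
    """
    return {
        duty: sorted(r for r in roles if duty in role_duties.get(r, set()))
        for duty in pair
    }


if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES).items():
        for pair in pairs:
            sources = conflict_sources(USER_ROLES[user], pair)
            print(f"{user}: {pair[0]} + {pair[1]} granted via {sources}")
```

In practice the three inputs would come from the ERP or IdP export, the HR system, and the written SoD policy; the review output is then a list of users and the specific role to remove, or the compensating independent approval to add.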
Physical Security Controls
| Control | Purpose | Evidence example |
|---|---|---|
| Badge access | Restrict entry by person, area, and time | Badge logs showing entry attempts |
| Visitor management | Track and escort nonemployees | Visitor sign-in record and host approval |
| Cameras | Deter and investigate activity | Video clip tied to incident time |
| Locks and mantraps | Prevent unauthorized entry | Door access report and maintenance record |
| Security guards | Enforce entry procedures | Guard incident report |
| Asset inventory | Track equipment custody | Laptop assignment and return record |
| Environmental controls | Protect systems from power, heat, water, and fire | UPS test and temperature alert logs |
Physical controls should match the area. A public lobby, general office floor, server room, and evidence storage closet should not all have the same access rules.
Scenario
A contractor finishes a data center cabling project on Friday. The project manager submits the closeout ticket, but the contractor badge remains active. On Sunday night, the badge is used to enter the building. Camera footage shows another person using it. The badge system, visitor log, project record, and camera footage become investigation evidence.
The corrective action is not limited to replacing the badge. The organization updates offboarding so contractor end dates automatically trigger badge deactivation, sponsor confirmation, equipment return, and review of any shared access codes.
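The offboarding reconciliation implied by this scenario can be run as a periodic check that joins the HR or vendor-management end date against the identity provider, the badge system, the asset register, the shared-code register and the badge event log. The following is an added example, not code from the original page: every feed, worker id, door name, asset tag and timestamp is constructed sample data shaped like the scenario (project closed Friday, badge used Sunday night).

```python
"""Offboarding reconciliation: find workers whose relationship has ended but
whose access, equipment or shared codes have not been cleaned up.

Added example, not part of the original page. The feed layouts, worker ids,
doors, asset tags and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR / vendor-management feed: worker id -> (type, end date or None)
WORKERS = {
    "w-001": ("employee", None),
    "c-1042": ("contractor", date(2024, 5, 3)),   # cabling project closed Friday
    "c-1077": ("contractor", date(2024, 5, 10)),  # still under contract
}
# Constructed identity-provider export: worker id -> SSO account enabled?
SSO_STATUS = {"w-001": True, "c-1042": False, "c-1077": True}
# Constructed badge-system export: worker id -> badge active?
BADGE_STATUS = {"w-001": True, "c-1042": True, "c-1077": True}
# Constructed asset register: worker id -> assets still checked out
ASSETS_OUT = {"w-001": ["LT-0310"], "c-1042": ["LT-0455", "KEY-DC2"], "c-1077": []}
# Constructed register of shared door codes: code name -> workers who know it
SHARED_CODES = {"DC2-cage-A": {"w-001", "c-1042"}, "loading-dock": {"w-001"}}
# Constructed badge event log: "timestamp,worker_id,door,result"
BADGE_EVENTS = """\
2024-05-03T16:55:12,c-1042,DC2-main,granted
2024-05-05T23:40:07,c-1042,lobby-east,granted
2024-05-05T23:41:30,c-1042,DC2-main,granted
2024-05-06T08:02:11,w-001,lobby-east,granted
"""


@dataclass
class Finding:
    worker_id: str
    issue: str
    detail: str = ""


def parse_badge_events(text):
    """Parse the constructed CSV-style badge log into (datetime, worker, door, result)."""
    events = []
    for line in text.strip().splitlines():
        ts, worker, door, result = line.split(",")
        events.append((datetime.fromisoformat(ts), worker, door, result))
    return events


def reconcile(as_of_iso, workers=WORKERS, sso=SSO_STATUS, badges=BADGE_STATUS,
              assets=ASSETS_OUT, shared=SHARED_CODES, badge_log=BADGE_EVENTS):
    """Return findings for every worker whose end date is on or before as_of_iso."""
    as_of = date.fromisoformat(as_of_iso)
    events = parse_badge_events(badge_log)
    findings = []
    for wid, (kind, end) in workers.items():
        if end is None or end > as_of:
            continue  # relationship still active, nothing to reconcile
        if sso.get(wid, False):
            findings.append(Finding(wid, "sso_active", f"{kind} ended {end}"))
        if badges.get(wid, False):
            findings.append(Finding(wid, "badge_active", f"{kind} ended {end}"))
        for ts, who, door, result in events:
            # Use on the last day is normal; any granted entry after the end date is suspect.
            if who == wid and ts.date() > end and result == "granted":
                findings.append(Finding(wid, "badge_used_after_end", f"{ts.isoformat()} {door}"))
        if assets.get(wid):
            findings.append(Finding(wid, "assets_unreturned", ",".join(assets[wid])))
        for code, holders in shared.items():
            if wid in holders:
                findings.append(Finding(wid, "shared_code_rotate", code))
    return findings


if __name__ == "__main__":
    for f in reconcile("2024-05-06"):
        print(f"{f.worker_id}: {f.issue} {f.detail}")
```

Running the check for the Monday after the project closed flags the still-active badge, the two Sunday-night entries, the unreturned laptop and cage key, and the shared cage code that now needs rotating, while the SSO account correctly shows no finding because it was already disabled. The same job can be scheduled to run from the end date forward, which is the automation the corrective action above calls for.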
Compliance and Privacy Considerations
Personnel and physical controls may involve sensitive personal data, such as background screening results, badge logs, camera footage, and disciplinary records. Access to that evidence should be limited to approved purposes. Retention should follow policy and legal requirements. Monitoring notices may be required depending on jurisdiction and workplace policy.
Common Traps
- Disabling network access but leaving building access active.
- Using shared door codes that cannot identify a person.
- Letting visitors move unescorted in restricted areas.
- Keeping camera footage longer than necessary without a retention purpose.
- Combining conflicting duties in one role.
- Forgetting contractors, temporary workers, and service technicians in onboarding and offboarding workflows.
Practice Questions
- One employee can create vendors, approve vendor changes, and release payments. Which control best reduces this risk?
- A contractor project ends, but the contractor badge remains active for two weeks. What control failed?
- Which items can be useful physical security evidence during an investigation? Select three.