Personnel and Physical Security Program Controls

Key Takeaways

  • Personnel controls manage risk before, during, and after the worker relationship: screening, onboarding, acceptable use, separation of duties, job rotation, mandatory vacation, and termination.
  • Separation of duties splits a risky process across people; least privilege and dual control add independent approval to high-value actions.
  • Physical controls protect facilities, equipment, records, and people through badges, visitor management, cameras, locks/mantraps, guards, and environmental controls.
  • Badge logs, visitor records, camera footage, lock reports, and access reviews provide investigation and audit evidence.
  • Offboarding must remove logical AND physical access together; orphaned badges and shared door codes are classic gaps the exam tests.
Last updated: June 2026

People and Facilities Are In Scope

Security programs cover people and buildings, not just networks and software. A person with the wrong access can approve fraudulent payments; a visitor in the wrong room can photograph equipment; a terminated contractor with a live badge can enter after hours. Personnel and physical controls reduce these risks across the full worker lifecycle: pre-employment, employment, and post-employment.

Personnel Security Controls

Control | Purpose | Scenario
Background check | Evaluate risk before hire, where law allows | Screen a privileged finance administrator
Onboarding | Train and provision correctly | New analyst signs AUP, gets least-privilege access
Acceptable use policy (AUP) | Define permitted technology use | Users agree not to bypass controls
Non-disclosure agreement (NDA) | Protect confidential data | Contractor signs NDA before site access
Separation of duties | Stop one person controlling a full risky process | One user creates vendors, another approves payments
Least privilege | Grant only what the role needs | Help desk cannot edit payroll banking
Job rotation | Rotate duties to expose hidden fraud | Backup admin rotates into change review
Mandatory vacation | Force time away so concealment surfaces | A payment approver cannot avoid review indefinitely
Termination process | Remove access, recover assets | Disable SSO, revoke badge, collect laptop, preserve records

Separation of duties is heavily tested. If one person can create a supplier, approve that supplier, and release payment, fraud can go undetected. The fix splits responsibility or adds independent (dual) approval. Job rotation and mandatory vacation are detective controls — they surface schemes that depend on one person continuously hiding activity, because a substitute performing the duties will notice irregularities.

Distinguish these on the exam: least privilege limits how much access a person has, separation of duties prevents one person from holding conflicting duties, and dual control (or two-person integrity) requires two people to act together for a single high-value transaction such as a wire transfer or a vault opening.
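The distinction between separation of duties and dual control, as an added example that is not part of the original page: a toxic-combination check over the vendor-payment duties described above, plus a payment release that requires two distinct approvers above a threshold. Duty names, the conflict pairs, the threshold and the sample assignments are constructed for illustration.

```python
# Added example (not from the original page): a minimal separation-of-duties
# and dual-control check over the vendor-payment process described above.
# Duty names, the toxic-pair list and the sample assignments are constructed.
from itertools import combinations

# Duty pairs that no single identity may hold together.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_vendor"}),
    frozenset({"approve_vendor", "release_payment"}),
    frozenset({"create_vendor", "release_payment"}),
}

def sod_violations(assignments):
    """Return {user: [conflicting duty pairs]} for every user whose granted
    duties include a toxic combination. assignments maps user -> set(duties)."""
    findings = {}
    for user, duties in assignments.items():
        bad = [p for p in combinations(sorted(duties), 2)
               if frozenset(p) in CONFLICTING_DUTIES]
        if bad:
            findings[user] = bad
    return findings

def release_payment(payment, approvers, threshold=10_000):
    """Dual control: a payment at or above the threshold needs two distinct
    approvers, and the requester is never counted as one of them."""
    distinct = set(approvers) - {payment["requested_by"]}
    needed = 2 if payment["amount"] >= threshold else 1
    return len(distinct) >= needed

# Constructed sample: alice holds the whole process; bob, carol and dave split it.
ASSIGNMENTS = {
    "alice": {"create_vendor", "approve_vendor", "release_payment"},
    "bob": {"create_vendor"},
    "carol": {"approve_vendor"},
    "dave": {"release_payment"},
}

if __name__ == "__main__":
    print(sod_violations(ASSIGNMENTS))               # only alice is flagged
    wire = {"requested_by": "bob", "amount": 25_000}
    print(release_payment(wire, ["carol", "bob"]))   # False: bob cannot self-approve
    print(release_payment(wire, ["carol", "dave"]))  # True
```

Running the conflict check against an export of real role assignments is the recurring access recertification the text mentions; the dual-control rule is what the exam calls two-person integrity.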

The worker lifecycle frames the rest. Pre-employment controls include screening and signing the AUP and NDA. During employment, recurring access recertification, security training, and a clear insider-threat reporting channel keep risk in check. Post-employment controls — the termination/offboarding workflow — must execute quickly and completely, ideally automated from the HR system so that an end date triggers identity disablement, badge revocation, asset recovery, and a knowledge-transfer/exit interview. A friendly resignation and a hostile termination may follow different timelines, but both must remove access.

Physical Security Controls

Control | Type | Evidence example
Badge / access control | Preventive | Badge logs of entry attempts
Visitor management | Preventive/detective | Sign-in record and host approval
Cameras (CCTV) | Deterrent/detective | Video clip tied to incident time
Locks and mantraps/access vestibules | Preventive | Door access report, maintenance record
Security guards | Preventive/deterrent | Guard incident report
Asset inventory | Detective | Laptop assignment and return record
Environmental (HVAC, fire suppression, UPS) | Compensating | UPS test logs, temperature alerts

A mantrap (access vestibule) uses two interlocking doors to stop tailgating/piggybacking — only one person passes per authentication. Controls should match the area: a public lobby, an office floor, a server room, and an evidence-storage closet should not share the same access rules. Layered physical defense is sometimes taught as deter, deny, detect, delay, respond — fences and signage deter, locks and barriers deny and delay, cameras and sensors detect, and guards respond.

SY0-701 also expects familiarity with sensors (motion, infrared, pressure, microwave), bollards to stop vehicle ramming, proper lighting as a deterrent, and fencing rated by height and gauge.

Environmental and detective physical controls round out the domain. A server room needs HVAC for temperature and humidity, fire suppression (clean-agent rather than water in equipment rooms), uninterruptible power supplies (UPS) and generators, and water/leak sensors. Faraday cages and screened rooms block electromagnetic emanations for the most sensitive areas.

Each control produces evidence — UPS self-test logs, temperature-alert history, fire-system inspection records — that an auditor or investigator can later request, which is why physical security must coordinate with the IAM, incident response, privacy, and legal functions rather than operate in a silo.

Scenario

A contractor finishes a data-center cabling project on Friday. The project manager closes the ticket, but the contractor badge stays active. On Sunday night the badge enters the building — and camera footage shows a different person using it. The badge system, visitor log, project record, and footage become investigation evidence.

The corrective action is not just reissuing a badge. The organization updates offboarding so a contractor end date automatically triggers badge deactivation, sponsor confirmation, equipment return, and a review of any shared door codes the contractor knew.
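The offboarding audit that the lifecycle paragraph and this scenario both call for, as an added example that is not part of the original page: it checks logical (SSO) and physical (badge) access together for every worker past their end date, and scans badge log lines for use after that date, which is how the contractor badge above would have been caught. The HR feed, access states, badge log lines and field names are constructed samples.

```python
# Added example (not from the original page): an offboarding audit that checks
# logical and physical access together and flags badge use after a worker's
# end date. HR records, access states and badge log lines are constructed.
from datetime import datetime

# Constructed HR feed: worker id -> (worker type, end date or None if active).
HR = {
    "c-1042": ("contractor", "2026-06-05"),
    "e-0077": ("employee", None),
    "e-0301": ("employee", "2026-06-01"),
}
# Constructed access state exported from SSO and from the badge system.
SSO_ENABLED = {"c-1042": False, "e-0077": True, "e-0301": True}
BADGE_ACTIVE = {"c-1042": True, "e-0077": True, "e-0301": False}

# Constructed badge log lines: ISO timestamp, badge holder id, door, result.
BADGE_LOG = """\
2026-06-05T16:02:11 c-1042 DC-EAST GRANTED
2026-06-07T23:41:05 c-1042 DC-EAST GRANTED
2026-06-08T08:15:40 e-0077 LOBBY GRANTED
2026-06-08T08:16:02 e-0301 LOBBY DENIED
"""

def offboarding_gaps(hr, sso, badge, as_of):
    """Workers whose end date is on or before as_of (ISO date string) and who
    still hold any access, listing which access is live so the classic gap
    'network off, building still on' and its mirror image both surface."""
    cutoff = datetime.fromisoformat(as_of)
    gaps = {}
    for wid, (_kind, end) in hr.items():
        if end is None or datetime.fromisoformat(end) > cutoff:
            continue
        live = [name for name, state in (("sso", sso), ("badge", badge)) if state.get(wid)]
        if live:
            gaps[wid] = live
    return gaps

def post_end_date_badge_use(hr, log):
    """Badge log entries, granted or denied, by workers after their end date."""
    hits = []
    for line in log.splitlines():
        ts, wid, door, result = line.split()
        end = hr.get(wid, (None, None))[1]
        if end and datetime.fromisoformat(ts) > datetime.fromisoformat(end + "T23:59:59"):
            hits.append((wid, ts, door, result))
    return hits

if __name__ == "__main__":
    print(offboarding_gaps(HR, SSO_ENABLED, BADGE_ACTIVE, "2026-06-08"))
    print(post_end_date_badge_use(HR, BADGE_LOG))
```

Denied attempts are kept on purpose: a deactivated badge that keeps being presented is itself evidence worth a visitor-log and footage check.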

Privacy and Common Traps

These controls handle sensitive personal data — screening results, badge logs, footage, disciplinary records. Limit access to approved purposes, retain per policy and law, and post monitoring notices where jurisdiction requires them.

  • Disabling network access but leaving building access active.
  • Shared door codes that cannot identify a person.
  • Letting visitors move unescorted in restricted areas.
  • Keeping footage past its retention purpose.
  • Combining conflicting duties in one role.
  • Forgetting contractors, temps, and service technicians in onboarding/offboarding.

Test Your Knowledge

  • One employee can create vendors, approve vendor changes, and release payments. Which control best reduces this fraud risk?
  • A contractor's project ends, but the contractor badge stays active for two weeks afterward. Which control most directly failed?
  • Which physical control uses two interlocking doors to ensure only one authenticated person enters at a time, preventing tailgating?