Guards, CCTV, Alarms, and Logs

Key Takeaways

  • Guards provide human judgment, deterrence, verification, and response that devices cannot.
  • CCTV supports monitoring and investigation but does not by itself prevent entry.
  • Alarms (door-forced, door-held, motion, glass-break, environmental) are useful only if someone responds.
  • Time synchronization lets investigators correlate camera, badge, alarm, and IT logs into one timeline.
  • Physical monitoring is strongest when guards, cameras, alarms, and logs are correlated, not isolated.

Last updated: June 2026

Monitoring Physical Access

Physical access controls are stronger when they can be monitored and reviewed. A locked door is useful; a locked door with a badge reader, alarm, camera, and a defined response process is far stronger. Monitoring answers the basic incident questions: Who entered, when, where, was it authorized, was the door forced or propped, and did the person match the credential used?

Guards

Security guards supply judgment that devices cannot. A guard compares a badge photo to a face, challenges an unknown person, directs visitors, observes behavior, and calls for help. Guards also make mistakes, so they need post orders, training, and escalation paths defining what to do when a delivery arrives without an appointment, a badge does not match a person, or an employee tries to bring a visitor into a restricted area.

Depending on the moment, a guard can be deterrent (visible presence), preventive (challenging at a door), detective (noticing someone slip through an emergency exit), or responsive (calling facilities after an alarm). The same control can fill a different role depending on the scenario, which is exactly what exam items probe.

Guards also raise a control concept worth naming: two-person control (also called the two-person rule or dual control). For the most sensitive areas, such as a vault or a key-storage cage, policy may require two authorized people to be present, so neither can act alone and collusion is harder. A single guard at a normal door is not two-person control; the term specifically means two people are mandatory for the action. Examiners use this to test whether you can separate a generic guard from a structured control requirement.

CCTV

CCTV (closed-circuit television) provides visual monitoring or recording at entrances, exits, loading docks, parking areas, server-room doors, and cash-handling points. CCTV is fundamentally a detective control: it does not stop entry unless paired with response. A camera nobody watches, with footage overwritten in an hour, gives almost no investigative value. Strong programs plan:

CCTV factor             Why it matters
Field of view           Captures the door and faces, not a wall
Lighting                Footage is useless in the dark
Retention               Long enough to investigate after discovery
Time synchronization    Lets footage match badge and IT logs
Access to recordings    Restricted so footage is not tampered with
Privacy                 Avoid recording restrooms or off-limits areas

Alarms

Alarms signal that attention is needed. Common physical alarm types:

  • Door-forced: a door opened without normal credential use.
  • Door-held / door-prop: a door stayed open beyond a set threshold.
  • Motion: movement in a protected zone after hours.
  • Glass-break: shattering glass at a window or display.
  • Environmental: smoke, water, temperature, or humidity threatening equipment availability.

An alarm only helps if someone receives, understands, and responds to it. A door-held alarm everyone ignores becomes background noise; teams must tune thresholds, fix root causes, and document response.

Two alarm tuning errors appear on the exam. A false positive (false alarm) fires when nothing real happened, such as a motion sensor triggered by a curtain or a stray cat; too many cause alarm fatigue and slow real response. A false negative is worse: a real event that the alarm misses entirely, such as a sensor with too high a threshold that ignores a slowly opened door. Good programs balance sensitivity so genuine events are caught without flooding responders with noise.

Environmental alarms tie directly to availability, the third pillar of the CIA triad: a humidity or temperature alarm that detects a failing cooling unit protects uptime as much as any anti-theft control.

Logs and Correlation

Physical logs include badge events, visitor sign-ins, guard logs, delivery records, alarm records, camera-access records, and maintenance entries. During investigation these correlate with logical logs. If an admin account changed a firewall rule at 2:10 a.m., badge logs and CCTV can show whether the admin was physically on site or whether the credential was used remotely. This correlation only works when clocks agree, which is why time synchronization is repeatedly emphasized.

Scenario: Server Room Door Alarm

At 11:47 p.m. a door-held alarm triggers for the server room. Badge logs show an authorized facilities employee entered at 11:43 p.m. CCTV shows them propping the door while carrying tools. The guard log shows no scheduled maintenance. This could be a policy violation, a misunderstanding, or malicious activity. The response: verify the person's identity, confirm whether the work was approved, close the door, document the event, and escalate if anything is missing or damaged. Notice how three records (alarm, badge, video) combined to establish identity, time, and authorization.

A single record would have been ambiguous. The badge log alone shows an authorized entry and looks routine. The alarm alone shows a held door but not who or why. The camera alone shows a person with tools but not whether they badged in legitimately. Only correlation across all three, anchored by synchronized timestamps, turns scattered events into a defensible timeline. This is the recurring lesson of the section: monitoring controls are evidence sources whose value multiplies when combined, and the right exam answer rarely depends on one device in isolation.
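
The correlation described under Logs and Correlation and worked through in the server-room scenario can be sketched in code. This is an added example, not part of the original page; the record layout, source names, user ID, date, and the 6-minute camera clock error are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on the server-room scenario; every
# source name, field and clock offset below is an assumption for illustration.
CLOCK_OFFSET = {"badge": timedelta(0), "alarm": timedelta(0),
                "cctv": timedelta(minutes=-6)}   # camera clock runs 6 min slow
EVENTS = [
    ("badge", "2026-06-01 23:43:10", "server-room", "badge_in user=facilities-017"),
    ("cctv",  "2026-06-01 23:38:05", "server-room", "person props door, carrying tools"),
    ("alarm", "2026-06-01 23:47:00", "server-room", "door_held"),
    ("badge", "2026-06-01 23:20:41", "lobby",       "badge_in user=facilities-017"),
]
APPROVED_MAINTENANCE = []   # guard log: nothing scheduled for this door tonight

def normalize(events, offsets):
    """Convert each source's local clock reading to reference time and sort."""
    out = []
    for source, stamp, door, detail in events:
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S") - offsets[source]
        out.append({"time": t, "source": source, "door": door, "detail": detail})
    return sorted(out, key=lambda e: e["time"])

def correlate_door_held(timeline, window=timedelta(minutes=5)):
    """For each door-held alarm, gather same-door records from other sources
    inside the preceding window and decide how the event should be handled."""
    findings = []
    for alarm in (e for e in timeline if e["detail"] == "door_held"):
        nearby = [e for e in timeline if e["door"] == alarm["door"]
                  and e["source"] != "alarm"
                  and timedelta(0) <= alarm["time"] - e["time"] <= window]
        sources = {e["source"] for e in nearby}
        # Most recent badge-in at this door before the alarm, if any.
        badge = next((e["detail"].split("user=")[1] for e in reversed(nearby)
                      if e["source"] == "badge"), None)
        approved = alarm["door"] in APPROVED_MAINTENANCE
        if badge is None:
            action = "dispatch: held door with no credential on record"
        elif not approved:
            action = "verify identity and work approval, close door, document"
        else:
            action = "log only: approved maintenance"
        findings.append({"door": alarm["door"], "badge": badge,
                         "video": "cctv" in sources, "action": action})
    return findings

if __name__ == "__main__":
    print(correlate_door_held(normalize(EVENTS, CLOCK_OFFSET)))
```

With the camera offset applied, the footage lands between the badge-in and the alarm. With all offsets set to zero, the same footage falls outside the window and the alarm is left without video corroboration.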

Exam Focus

Do not treat monitoring tools as magic. CCTV, alarms, and logs produce information; guards and response procedures turn information into action. The strongest answer usually correlates multiple records to establish identity, authorization, time, and location rather than relying on one device alone.

Test Your Knowledge

Why does the CC exam stress time synchronization across CCTV, badge readers, and IT systems?

Test Your Knowledge

A door-held alarm is firing repeatedly every day and staff have learned to ignore it. What is the core problem?

Test Your Knowledge

CCTV records a server-room door, but no one monitors alerts and footage is overwritten after one hour. Which statement is most accurate?
