PHYSICAL ACCESS CONTROLS
CHAPTER 3 - PART 2
Advantages of electronic door locks over bolting
TOPICS COVERED
and combination locks:
● Physical Access Controls
● Auditing Physical Access
PHYSICAL ACCESS CONTROLS
INTRODUCTION
● Protection from unauthorized access
● Limit access to authorized individuals
● Explicit and implicit authorization
EXAMPLES OF PHYSICAL ACCESS CONTROLS
a) Bolting door locks
● Metal key; do not duplicate; strict
management control
● Require the traditional metal key to gain
entry. The key should be stamped “do not
duplicate” and should be stored and issued
under strict management control.
b) Combination door locks (cipher locks)
● Use a numeric keypad or dial to gain entry
and are often seen at airport gate entry
doors and smaller server rooms
● change combination; reduces risk of
combination being known
● The combination should be changed at
regular intervals or whenever an employee
with access is transferred, fired or subject
to disciplinary action.
● This reduces the risk of the combination
being known by unauthorized people.
● Example: Yung password sa UST dapat
palitan every term (regular intervals).
● Buburahin yung combi kapag umalis or
lumipat ng department yung employee.
Baka kasi may SoD issue.
c) Electronic door locks
● Card key or token and sensor reader
● Uses a special code to activate door
locking mechanism
● Use a magnetic or embedded chip-based
plastic card key or token entered into a
sensor reader to gain access.
● A special code stored in the card or token is
read by the sensor device that then
activates the door locking mechanism.
1) Card assignment to a specific (identifiable)
individual
2) Access restricted to individual’s unique access
needs
● Through the special internal code and
sensor devices, access can be restricted
based on the individual’s unique access
needs. Restrictions can be assigned to
particular doors or to particular hours of
the day.
3) Difficult to duplicate
4) Easy deactivation of card entry upon
employee termination or card stolen or lost
(silent or audible alarms; control card keys;
example is the swipe card with slotted
electronic device; for sensitive locations; logs
card users)
● If na terminate yung employee, aalisin yung
access niya.
● Kapag may card key na reported
loss/stolen, mag-aalarm yon. Pwede
malaman kung sino yung nag access.
● Swipe card - may magnetic chips
containing data.
○ For logging yung ID na tinatap sa
UST. More of detective control
● Silent or audible alarms can be automatically
activated if unauthorized entry is attempted.
● Issuing, accounting for and retrieving the card
keys is an administrative process that should
be carefully controlled.
● The card key is an important item to retrieve
when an employee leaves the firm.
● An example of a common technique used for
card entry is the swipe card.
○ A swipe card is a physical control
technique that uses a plastic card with a
magnetic strip containing encoded data to
provide access to restricted or secure
locations. The encoded data can be read
by a slotted electronic device.
■ Ex. Timezone
○ After a card has been swiped, the
application attached to the slotted
electronic device prevents unauthorized
physical access to those sensitive
locations, as well as logs all card users that
try to gain access to the secure location.
❖ Bolting door lock - metal key
❖ Combi door lock - may keypad
1
 Chapter 3: Physical Access Controls - Part 2

❖ Electronic door lock - May plastic card key or ● Logging is typically done at the front
token reception desk and entrance to the computer
room.
● Before gaining access, visitors should also be
Security Token
required to provide verification of
● Physical device (e.g. smart card)
identification such as a driver’s license or
● With something that a user knows (e.g. PIN)
vendor identification tag.
● Allows authorized access to a computer or
network
f) Electronic logging
● A feature of electronic and biometric
Administrative process for card keys of
security systems
electronics locks that should be controlled
○ Dapat hindi na-eedit
includes:
○ Example: pag tap ng card, ATM
a) Issuing of the card keys
● All access can be logged, with unsuccessful
b) Accounting for the card keys
attempts being highlighted.
c) Retrieval of the card keys

RECITATION QUESTION:
d) Biometric door locks
● Activated by an individual’s unique body
Question 1A: Identify the picture:
features; for extremely sensitive facilities
○ Can be voice, retina, finger print,
hand geometry, or signature
■ Ex. GCash, Touch ID
○ This system is used in instances when
extremely sensitive facilities must be
protected, such as in the military.

e) Manual logging
● Requires visitors to sign a log; at the
front reception desk or entrance; requires
providing verification of identification
Answer: combination door lock
○ Lahat ay galing sa manual bago
naging high tech
Question 1B: An advantage of electronic door
○ Important sa computer room. Hindi
locks over bolting and combination locks is:
dapat laging pumapasok yung
Answer:
programmers sa computer room.
1) Card assignment to a specific individual
○ Visitor’s should provide their
2) Access restricted to individual’s unique
identification upon entering.
access needs
○ Paglog ng attendance sa computer -
3) Difficult to duplicate
generally, manual logging siya kasi
4) Easy deactivation of card entry upon
may human intervention kahit nag
employee termination or card stolen or
iinput sa computer. Automated yung
lost
portion ng date and time.
○ Electronic kapag yung computer yung
gumawa without human intervention. g) Identification badges (photo IDs)
● Should be worn and display by all
personnel; different color; sophisticated
Important information in the visitor’s log
photo IDs; control issuing, accounting
1) Name of the visitor
and retrieving badges
2) Company represented
● Visitor badges should be a different color
3) Reason for visiting
from employee badges for easy
4) Person to see
identification.
5) Date and time of entry and exit
● Sophisticated photo IDs can also be
used as electronic card keys.

2
 Chapter 3: Physical Access Controls - Part 2
● Issuing, accounting for and retrieving
the badges is an administrative process
that must be carefully controlled.
h) Video cameras
● Including motion-activated models, should
be located at strategic points and
monitored by guards; retain recording
with sufficient resolution
● The video surveillance recording should be
retained for possible future playback, and
it should be recorded in sufficient
resolution to permit enlarging the image to
identify an intruder.
● Balance control and costs. Mas malaki
yung cost kapag matagal i-reretain yung
recording.
i) Security guards
● Very useful if supplemented by video
cameras and locked doors; bond for
guards supplied by external agency
● Guards supplied by an external agency
should be bonded to protect the
organization from loss.
Security guard agency bond
● Ensures the lawful and honest conduct of
the security guard agency in providing
security services to its clients
● Also a financial assurance that protects
clients from the dishonest acts of the
security guard agency and its personnel
j) Controlled visitor access
● All visitors escorted by responsible
employee; bonded personnel
● Visitors include friends, maintenance
personnel, computer vendors, consultants
Turnkey system
(unless long-term, in which case special
guest access may be provided) and
external auditors.
○ Maintenance - yung software galing sa
scratch, i-momodify mo siya at
ichechange
● All service contract personnel, such as
cleaning people and offsite storage
services, should be bonded personnel.
○ This does not improve physical
security but limits the financial
exposure of the organization.
k) Deadman doors
● Also referred to as a mantrap or airlock
entrance
● Use two doors in entries to facilities such
as computer rooms and high security
areas; reduces the risk of piggybacking;
use of a turnstile; may also be used for
delivery and dispatch areas
● For the second door to operate, the first
entry door must close and lock, with only
one person permitted in the holding area.
○ Only use one door at a time
● This reduces the risk of piggybacking,
when an unauthorized person follows an
authorized person through a secured entry.
● In some installations, this same effect is
accomplished through the use of a full
height turnstile.
○ Turnstile - Ex. yung nasa MRT or LRT
● Deadman doors may also be used for
delivery and dispatch areas where outer
doors open to admit a truck and the inner
doors cannot be opened to load or unload
until the outer doors are closed and
locked.
l) Computer workstation locks
● Secure the device to the desk to prevent
use; another feature is the use of a
turnkey or card key
● Secure the device to the desk, prevent the
computer from being turned on or
disengage keyboard recognition, thus
preventing use.
● Another available feature is locks that
prevent turning on a PC workstation until a
key lock is unlocked by a turnkey or card
key.
● This is sometimes seen in the case of
high-security workstations, such as those
that process payroll.
● Customized for a particular application
● Idea: users can just turn the key and the
system is ready go
● Includes all the hardware and software
necessary for a particular application
m) Controlled single-entry point
● Monitored by a receptionist
● Should be used by all incoming
personnel; unnecessary or unused entry
points should be eliminated
● Multiple entry points increase the risk of
unauthorized entry.
3
 Chapter 3: Physical Access Controls - Part 2
● Unnecessary or unused entry points, such
follows an authorized person through a secured
as doors to outside smoking or break
entry, this is known as:
areas, should be eliminated.
Answer: piggybacking
● Emergency exits can be wired to an
alarmed panic bar for quick evacuation.
n) Alarm system
● Should be linked to inactive entry points,
motion detectors, and the reverse flow of
enter- or exit-only doors
● Security personnel should be able to hear
the alarm when activated.
o) Secured report/document distribution carts
● Such as mail carts; should be covered,
locked and not left-unattended
p) Other physical controls on facilities
● On the computer room or information
processing facility
● Not be visible or identifiable from the
outside
● Discreet identification
● Use of reinforced glass and further
protection such as bars
● Facilities such as computer rooms should
not be visible or identifiable from the
outside; there should be no windows or
directional signs.
● The building or department directory
should discreetly identify only the
general location of the information
processing facility.
● If windows are present, they should be
constructed of reinforced glass and, if on
the ground floor of the building, further
protected for example, by bars.
RECITATION QUESTION:
Question 2A: Identify the picture:
Testing should go beyond the computer room to
include:
Answer: turnstile
Question 2B: When an unauthorized person
AUDITING PHYSICAL ACCESS
● Touring the computer site; provides
opportunity to begin review access
restrictions
● Include computer site and offsite storage
facilities
● Visual observation; Documents to help
includes:
○ Emergency evacuation procedures
○ Inspection tags
○ Fire suppression system test results
○ Key lock logs
● Touring the computer site is useful for the
auditor to gain an overall understanding and
perception of the installation being reviewed.
● As with environmental controls where the site
is owned by a third party, a contractual right
of audit may be required.
● This tour provides the opportunity to begin
reviewing physical access restrictions
(e.g., control over employees, visitors,
intruders and vendors).
● The computer site (i.e., computer room,
developers’ area, media storage, printer
stations and management offices) and any
offsite storage facilities should be included in
this tour.
● Much of the testing of physical safeguards
can be achieved by visually observing the
previously noted safeguards.
● Documents to assist with this effort
include emergency evacuation procedures,
inspection tags (recent inspection?), fire
suppression system test results
(successful? Recently tested?) and key lock
logs (all keys accounted for and not
outstanding to former employees or
consultants?).
● Location of all operator consoles
● Printer rooms
● Computer storage rooms
● UPS/generator
● Location of all communications equipment
identified on the network diagram
● Media storage
● Offsite backup storage facility
4
 Chapter 3: Physical Access Controls - Part 2

● To complete a thorough test, the IS auditor

should look above the ceiling panels and
below the raised floors in the computer
operations center observing smoke and water
detectors, general cleanliness, and walls that
extend all the way to the real ceiling (not just
the fake/suspended ceiling).
● For ground-floor computer room, the IS
auditor may consider walking around the
outside of the room viewing the location of any
windows, examining emergency exit doors for
evidence that they are routinely used (such as
the presence of cigarette stubs or litter) and
examining the air conditioning units.
● The IS auditor should consider if additional
threats exist close to the room such as storage
of dangerous or flammable material.

Paths of physical security to be evaluated:

● All entry doors
● Emergency exit doors
● Glass windows and walls
● Movable walls and modular cubicles
● Above suspended ceilings and beneath raised
floors
● Ventilation systems
● Over a curtain, fake wall

RECITATION QUESTION:

Question 3A: (identify the picture)

Answer: generator

Question 3B: An example of an evidence to look

for by an IS auditor when examining emergency
exit doors, if these are routinely used, is the
presence of:
Answer: cigarette stubs or litters