For background, the FFIEC is the Federal Financial Institutions Examination Council. It is a formal organization of the United States government that regulates and oversees financial institutions.
Don't forget the FFIEC security guidelines only apply to customer non-public personal information.
In the FFIEC IT Examination Handbook (.pdf), dated July 2006, there is an explicit statement regarding physical access to secured areas:
"The employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Security guards should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises." (Pages 52-55)
Therefore, based on the above quote from the Examination Handbook, it is necessary to keep physical security logs of visitors who enter secured areas. However, if you use a badge system that requires a key card to enter the facility, you can configure the key card access control system to maintain a log of those who have accessed a room. Keeping accurate logs, though, requires that there be no piggybacking: each person entering a room or zone must card in only for himself or herself, not holding the door for anyone else, and thus be logged electronically. This requirement can be included in your security policy and enforced with a guard or video camera.
This was first published in May 2010