For background, the FFIEC is the Federal Financial Institutions Examination Council. It is a formal organization...
of the United States government that regulates and oversees financial institutions.
Don't forget the FFIEC security guidelines only apply to customer non-public personal information.
In the FFIEC IT Examination Handbook (.pdf), dated July 2006, there is an explicit statement regarding physical access to secured areas:
"The employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Security guards should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises". (Pages 52-55)
Therefore, based on the above quote from the Examination Handbook, it is necessary to keep physical security logs of visitors who enter secured areas . However, if you are using a badge system to include requiring a key card to enter the facility, then you can configure the key card access control system to maintain a log of those who have accessed a room. Keeping accurate logs, though, would require that there be no piggybacking : that each person entering a room or zone must card only for him or herself -- not holding the door for anyone else -- and thus be logged electronically. This requirement can be included in your security policy and be enforced with a guard or video camera.
Dig Deeper on Security audit, compliance and standards
Related Q&A from Ernie Hayden
In this Ask the Expert video, Ernie Hayden answers the question of what 'big data' is and outlines big data security issues in this video. Continue Reading
Every firm needs a security conscience, according to expert Ernie Hayden, who says it is critical among key CISO responsibilities. Continue Reading
Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.