For background, the FFIEC is the Federal Financial Institutions Examination Council. It is a formal organization...
of the United States government that regulates and oversees financial institutions.
Don't forget the FFIEC security guidelines only apply to customer non-public personal information.
In the FFIEC IT Examination Handbook (.pdf), dated July 2006, there is an explicit statement regarding physical access to secured areas:
"The employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Security guards should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises". (Pages 52-55)
Therefore, based on the above quote from the Examination Handbook, it is necessary to keep physical security logs of visitors who enter secured areas . However, if you are using a badge system to include requiring a key card to enter the facility, then you can configure the key card access control system to maintain a log of those who have accessed a room. Keeping accurate logs, though, would require that there be no piggybacking : that each person entering a room or zone must card only for him or herself -- not holding the door for anyone else -- and thus be logged electronically. This requirement can be included in your security policy and be enforced with a guard or video camera.
Dig Deeper on Security audit, compliance and standards
Related Q&A from Ernie Hayden
Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues. Continue Reading
Which will be more likely to further your infosec career: A certification, or an advanced degree? Expert Ernie Hayden weighs in. Continue Reading
While employee termination may be necessary in cases of insecure conduct, most employees are more encouraged by the carrot than the stick when it ... Continue Reading