Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN

From Traditional Security

Part of Sensitive Item Control - Keys, Locks and Access Cards

Associated with IA controls: PESS-1, PEPF-1

SV-42940r2_rule Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN

Vulnerability discussion

Lack of an adequate key/credential/access device control could result in unauthorized personnel gainingaccess to the facility or systems with the intent to compromise classified information, stealequipment, or damage equipment or the facility.

Check content

Checks: 1. Check to ensure there are written procedures for the control of sensitive items such as keys, locks, badges and smart cards. 2. Check to verify the process is being followed and that it is effective. As a minimum, lock and key or access control systems (using coded access swipe/prox badges) require a key or credential inventory, issue records, and a procedure for returning the key or access control credential once the user no longer needs it. 3. Check to ensure a Key Control/Credential Officer and/or Key/Credential Custodians are appointed in writing to implement the system for controling keys, locks and access control credentials. 4. Check to ensure the Key/Credential Control Officer conducts at least an annual inventory/reconciliation of all keys/credentials issued and on-hand. 5. Check to ensure that all keys/credentials are also inventoried upon change of Key/Credential Control Officer or Key/Credential Custodian. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix text

Fixes: 1. Ensure there are written procedures for the control of sensitive items such as keys, locks, badges and smart cards. 2. Verify the process for controlling keys/locks and credentials is being followed and that it is effective. As a minimum, lock and key or access control systems (using coded access swipe/prox badges) require a key or credential inventory, issue records, and a procedure for returning the key or access control credential once the user no longer needs it. 3. Ensure a Key Control/Credential Officer and/or Key/Credential Custodians are appointed in writing to implement the system for controling keys, locks and access control credentials. 4. Ensure the Key/Credential Control Officer conducts at least an annual inventory/reconciliation of all keys/credentials issued and on-hand. 5. Ensure that all keys/credentials are also inventoried upon change of Key/Credential Control Officer or Key/Credential Custodian.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer