Lock Type | Physical Security Requirement | Additional SRA Requirements |
Mechanical Key |
- All keys must be tracked in a log.
- Change locks if key is lost or compromised.
- All keys must be returned when people quit or are terminated.
- Log access and retain for 3 years.
- If the key is secured in a key box, the key box key must meet the requirements above.
|
- All personnel with access to the key must have SRAs.
- If in a key box, all personnel with access to the key box key must have an SRA.
- If there is no IDS, the following people must have SRAs:
  - All personnel with access to a master key.
  - All personnel with access to a facility or building grand master.
  - Entity locksmiths if they have or can make the key and the key can be traced to the door.
|
Cipher Key/Combination Lock |
- Change the code or lock when personnel quit or are terminated. Changes must be reflected in a log.
- Change the code or lock in the event of compromise.
- Log access to registered areas and retain access records for 3 years.
|
- All personnel with the code/combination or access to the code/combination must have SRAs.
- If there is no IDS, the following people must have SRAs:
  - All personnel who can change the code.
|
Card Key |
- Maintain electronic or physical logs of access to registered areas for 3 years.
- The log should be capable of being printed.
- The access control network must meet the information security requirements.
|
- All personnel with a card key that can open the door (includes facility-wide keys).
|
Card Key + PIN |
- Maintain electronic logs of access for 3 years.
- The access control network must meet the information security requirements.
|
- No additional requirement
|
Biometrics |
- Maintain electronic logs of access for 3 years.
- The access control network must meet the information security requirements.
|
- No additional requirement
|
Multiple kinds of access control (e.g., Card Key and Mechanical Lock on same door) |
- All the requirements for each type of access control system, when or if used.
|
- All the SRA requirements for both systems, unless use of the access control device triggers the IDS (use of a mechanical key in a card-key door will often trigger a ‘forced door’ alarm, the same alarm raised if someone broke the door down).
|
Remote opening (e.g., someone ‘buzzes’ a person in) |
- Maintain electronic logs of access for 3 years.
- The access control network must meet the information security requirements.
|
- No additional requirement
|
“Emergency” card key kept with First Responders |
- Log of access.
- Inventory of key.
- Notification of the RO and FSAP in the event of its use.
|
- No SRA requirement for first responders
|
Emergency mechanical key or Card-Key in Knox Box (key stored in secured ‘box’ only accessible to first responders) |
- Maintain electronic logs of access for 3 years.
- Notification of the RO and FSAP in the event of its use.
|
- No SRA requirement for first responders
|