§164.310(a)(2)(iii): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision

Audit Inquiry

Does the entity have policies and procedures in place for controlling a person’s access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision?

Does the entity control a person’s access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision?

Obtain and review procedures related to access control and validation. Evaluate the content in relation to the specified performance criteria for controlling a person’s facility access including workforce members, contractors, visitors and probationary employees.

Elements to review may include but are not limited to:
• Methods for controlling and validating an employee’s access to the facility
• Workforce members’ roles and responsibilities in the access control and validation process
• Frequency of reviewing lists of individuals with physical access to sensitive facilities
• Methods to control visitors’ physical access to facilities

Obtain and review documentation demonstrating the control of visitors’ physical access to facilities. Evaluate and determine whether the physical controls identify visitors attempting to access the facility, prevent entry by unauthorized visitors, and grant access to authorized visitors.

Obtain and review documentation demonstrating control of access to software programs for modification and revision. Evaluate and determine whether authorized individuals, roles, or job functions are identified and validated before access to the software program is granted, and whether this is done in accordance with applicable procedures.

Obtain and review documentation demonstrating facility and software access control and validation procedures are implemented.

Evaluate and determine whether the safeguards implemented, taken as a whole, control access to the facility’s physical environment by validating an individual’s role or function before granting physical access to the facility or access to software programs, and whether they deter and prevent unauthorized access to the facility or software in accordance with applicable policies and procedures.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.

Required/Addressable

Addressable