§164.310(a)(2)(iv): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Audit Inquiry
Does the entity have policies and procedures in place to document repairs and modifications to the physical components of a facility which are related to security?
Does the entity document repairs and modifications to the physical components of a facility which are related to security?
Obtain and review such policies and procedures related to maintaining maintenance records. Evaluate the content in relation to the specified performance criteria for documenting repairs and modifications to the physical components of a facility related to security.
Elements to review but are not limited to:
• Workforce members’ roles and responsibilities in repairs and modification to the physical components
• Record keeping process of repairs and modification to the physical components
• Specification of when repairs or modification of physical security components are required
• Authorization process of repairs or modification of physical security components
Obtain and review documentation demonstrating records of repairs and modifications to physical security components. Evaluate and determine if records of repairs and modifications are being tracked and reviewed on periodic basis by authorized personnel.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Required/Addressable
Addressable