Episode 24 — Guard physical access to cardholder areas relentlessly

Entry control must pair technology with identity, and the pairing must be consistent across doors and times of day. Badges, biometrics, and monitored doors work when they link to a central identity system that records who entered, when, and through which portal, then enforces the same policy at the front door, the back hallway, and the equipment cage. As an assessor, you are not impressed by a fingerprint reader if it falls back to an unlogged key override or if lost badges are not promptly disabled, because gaps like those turn high-tech locks into a false sense of comfort. What convinces you is alignment: doors enrolled to the same directory as user accounts, badge events correlated with shift schedules, and alarms when a door stays open longer than policy allows. The right evidence is straightforward: policy exports, sample entry logs, and a simple narrative that shows how identity flows from hire to access and from termination to revocation without manual exceptions.

Inside the boundary, small surfaces matter because attackers love the quiet path. Securing consoles, ports, and cables is less about heavy locks and more about making tampering obvious and access predictable. Closed racks with keyed or coded doors, blanking panels for unused bays, disabled interfaces in device configurations, and tamper-evident indicators on exposed panels turn opportunistic access into a risky, noisy act. As an assessor, you look for consistency: a pattern of sealed plates where a certain model exposes a dangerous port, a ticket that records a seal replacement with the reason and date, and device configuration baselines that show unused interfaces disabled by default. When people argue that internal risk is low, the correct exam answer focuses on the fact that physical attacks often begin with the smallest, least defended connector. Good practice makes those connectors either unavailable or obviously disturbed, which is how you catch trouble early.

Point-of-sale and field devices require special attention because they live in messy, human spaces where fatigue and routine erode vigilance. Seals, cages, and serial number reconciliation form a practical trio: tamper-evident seals show when a device has been opened, cages prevent casual removal, and serial checks ensure that a swapped unit does not blend into the background. The assessment lens looks for a cadence: daily or shift-based visual checks, periodic reconciliations that compare inventory lists to what sits on counters and in service kits, and a procedure for what happens when a number does not match. Evidence here includes photos from recent checks, discrepancy logs with outcomes, and training records that show clerks understand what a broken seal means. The exam expects you to connect the importance of field discipline to fraud risk, because rogue readers and tiny insertions are still among the most effective ways to intercept card data in the wild.

Identity is a river that changes daily, so access events must reconcile against human resource status changes at a regular, short interval. Weekly is a baseline that many organizations can sustain; faster is better when turnover is high or when contractors rotate frequently. The control you evaluate is simple: when someone changes roles or leaves, their physical rights change or end in step, and the badge system can prove it. Assessors sample recent separations and transfers, compare the effective dates to badge revocations and group changes, and look for exceptions that suggest manual follow-up. Weakness reveals itself as drift: badges that remain active days after exits, contractors whose end dates moved without approval, or access restored ad hoc after hours without recorded reason. The exam expects you to prefer reconciled automation over heroics, because repeatable linkage between systems is what keeps risk low when people are busy.
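As an added illustration (not from the episode), the reconciliation described above in Python: it joins an HR change feed against a badge-system export and door events and flags drift. The HR feed, badge export, events, the one-day grace period and the role-to-group table are all constructed assumptions.

```python
from datetime import date, timedelta

# Door groups each role is entitled to (constructed policy table, an assumption).
ROLE_GROUPS = {"ops": {"lobby", "equipment_cage"}, "finance": {"lobby"}}

# Constructed HR feed: person, event, effective date, role after the event (None when separated).
HR_CHANGES = [
    ("u1001", "separation", date(2024, 3, 1), None),
    ("u1002", "transfer", date(2024, 3, 4), "finance"),
    ("u1003", "separation", date(2024, 3, 6), None),
    ("u1004", "separation", date(2024, 3, 7), None),
]

# Constructed badge-system export: active flag, revocation date, door groups still assigned.
BADGES = {
    "u1001": {"active": False, "revoked_on": date(2024, 3, 1), "groups": set()},
    "u1002": {"active": True, "revoked_on": None, "groups": {"lobby", "equipment_cage"}},
    "u1003": {"active": True, "revoked_on": None, "groups": {"lobby", "server_room"}},
    "u1004": {"active": False, "revoked_on": date(2024, 3, 12), "groups": set()},
}

# Constructed door events recorded by the badge system after the changes above.
BADGE_EVENTS = [
    ("u1003", "server_room", date(2024, 3, 8)),
    ("u1002", "lobby", date(2024, 3, 5)),
]

def reconcile(hr_changes, badges, events, as_of, grace_days=1):
    # Returns (person, finding) pairs; an empty list means badge state matches HR state.
    findings = []
    for person, event, effective, new_role in hr_changes:
        badge = badges.get(person)
        if badge is None:
            findings.append((person, "no badge record"))
            continue
        deadline = effective + timedelta(days=grace_days)  # allowed lag for revocation
        if event == "separation":
            if badge["active"] and as_of > deadline:
                findings.append((person, "badge still active after separation"))
            elif badge["revoked_on"] and badge["revoked_on"] > deadline:
                findings.append((person, "revocation later than grace period"))
            for who, door, when in events:  # any use after the exit date is drift
                if who == person and when > effective:
                    findings.append((person, f"door event at {door} after separation"))
        elif event == "transfer":
            extra = badge["groups"] - ROLE_GROUPS[new_role]  # rights the new role should not keep
            if extra and as_of > deadline:
                findings.append((person, f"groups not removed after transfer: {sorted(extra)}"))
    return findings
```

Run against the sample data with `as_of=date(2024, 3, 15)`, the four records yield one clean separation and four findings across the other three people.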

Surprise walk-throughs reveal the difference between policy and practice in a way no report can. When you enter a facility unannounced and look for propped doors, tailgating, missing signage, or unattended consoles, you see how controls behave during pressure and routine, not during demonstrations. The assessor’s skill here is observation with purpose: noting how staff challenge unfamiliar faces, whether delivery routes pierce sensitive zones, and how quickly a concern reaches someone who can act. Findings should lead to immediate fixes when simple issues appear, or to tickets that track work when the problem requires coordination. The exam values this habit because it anchors your judgment in the physical truth of a place, not only in the documents that describe it, and because small frictions you see today often prevent bigger incidents tomorrow.

Media destruction is the last control in the chain, and it must be as deliberate as the first. Retired drives, tapes, and printed extracts should meet approved methods such as witnessed shredding, degaussing, or destruction by certified vendors whose processes produce serial-numbered receipts. The assessor verifies that methods match media types, that custody remains controlled until the moment of destruction, and that certificates or logs exist to tie each destroyed item to a date and a method. Common shortcuts fail here: informal disposal without witness, commingled bins with office waste, or unverified vendor claims that break the chain of trust. The correct exam perspective is that destruction is not an administrative afterthought but a control that closes risk definitively, and therefore it demands the same quality of evidence as entry control at the front door.

Even the strongest program requires humility and iteration. Facilities change, tenants move, field devices rotate, and teams learn hard lessons from minor incidents that never made headlines. Your role is to look for feedback loops: signage updated after a confusion point, escort routes adjusted to reduce temptation, seals redesigned to resist a clever bypass, or storage practices simplified so busy staff can comply without effort. Good programs measure small things—door-held alarms per week, visitor log corrections per month, serial reconciliations that found a mismatch—and then decide on specific actions rather than sweeping statements. The exam looks for that practical intelligence: a sense that robust physical security is a living system, not a static checklist, and that evidence of change in response to observation is a mark of strength, not weakness.
