Site Visit Checklist

Information

OBSERVE AS YOU ARE ENTERING THE MAIN LOBBY

Does the main lobby contain a reception or a security desk a physical person (security guard/receptionist) who manages visitors?
Does the main lobby have a console area with a central access terminal to register and issue temporary visitor badges?
Are visitors required to sign a visitor control log, provide a government issued ID, be escorted beyond enterance, and required to wear a badge?
Does the main entry contain a card reader on exterior as well as a man trap for after hour employee entry when 7x24 staffing is not in place?
Is there CCTV camera coverage of main entry, console and lobby?

Are emergency only exits identified and alarmed on a 7X24 basis?
Are all manned computing facilities equipped with emergency lighting?
Are all critical support areas equipped with smoke and fire detection?
Are there fire extinguishers clearly marked in facilities without automatic fire suppression?

Is access to facilities that are dedicated to computer processing (i.e., data centers, computer rooms) protected by a range of physical controls?
Are telecommunications cables, wiring closets and networking lines carrying data or voice protected from interception or damage?
Are critical information systems protected from power failures by using multiple feeds, uninterruptible power supply (UPS) or a backup generator?
Is emergency equipment, such as UPS and backup generators, serviced in accordance with the manufacturer's recommendations and tested periodically?
Have computing facility managers implemented water and moisture detection systems?

Are cell phones (with or without cameras), personal laptops and iPads seen in the Company Pod?
Are printed materials and media securely disposed? (cross-shredding or burning, etc.)
Are all desks clean and are computers not being used locked via a password protected screen saver, etc.?

Are administrative privileges restricted to those responsible for system administration? Ask for user to logon and view local access permission.
Can the user connect to the local/zoned vendor network from the Company system?
Are users allowed to print out Company data they have access to?
Can user copy paste Company information from their virtual session to a local session?
Are users allowed to copy to a removable (like a CD/USB Drive) or remote media (local network drive), the Company data they have access to? Are all drives disabled on workstations?
Are unique user IDs used for access? Have a couple of Company contractors log in and make sure they log in within unique IDs.
Is wireless networking technology used? - Screen shot of wireless networks available for rogue wireless detection. - Validate that workstations in Pod do not have wireless hardware or that connectivity is disabled. - Try to connect to the wireless via one of the systems in the Pod.

Are physical access audit logs maintained in either electronic or printed form and protected commensurate with requirements for confidential information? Review Visitor Log for Company Pod for the last 30 days.
Are visitor control logs retained for at least one year?
Are individuals NOT displaying access badges reported?
Are fire detection systems connected to local alarms, as well as alarms at the local fire department or 24 hour security center?
Are personnel aware of their company's Security Policy and have they completed their annual training? Interview and verify records for the Security Policy training.

Are visitors asked to surrender the badge before leaving the facility or at the date of expiration? Are you asked to surrender your badge?
Are delivery and loading areas isolated from general areas or monitored to prevent any unauthorized access to business or secure areas?
Does Closed Circuit Television (CCTV) monitor for coverage of main secondary (non manned) entry points, loading dock and parking?