Facility Access Controls

This task requires that agencies implement policies and procedures to limit physical access to its Electronic Information Systems and the facility which they are housed, while ensuring properly authorized access is allowed.

There are 4 addressable tasks under this section. The first is Contingency Operations which states that you must establish and implement procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

If there is a disaster or an emergency, how would you restore access to your EPHI. Do the proper personnel have access to your building or the alternative location? Who will manage this process? Will you need outside vendors? How will they be authorized?