ISO/IEC 27001 Control 7.2: Physical entry
Control
Secure areas should be protected by appropriate entry controls and access points.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for the implementation of this control, making it more efficient and reliable.
Implementation Overview
MidPoint can provide a degree of automation regarding the management of physical access tokens, especially with respect to their revocation.
Implementation Details
MidPoint can be integrated with the system that manages physical access tokens by using ordinary provisioning capabilities and identity connectors. In such a case, midPoint can manage access tokens and their properties, controlling the physical access privileges of persons using policies and automation.

MidPoint can use location information to automatically grant basic access to a physical location. Even more importantly, midPoint can automatically revoke all physical access to a location when a person is re-assigned to a different location. MidPoint can use the identity lifecycle mechanism to automatically revoke all physical access when employment is terminated, based on data synchronized from the human resource (HR) system.

The role-based access control (RBAC) mechanism can be used to automatically grant and revoke physical access based on job roles and responsibilities, by including physical access and locations in business roles. E.g. midPoint can automatically grant physical access to call center rooms for all call center agents, automatically revoking the access when a person is re-assigned to a different job.

Policy rules can be used to limit access to certain areas only to specific roles or organizational units. E.g. access to information processing facilities (data centers, server rooms) can be limited to IT staff, refusing to grant such access to any non-IT personnel.

The access certification and micro-certification mechanisms can be used for re-certification of physical access (e.g. access to security perimeters), e.g. by managing the review of clearances.

MidPoint delegated administration can be used to register visitors and automatically grant them physical access appropriate for the location. Alternatively, self-registration can be used by visitors to pre-register for access. The activation schema can be used to grant access to visitors on a temporary basis, automatically disabling all granted access after a specified time period.
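A simplified model of the grant/revoke logic described above, as an added example that is not midPoint's own code or configuration: the location map, role map, restricted-area rule and the people are constructed sample data, and compute_access and reconcile are hypothetical helpers that compute which tokens a person should hold and what a connector would then have to grant or revoke in the physical access system.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample policy data (hypothetical, not midPoint configuration):
# which physical-access tokens a location and a business role imply.
LOCATION_ACCESS = {"HQ": {"hq-entrance"}, "datacenter": {"dc-entrance", "server-room"}}
ROLE_ACCESS = {"call-center-agent": {"call-center-room"}, "it-admin": {"server-room"}}
# Policy rule: a restricted area may only be granted to holders of the listed roles.
RESTRICTED_AREAS = {"server-room": {"it-admin"}}


@dataclass
class Person:
    name: str
    location: str
    roles: set = field(default_factory=set)
    active: bool = True                  # False once HR data says employment ended
    valid_to: Optional[datetime] = None  # activation window for temporary visitors


def compute_access(person: Person, now: datetime) -> set:
    """Return the set of physical access tokens the person should hold at `now`."""
    if not person.active:
        return set()                     # lifecycle: termination revokes everything
    if person.valid_to is not None and now > person.valid_to:
        return set()                     # activation: expired visitor access is disabled
    granted = set(LOCATION_ACCESS.get(person.location, set()))
    for role in person.roles:            # RBAC: business roles carry physical access
        granted |= ROLE_ACCESS.get(role, set())
    # policy rule: refuse restricted areas unless the person holds an allowed role
    return {a for a in granted
            if a not in RESTRICTED_AREAS or person.roles & RESTRICTED_AREAS[a]}


def reconcile(current: set, desired: set):
    """Return (grant, revoke) sets to bring the physical access system in line."""
    return desired - current, current - desired


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    alice = Person("alice", "HQ", {"call-center-agent"})
    before = compute_access(alice, now)
    alice.location, alice.roles = "datacenter", {"it-admin"}   # re-assignment
    grant, revoke = reconcile(before, compute_access(alice, now))
    print("grant:", sorted(grant), "revoke:", sorted(revoke))
```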
Rationale
This control is mostly about physical security, which is out of reach of midPoint. However, midPoint is a very effective tool for managing physical access tokens, especially the revocation of those tokens.
Related Features
- Information classification (planned)