Do all alternate sites where ‘s data is stored or processed meet the same physical security requirements as the main site?

Are physical access devices (such as card readers,
proximity readers, and locks) maintained and
operated per the manufacturer recommendations?

Are these devices updated with any changed access
control information necessary to prevent
unauthorized access?

Are keys, combinations, and other physical access
devices secured?

Are logs of physical access to sensitive areas
maintained per retention policies? (This includes
authorized access as well as visitor access.)

Are visitor access records retained for as long as
required by approved policy?

Are all visitors to sensitive areas always escorted by
an authorized employee?

Are visitors escorted and monitored as required in
security policies and procedures?

Are output devices such as printers placed in areas
where their use does not expose data to unauthorized
individuals?

Are lists of personnel with authorized access
developed and maintained, and are appropriate
authorization credentials issued?