Internal Control Questionnaire for Physical Security

By Nina Youngstrom

This was developed by Piedmont Health in Georgia. It’s used during audits of compliance with the HIPAA Security Rule’s physical security requirements (see story, p. 4),[1] according to Debra Harris and Lisa Anderson, senior IT internal auditors at the Georgia health system. Contact Anderson at Lisa.Anderson@piedmont.org and Harris at Debra.Harris1@piedmont.org.

Internal Control Questionnaire: Physical Security

Prepared by: _____________________________________

Date: ___________________________________________

Purpose

This questionnaire is designed to assist the person in charge of this business area in conducting a self-assessment of the adequacy of internal controls in place to ensure adequate monitoring procedures for physical security.

  1. This questionnaire should be completed by the person delegated to be responsible for this area.

  2. Save this file in your computer before completing and respond to each question below.

  3. Please answer each question to the best of your knowledge.

  4. Print a copy of this document for your records.

  5. Electronically send the questionnaire back to the person that sent you the questionnaire.

  6. Estimated completion time: 45 minutes

Questionnaire

  1. Identify the responsible individuals for overseeing the facility’s physical security.

  2. Does a physical security policy exist? Please supply an electronic copy.

  3. Do job descriptions exist for individuals with key security roles? Please supply an electronic copy.

  4. Do policies and procedures exist for various security activities—theft, intrusion, physical threats/harm, etc.? If so, please provide an electronic copy.

  5. Is the physical security of the facility included in routine risk assessments and adjusted as vulnerabilities change and new, emerging physical threats are identified? If so, please provide examples and any supporting documentation.

  6. Does the risk assessment include external and internal threats? If so, please provide examples and any supporting documentation.

  7. How often are the facility’s physical security policies, procedures and process reviewed, updated and approved by management?

  8. Do policies/procedures exist for managing third-party/contract personnel (examples: data center hosting, IT infrastructure support, facility/building management, janitorial services, equipment support, suppliers, etc.) physical access and restricted access? If so, please provide an electronic copy.

  9. How are third party/contract personnel screened, trained on the facility’s local requirements (security, privacy, etc.) and monitored?

  10. How are third-party/contract personnel monitored for adherence to the facility’s local requirements?

  11. Are the facility’s local requirements for security, privacy, policies, etc., documented? If so, what is documented and where are the supporting documents stored?

  12. Are third-party/contractors required to provide supporting documentation that their personnel meet all of the facility’s awareness and training? If so, provide the list of the required training. (This question is similar to no. 17.)

  13. Is there a physical access provisioning procedure for employees, medical staff, third-party/contract personnel, visitors, etc.? If so, please provide a copy.

  14. Is security required to log rounds, incidents, activities, etc.? If so, please provide a copy of the logs for the prior month.

  15. Do different badges exist for employees, visitors, third party/contract, medical staff? If so, please give a brief description of each type of badge.

  16. Does a procedure exist for transfer, termination of badge access? If so, please provide an electronic copy and a brief description below.

  17. Does a physical security training program exist for all employees, third-party/contract personnel, medical staff, etc.? If so, please provide a brief description below and please provide an electronic copy of the program. (See question no. 12.)

  18. How is the local perimeter and critical infrastructure secured and protected? (Examples of areas: entrances, equipment, sensitive areas, controlled areas, IT infrastructure, drugs, etc. Examples of security: cameras, locks, fences, etc.)

  19. Have any physical security reviews or audits been performed at the facility over the past 12 months? If so, please provide a copy of the report(s) and a status update on any findings noted during the review.

  20. Have any physical security or security incidents occurred in the last 12 months? If so, please provide an electronic copy of the incident report, findings and updated remediation plan status for each incident. Where are these incidents logged?

  21. How are the facility’s outside areas such as parking, common areas, etc., monitored and secured?

  22. If fences or barriers exist, are they routinely inspected and maintained properly? Please explain below.

  23. Do cameras exist in the outside areas? If so, how are they tested and maintained? What is the retention policy for the video? For the security cameras located in internal critical areas, are these reviewed or consistently monitored? Do they follow the same testing maintenance and retention as outside cameras?

  24. Is the outside lighting routinely inspected and maintained? If so, please give brief description below.

  25. Does the local facility have any panic buttons or emergency notification stations? If so, please explain below along with the testing and maintenance process.

  26. Have any drills (in-person or tabletop) been performed with the facility’s security and local, state or other agencies to access the readiness and performance of responses for security incidents within the past year? If so, please provide a copy of the report, findings and status of remediation.

  27. Any known concerns with the physical security of the facility?

  28. Please list any shared site facility/building management arrangements for your location.

  29. If any shared site facility/building management arrangements, were (1) utility requirements; (2) redundancies (power, HVAC, water communications, etc.); (3) shared communication closets and/or server rooms; (4) multiple connections to power for critical systems/equipment; (5) multiple telecommunication connections to prevent loss of voice services; (6) ground-to-earth conduit to carry excess power away from systems during power faults?

PLEASE PROVIDE AN ELECTRONIC COPY OF THE FOLLOWING ITEMS (most are included in the above questionnaire)

  1. Physical security policy, procedures and process.

  2. A list of individuals involved in physical security and job descriptions of the various levels included.

  3. Security logs for rounding of prior month – including outside and internal areas.

  4. Physical badging and access policy, procedures, process—including employees, third party/contract, medical staff, visitors, etc.

  5. Termination and/or transfer procedures for badging and access.

  6. Physical security training and awareness program.

  7. Security equipment maintenance and testing policy, process, procedures.

  8. Last risk assessments dealing with physical security.

  9. Any audit and/or review of the physical security by internal, local, state, federal or third-party agencies in last year.

  10. Physical security incident reports for last year, including any findings and updated remediation plan.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings