As with logical access controls, audit logs should be produced and monitored for physical access controls. Which of the following statements is correct about auditing physical access?

A.
Unsuccessful access attempts should be logged but only need to be reviewed by a security guard.

B.
Only successful access attempts should be logged and reviewed.

C.
Only unsuccessful access attempts during unauthorized hours should be logged and reviewed.

D.
All unsuccessful access attempts should be logged and reviewed.

Explanation:
D: Physical access control systems can use software and auditing features to produce audit trails or access logs pertaining to access attempts. The following
information should be logged and reviewed: the date and time of the access attempt, the entry point at which access was attempted, the user ID employed when
access was attempted, and any unsuccessful access attempts, especially if they occur during unauthorized hours.
A is incorrect because as with audit logs produced by computers, access logs are useless unless someone actually reviews them. A security guard may be
required to review these logs, but a security professional or a facility manager should also review these logs periodically. Management needs to know where entry
points into the facility exist and who attempts to use them. Audit and access logs are detective controls, not preventive. They are used to piece together a situation
after the fact instead of attempting to prevent an access attempt in the first place.
B is incorrect because unsuccessful access attempts should be logged and reviewed. Even though auditing is not an activity that will deny an entity access to a
network, computer, or location, it will track activities so that a security professional can be warned of suspicious activity. This information can be used to point out
weaknesses of other controls and help security personnel understand where changes must be made to preserve the necessary level of security in the
environment.
C is incorrect because all unauthorized access attempts should be logged and reviewed, regardless of when they occurred. Attempted break-ins can occur at
any time. Operating parameters can be set up for some physical access controls to allow a certain number of failed access attempts to be accepted before a user
is locked out; this is a type of clipping level. An audit trail of this information can alert security personnel to a possible intrusion.