Facilities Security

The Facilities Security module governs your physical and environmental security posture: facilities, physical areas within them, visitor records, environmental controls (HVAC, fire suppression, power, water), periodic physical access reviews, and physical security exceptions. It is the governance layer above access-control systems, badge systems, building management systems, and CMMS tools.

This module does not unlock doors, issue badges, or run environmental sensors. It governs the posture: what facilities exist, what areas have what classification, who visited, what environmental controls are in place, what reviews have been performed.

When you would reach for this

You set up facilities security when:

A regulator or framework expects a documented physical security program with reviewable posture.
Facilities and physical areas need an inventoried register with classification, ownership, and access posture.
Visitor records need governance beyond the badge system’s own logs.
Environmental controls (fire suppression certifications, UPS testing, generator runs) need governed records.
Periodic physical access reviews need an audit trail.
Physical security exceptions (a contractor temporarily allowed extended access during a project) need formal records.

You don’t reach for this for the actual access-control system, the badge system, or the building management system. Those enforce and operate. This module is the governed register.

What lives in the module

Six record types:

Facility captures one physical site: address, owner, posture summary, scope.
Physical area captures one defined area within a facility: a server room, a laboratory, a vault, a restricted floor.
Visitor record captures one governed visitor event with escort, purpose, time, scope of access.
Environmental control captures one environmental control measure: a fire suppression system, a UPS, a generator, a refrigeration unit holding regulated materials.
Physical access review captures a periodic review of who has access to which areas.
Physical security exception captures an approved deviation from standard physical posture.

A worked example: a museum governs its facility security across exhibitions, storage, and conservation

A museum operates a public exhibition space, restricted curatorial offices, environmental-controlled storage vaults for artworks, and a conservation laboratory. Each area has different classification: public, staff-only, restricted, secure-storage. Loans, insurance coverage, and accreditation depend on documented physical security posture. The director of facilities, Helena, sets up Facilities Security like this.

Step 1: facility records. The museum has one main building plus two off-site storage warehouses. Each becomes a facility record with address, owner, the responsible facility lead, the high-level posture.

Step 2: physical areas. Within each facility, areas are inventoried:

Main building: public-galleries, lobby, curatorial-offices, conservation-lab, climate-controlled-storage-A.
Storage warehouse 1: climate-controlled-storage-B, document-archive.
Storage warehouse 2: climate-controlled-storage-C, deep-archive.

Each area has its classification, access posture, environmental requirements.

Step 3: visitor records for restricted areas. Public visitors don’t get records (they go through ticketing). Visitors to restricted areas (researchers, conservators from other institutions, vendors servicing climate control, insurance assessors) do get visitor records: who, when, escort, purpose, scope of access.

Step 4: environmental controls. Each environmental control measure is recorded: the HVAC systems serving climate-controlled storage (with their performance requirements and inspection cadence), the fire suppression systems (with certification expiry), the UPS and generator infrastructure, the access-control system itself.

Step 5: physical access reviews. Annually, Helena conducts a physical access review per restricted area: who has badge access, why, when was access last used, should access be retained or revoked. Revocations route to the facilities team.

Step 6: exceptions. During a major exhibition installation, the exhibition design firm needs extended access to the galleries outside normal hours. Helena creates a physical security exception: scope (the contractor team, the gallery), duration (the install window), compensating posture (escort by museum staff for the first three nights, security camera coverage), approver (the head of security).

After a year:

The facility and area inventory is governed.
Visitor records to restricted areas form an audit trail.
Environmental controls have inspection records.
Periodic reviews surface stale access for cleanup.
An insurance assessor or accreditation reviewer has documented posture to examine.

What you’ll see in the product

Facilities Security lives under Governance → Facilities Security in the workspace.

Six top-level tabs: Facilities, Physical Areas, Visitor Records, Environmental Controls, Physical Access Reviews, Exceptions.

Every change is captured in the workspace Audit Log.

Common workflows

Inventorying a facility

Facilities → New facility. Address, owner, posture summary.
Add area records for each defined area within the facility.

Recording a visitor

Visitor Records → New. Visitor identity, purpose, escort, time window, scope.
The record is created at sign-in; expanded with departure time at sign-out.

Reviewing physical access

Physical Access Reviews → New. Pick the area or facility being reviewed.
Walk the access list; mark each entry retain, revoke, or escalate.
Revocations become tasks for the facilities team.

Approving an exception

Exceptions → New. Scope, duration, compensating posture, approver.
Approver decides.

Access - badge-system entitlements interact with physical area governance.
Assets - environmental control equipment may also be asset records.
Findings - facility-posture gaps surface as findings.
Exceptions - physical security exceptions also surface in the central exceptions register.
Party Engagements - vendor visitors typically tie to a party engagement.