Preprint
Article

This version is not peer-reviewed.

Unauthorised Entry into a Restricted Area Due to Physical Access Control Failure: A Simulated Case Study on Classified Information Protection in Critical Systems in the Portuguese Context

Submitted:

13 June 2026

Posted:

17 June 2026

You are already at the latest version

Abstract
In a simulated scenario involving a Portuguese company cleared to provide technological infrastructure and communications services to a public entity in an environment supporting critical systems, a newly hired technician entered a restricted technical room that was also being used for document storage, using an access card lent by his supervisor. While on site, he opened an unlocked cabinet, photographed part of a logical network diagram, and shared the image in an internal WhatsApp group, exposing documentation marked, for the purposes of the scenario, as RESERVADO (RESTRICTED) and CONFIDENCIAL (CONFIDENTIAL). The incident affected confidentiality, access traceability, and the chain of custody. The case is framed by the Portuguese regime for the protection of classified material, supported by SEGNAC and GNS guidance, and is analysed with complementary reference to ISO/IEC 27001:2022, ISO/IEC 27002:2022, ISO/IEC 27005:2022, NIST SP 800-116 Rev. 1, and NIST SP 800-53 Rev. 5. The main failures include the informal lending of an access card, insufficient authentication, absence of CCTV and alarm mechanisms, logs associated only with the credential, insufficiently reviewed access permissions, inadequate storage, and insufficient training. The proposed measures involve containment, preservation of evidence, physical inventory, access review, strengthened authentication, document segregation, control of mobile devices, training, and periodic auditing, with the aim of strengthening physical access control, compliance, accountability, and operational security.
Keywords: 
;  ;  ;  ;  ;  ;  ;  ;  

1. Introduction

The protection of classified information constitutes a specific safeguarding regime intended to maintain control over access to, handling, circulation, and storage of sensitive material. Such protection requires coordination between information security, communications security, physical security, cryptographic security, and organisational discipline. Under the Portuguese national framework, classified information is information whose unauthorised disclosure may cause harm to the interests of the State or of a Member State of an international organisation of which Portugal is a member, with such harm being graded according to the levels RESERVADO, CONFIDENCIAL, SECRETO, and MUITO SECRETO [1]. In environments supporting critical systems, this protection is also directly connected to operational continuity, mission assurance, and the ability to maintain trusted technical and organisational controls.
This framework is relevant to the present study because the case analyses, in a simulated scenario, unauthorised physical access to a restricted area associated with classified information. The scenario links physical access control to a technical room with the regime for the protection of classified material set out in SEGNAC 1 and summarised by the GNS, which requires control of need-to-know, traceability, appropriate storage, and response to security breaches or compromises [1,2]. Thus, the failure of a physical barrier has consequences for document protection and for the ability to demonstrate who accessed the information, under what conditions, and with what authorisation.
INFOSEC addresses the properties of confidentiality, integrity, availability, and traceability of information. COMSEC deals with the communications that support the technical infrastructure. Physical security operates through barriers, detection, delay, and response, making protection observable at the facility level. Smith and Brooks define physical security as the integration of people, procedures, and equipment for the protection of assets against threats and risks [3] (p. 176). Garcia complements this understanding by framing the physical protection system as an operational model based on detection, delay, and response, whose effectiveness depends on the integration of people, procedures, and equipment [4].
When a technical room also contains classified documentation, the INFOSEC, COMSEC, and physical security domains converge at the same operational point. Under the GNS guidance framework, the categorisation of spaces depends on the classification level of the classified information present in them and on the conditions under which it is worked on, handled, or stored [1]. Although the present case does not assume that the room had been formally designated as a Class 1 or Class 2 Security Area, the presence of CONFIDENCIAL (CONFIDENTIAL) documentation in the scenario prevents the space from being treated as a mere administrative area. The simultaneous use of the room as technical infrastructure, restricted document storage area, and temporary handling location for classified documents reveals a failure of physical and document segregation.
ISO/IEC 27002:2022 reinforces this interpretation by incorporating physical security into information security controls, including physical entry, the securing of rooms, physical security monitoring, working in secure areas, and the management of storage media [5]. In the case analysed, the improper entry into the mixed-use restricted technical room should be understood as a systemic failure affecting the confidentiality of the documentation, access traceability, the chain of custody, and the accountability of the individuals involved. The relevance of the study derives from the way in which an informal decision, such as lending an access card, cuts across complementary barriers of individual authorisation, need-to-know, physical control, monitoring, and incident response, falling within the category of non-malicious insider risk that is often underestimated in security programmes [6].
The guiding question of this paper is as follows: how can the improper lending of an access card, combined with the absence of CCTV and insufficient review of physical access permissions, enable unauthorised entry into a restricted technical room and compromise the confidentiality of the classified information located there, as well as its traceability and chain of custody?
The general objective is to analyse, on the basis of a simulated case, how physical, technical, human, procedural, and organisational failures combine in access control to a mixed-use restricted technical room, assessing the impact on the exposed assets and proposing verifiable corrective and preventive measures. The risk assessment follows the logic of ISO/IEC 27005:2022, which frames information security risk management through context establishment, risk identification, risk analysis and risk evaluation, selection of risk treatment options, monitoring, and review [7].
The case is simulated and technically plausible. It does not use real classified information, does not identify real facilities, and does not describe exploitable topologies, IP addresses, credentials, cryptographic keys, operational configurations, or sensitive locations. It adopts only the simulated classification levels RESERVADO (RESTRICTED) and CONFIDENCIAL (CONFIDENTIAL) to allow a proportionate academic analysis. The personal data and human resources documentation present in the scenario are treated as sensitive business information or personal data, and not as classified material. This is a single case study; therefore, the proposed measures should be read as operationalisable examples for entities in analogous situations, always subject to validation against the applicable regulatory, technical, and contractual context. Unless otherwise indicated, translations from Portuguese legal, normative, and institutional sources are the author’s own; the original Portuguese wording remains the authoritative reference.

2. Operational Context and Assumptions

The organisation in the scenario is a Portuguese private company cleared to provide technological infrastructure and communications services to a public entity. Its legal position corresponds to the framework set out in SEGNAC 2, which requires that “before an establishment, company, body, or service participates in a tender, in negotiations, or in the performance of any classified industrial, technological, or research activity, the National Security Authority must carry out its clearance” [8] (Art. 25). Clearance enables the company, under the applicable terms, to participate in activities involving classified material. It does not, however, replace the need to confirm each employee’s individual security clearance, formal authorisation, and need-to-know before access to classified documents is granted [1].
The room in question is a restricted technical room located within an administrative area of the building and also used for document storage. It houses network racks, technical communications documentation, encrypted removable media, document distribution records, operating procedures, and a metal cabinet whose class is insufficient for the CONFIDENCIAL (CONFIDENTIAL) level of the documentation stored there under SEGNAC 1 [2] (Ch. 5.6).
Under the GNS guidance framework, the categorisation of spaces is determined by the classification level of the classified information handled or stored in them and by the conditions under which such handling takes place. Administrative Areas may accommodate information up to RESERVADO (RESTRICTED), whereas Class 2 Security Areas cover locations where classified matters are worked on, handled, and temporarily stored, but not archived [1]. In the present case, the room is not assumed to have been formally designated as a Class 2 Security Area. Even so, the existence of documentation marked as CONFIDENCIAL (CONFIDENTIAL) in the scenario prevents it from being interpreted as a simple administrative area. The simultaneous use of the space as a technical room, restricted document storage area, and temporary handling location for classified documents evidences a failure of physical and document segregation, requiring a formal assessment of the area and controls compatible with the classification level of the information present.
There are four main actors, plus an internal reporter relevant to incident detection. The newly hired technician in the infrastructure team, who does not yet have formal security clearance or a declared need-to-know for the classified assets held in the room. The technician’s line manager, who is cleared, has authorised access, and lends him the access card. The facilities management officer, responsible for configuring the physical access control system and periodically reviewing access permissions. The organisation’s Security Officer for classified information, or the Head of the Control Post/Sub-Registry where applicable, is responsible for the internal procedures for the protection and handling of classified information and for coordinating the response to security breaches, in articulation with the CISO (Chief Information Security Officer) where information systems are involved. In addition, there is the employee who was a member of the internal WhatsApp group, identified the improper sharing, and reported the matter to the Security Officer for classified information or equivalent internal officer, acting as an internal reporter and as the trigger point for incident response. The arrangement deliberately keeps the Physical Access Control System (PACS) manager and the classified information security function in separate roles, in line with the principle of separation of duties operationalised by control AC-5 in the NIST SP 800-53 Rev. 5 control catalogue [9] (p. 36).
The relevant assets in the room are organised into four groups. In the CONFIDENCIAL (CONFIDENTIAL) group: (a) the logical diagram of the segregated network, (b) the technical documentation of the communications infrastructure, (c) the encrypted contingency removable medium, and (d) the procedure for activating critical communications. In the RESERVADO (RESTRICTED) group: (e) the rack inventory and (f) the distribution record for classified documents. As restricted internal evidence: (g) the logs of the physical access control system. As personal data and sensitive business information, without the nature of classified material: (h) the human resources documentation. The distinction between simulated classified information and personal data is not merely formal. Each category is subject to a different regime and to a different control matrix, even when they share the same cabinet.
The simulated classification levels used are RESERVADO (RESTRICTED), defined as material whose disclosure to unauthorised persons may be adverse to the interests of the country or its allies [1] (p. 1), and CONFIDENCIAL (CONFIDENTIAL), defined as material whose knowledge by unauthorised persons may be prejudicial to the interests of the country or its allies [1] (p. 1). Higher classification levels are not used.
Four assumptions support the analysis. The first is need-to-know: “access to classified material must be restricted exclusively to persons who need to know it for the performance of their duties or tasks” [2, Ch. 1.2.2.4]. The second is prior security clearance for access to classified information at CONFIDENCIAL (CONFIDENTIAL) level or above, without prejudice to the need-to-know and handling rules applicable to RESERVADO (RESTRICTED) information. Security clearance is defined by the GNS as the authorisation of a natural or legal person to handle classified information, granted by the National Security Authority (ANS) [1] (p. 1). The third is physical compartmentation, that is, the containment of classified material in a container of the appropriate class [2] (Ch. 5.6). The fourth is the segregation of duties and environments, materialised in the distinction between the technical room, classified document storage function, network operations space, and human resources records area.

3. Case Description: Timeline and Evidence

At the time of the incident, the room did not have an internal perimeter reinforced by complementary barriers. Direct access depended on a door controlled by a PACS, with the access record associated with the card used, but without strong authentication of the person who actually entered. At the critical point, there was no CCTV, no door-held-open alarm, no alert for entry outside the authorised profile, and no documented periodic guard tour or patrol.
The timeline below organises the incident into eight milestones, from the lending of the access card to confirmation of the unauthorised internal sharing.
Table 1. Incident timeline.
Table 1. Incident timeline.
Milestone Event Recorded Evidence
T0 (D−14) The technician is admitted to the infrastructure team. Technical onboarding is carried out. Briefing on restricted areas and need-to-know is not documented. HR record. Absence of briefing record.
T1 (D−1) The line manager asks the technician to “check” some equipment in the technical room. Informal arrangement. Message exchange, not preserved.
T2 (D, 09:12) The line manager lends his access card to the technician in the administrative corridor. No record. Reconstructed through the line manager’s later statement.
T3 (D, 09:17) The technician enters the room using the card. The PACS log records the card identifier. The person carrying the card is not identified. PACS log.
T4 (D, 09:21) The technician finds the metal cabinet unlocked, removes a folder containing documentation marked as CONFIDENCIAL (CONFIDENTIAL), and photographs part of a logical network diagram. No record at the time. Photograph recovered from the mobile phone on D + 1.
T5 (D, 09:26) The technician leaves the room. The card is returned to the line manager shortly after leaving the room. PACS exit log.
T6 (D, 09:41) The image is shared in an internal WhatsApp group with 14 members, some of whom have no need-to-know for the asset. Screenshot obtained on D + 1 at the request of the Security Officer for classified information or equivalent internal officer.
T7 (D + 1) Another member of the group reports the content to the Security Officer for classified information or equivalent internal officer. Incident response begins. Incident record.
The available evidence has three limitations that shape the entire subsequent analysis. The first is the absence of video surveillance at the access point. Without CCTV, the only primary evidence of entry is the PACS log, which confirms use of the card but does not identify who carried it. The second is the absence of a door-held-open alarm or anomalous event in the PACS. Entry outside the line manager’s usual profile and the dwell time in the room were not flagged in real time. The third is the absence of cabinet opening logs. Without an electronic lock or opening sensor, the opening of the container leaves no trace.
Gigliotti and Jason frame physical security as a combination of barriers, access control, surveillance, and deterrence, observing that “if a system can create the appearance of impenetrability, then it has succeeded in deterring some lesser adversaries” [10] (p. 70). Garcia is more direct regarding the operational function of the physical protection system: “the functions of a [physical protection system] are detection, delay, and response. They represent the integration of people, procedures, and equipment to meet the system objectives” [4] (p. 66). The failure of the detection function breaks this chain at its first link, and no subsequent response can restore its retroactive evidentiary value.
In normative terms, the security breach occurred at the moment when the card was used by someone other than its holder. The GNS defines a security breach as “acts or omissions that violate established security rules and that endanger or compromise classified information” [1] (p. 1), and compromise as “access to classified information, in whole or in part, by an unauthorised person” [1] (p. 1). The photograph at T4 and the dissemination at T6 move the case from a breach to confirmed compromise.

4. Normative and Procedural Framework

The framework combines national, European, technical, and methodological references:
National classified information regime. SEGNAC 1 establishes the framework for classification, authorisation, physical security, control, and security breaches concerning classified material [2]. SEGNAC 2 extends this regime to industrial, technological, and research activities, providing the basis for the prior clearance of companies participating in classified activities [8] (Art. 25). Within this framework, the National Security Authority (ANS) directs the Portuguese National Security Office (GNS) and exercises responsibilities for the protection, safeguarding, and clearance of classified information. The GNS, as a central service of the State administration, is used in this paper as an institutional and doctrinal reference for practical guidance on classification levels, security areas, security clearance, security breach, and compromise [1]. In the present case, this regulatory framework supports the categorisation of the area, the distinction between classified information and unclassified sensitive information, and the qualification of the incident as a security breach with confirmed compromise.
Information security management system. ISO/IEC 27001:2022 frames the ISMS, from leadership to continual improvement, and provides the structure for internal audit and the treatment of nonconformities [11]. ISO/IEC 27002:2022 provides the operational controls applicable to the case, four groups of which are decisive: information classification and labelling, controls 5.12 and 5.13; access and identity management, controls 5.15, 5.16, 5.17, and 5.18; physical and environmental security, controls 7.1, 7.2, 7.3, 7.4, 7.6, 7.7, and 7.10; and logging and monitoring, controls 8.15 and 8.16 [5].
Risk methodology standard. ISO/IEC 27005:2022 defines risk as the “effect of uncertainty on objectives” [7] (Clause 3.1.3) and provides the methodological basis for identifying, analysing, evaluating, and treating information security risks in the case. The Portuguese National Cybersecurity Centre (CNCS) adopts a qualitative scale from 1 to 5 for likelihood and impact, with the labels Very Low, Low, Medium, High, and Very High [12] (p. 28). The analysis in Section 5.3 follows this scale.
PACS and PIV controls. NIST SP 800-116 Rev. 1 is used as a technical good-practice reference for physical access control and credential authentication in PACS, without being treated as a Portuguese normative obligation. The standard establishes a risk-based approach for selecting physical authentication mechanisms, stating that “a risk-based approach should be used when selecting appropriate PIV [Personal Identity Verification] authentication mechanisms for physical access to Federal Government buildings and facilities” [13] (p. 14). It defines three area categories, Controlled, Limited, and Exclusion, associated with one-, two-, or three-factor authentication requirements [13] (p. 14), and states that the PIV credential is “non-transferable” due to the presence of the biometric factor [13] (p. 5). This risk-factor principle technically supports the recommendation for strengthened authentication in rooms that concentrate higher-criticality assets, such as classified documentation, removable media, and sensitive technical documentation.
NIST SP 800-53 Rev. 5 control catalogue. NIST SP 800-53 Rev. 5 is used as a complementary catalogue for access control, training, auditing, incident response, media protection, physical security, and personnel security controls, in conjunction with ISO/IEC 27002:2022 [5,9].
Risk and insider threat guidance. The CNCS risk management guide supports the matrix used in Section 5.3 [12]. The Common Sense Guide to Mitigating Insider Threats provides the non-malicious insider threat framework relevant to the case [6]. The ENISA technical guidance is used only as a complementary reference for post-incident review and the documentation of lessons learned [14].
Theoretical physical security. Smith and Brooks provide the general definition of physical security as the integration of people, procedures, and equipment [3]. Garcia supports the operational analysis of the physical protection system, particularly the functions of detection, delay, and response [4]. Gigliotti and Jason complement this framework by discussing barriers, access control, surveillance, and deterrence in physical security programmes [10].

5. Technical-Operational Analysis

5.1. Failure Identification

Procedural failures. The organisation did not have a written policy prohibiting the lending of access cards, nor a procedure requiring the informal request made by the line manager to be reported. Control 5.15 of ISO/IEC 27002:2022 requires access to be defined and authorised “based on business and information security requirements” [5] (p. 32), which presupposes an internal normative framework that the case lacked. The periodic review of access rights provided for in control 5.18 was also not implemented [5] (p. 32). As a consequence, the organisation was unable to demonstrate that the physical access rights assigned to the room remained appropriate to the current need-to-know of their respective holders.
Technical failures. The PACS operates with a single authentication factor, based solely on the card, without a PIN, biometrics, or any other mechanism capable of linking entry to the person who is actually authorised. By technical analogy with the area model in NIST SP 800-116 Rev. 1, a room that concentrates classified documentation, removable media, and sensitive technical assets presents a risk profile compatible with strengthened authentication. The reference states that “two-factor authentication is always employed to enter Limited areas, and three-factor authentication is employed to enter Exclusion areas” [13] (p. 17). Within this framework, a card-only configuration proves insufficient to ensure correspondence between the credential, the authorised person, and need-to-know. The PACS was also not configured to generate alarms for entries outside the usual temporal profile, anomalous dwell time, or rejected access attempts, which is not aligned with the purpose of control 7.4 of ISO/IEC 27002:2022, aimed at detecting and deterring unauthorised physical access [5]. The absence of CCTV at the access point reduced detection to a subsequent record of the credential used, without independent confirmation of the cardholder’s identity.
Physical failures. The cabinet in which the copies simulated as RESERVADO (RESTRICTED) and CONFIDENCIAL (CONFIDENTIAL) were stored did not correspond to the class of container required for the highest classification level present there, in light of the classification by container classes under SEGNAC 1 [2] (Ch. 5.6). The cabinet was found unlocked, which is not aligned with control 7.7 of ISO/IEC 27002:2022, whose purpose is “to reduce the risks of unauthorized access, loss of and damage to information on desks, screens and accessible locations” [5] (p. 73). The room jointly housed network racks, encrypted removable media, technical documentation, simulated classified documents, and copies of human resources documents, which is not aligned with the logic of segregation and physical protection associated with controls 7.3 and 7.10 [5] (pp. 70, 76).
Human failures. The newly hired technician accepted an informal request without questioning the regularity of the procedure, photographed a document for which he had neither need-to-know nor reading authorisation, and shared it through a channel that does not meet information protection requirements. The line manager, who had hierarchical authority and active security clearance, delegated to a subordinate a task that he should have performed personally, and did so by lending a personal credential. The two acts are distinct. The subordinate’s conduct may be partly attributed to insufficient training. The line manager’s conduct results from an internal culture in which compliance with need-to-know gives way to operational convenience. Both fall within the definition of non-malicious insider threat used by the CERT National Insider Threat Center [6].
Organisational failures. Onboarding did not documentably cover the restricted-area regime, the concept of need-to-know, or the handling of simulated classified information, which is not aligned with Practice 9 of the CERT guide [6] (p. 66). The organisation also had no formal insider risk programme and no mechanism for identifying behavioural indicators, which is not aligned with Practices 2 and 3 of the same guide [6] (pp. 19, 34). The periodic review of physical access permissions, implicitly required by control 5.18 of ISO/IEC 27002:2022 [5] (p. 32) and by control AC-2 of NIST SP 800-53 Rev. 5 [9] (p. 45), was not scheduled.

5.2. Causal Analysis

In the present scenario, the root cause can be understood as the structural dependence on a single-factor physical authentication model, in which possession of the card was sufficient to access the room. The lending of the card triggered the incident, but the main weakness lay in the PACS’s inability to confirm the actual identity of the cardholder and to validate, at the moment of access, individual authorisation and need-to-know. Thus, once the physical credential was transferred, the system ceased to distinguish between the authorised holder and the person who actually entered.
The contributing factors arise on three levels. At the organisational level, the absence of a policy on the lending of access cards and the normalisation of informal requests through the hierarchical line. At the technical level, the choice of a single factor in a space whose effective function, by housing classified documentation, required strengthened authentication in accordance with NIST SP 800-116 Rev. 1 [13] (pp. 14–15). At the physical level, the absence of an appropriate lock on the container holding the most sensitive asset, in non-compliance with the storage rules set out in SEGNAC 1 [2] (Ch. 5.6).
The failed barriers can be explained using Garcia’s detect, delay, respond model [4] (p. 43). The detection function failed because the PACS recorded only the credential, without multifactor authentication, CCTV, or anomaly alerts. The delay function failed because the cabinet was unlocked and had no additional control mechanism. The response function failed because there was no specific procedure for an incident in a room containing simulated classified material, leading the organisation to react only after the later report by a member of the WhatsApp group. Accountability was also limited, because the PACS logs indicated the card used but did not confirm who actually entered.
The relationship between the failures is cumulative. The lending of the card enabled entry; the absence of strengthened authentication prevented identity confirmation; the lack of CCTV and alarm mechanisms prevented immediate detection; the unlocked cabinet enabled access to the documentation; and the absence of a specific procedure delayed the response. Taken together, these gaps explain why a simple action, with no demonstrated malicious intent, was sufficient to generate a security breach with confirmed compromise in less than thirty minutes.

5.3. Risk Assessment

The risk assessment is qualitative and follows the CNCS 1-to-5 scale, in conjunction with the ISO/IEC 27005:2022 structure for risk identification, analysis, evaluation, and treatment [7,12]. Impact and likelihood are assessed on a scale from 1 to 5, where 1 corresponds to Very Low and 5 to Very High. The risk level results from multiplying impact by likelihood and is used to define treatment priority.
The classification of the risk level follows the CNCS criterion: 1 corresponds to very low, 2–4 to low, 5–11 to medium, 12–19 to high, and 20–25 to very high [12]. Where a risk affects more than one dimension, the final impact value corresponds to the most severe main affected dimension. The dimensions considered are confidentiality, integrity, availability, reputation, mission, and chain of custody. Chain of custody is included as an additional dimension due to the nature of the case and the relevance of document traceability.
Table 2. Risk matrix and treatment priority.
Table 2. Risk matrix and treatment priority.
Risk Affected Asset I L RL Priority Main Dimension
R1—Unauthorised access to classified information Technical communications documentation—CONFIDENCIAL (CONFIDENTIAL) 5 4 20 Very high Confidentiality
R2—Unauthorised dissemination of a technical diagram Logical diagram of the segregated network—CONFIDENCIAL (CONFIDENTIAL) 5 3 15 High Confidentiality
R3—Exposure of technical inventory Rack and equipment inventory—RESERVADO (RESTRICTED) 3 3 9 Medium Mission
R4—Failure to attribute responsibility PACS logs and access records—restricted internal evidence 4 4 16 High Accountability/traceability
R5—Compromise of the document chain of custody Distribution records—RESERVADO (RESTRICTED); technical documentation—CONFIDENCIAL (CONFIDENTIAL) 5 3 15 High Chain of custody
R6—Maintenance of inappropriate physical permissions Access profiles to the restricted room and need-to-know matrix 4 3 12 High Mission
R7—Exposure of encrypted removable media Encrypted contingency removable medium—CONFIDENCIAL (CONFIDENTIAL) 4 2 8 Medium Mission
R8—Exposure of sensitive administrative documentation HR documentation—sensitive/personal data, not classified 4 3 12 High Reputation/data protection
Legend. I = Impact; L = Likelihood; RL = Risk level. The RL results from multiplying I by L. Priority follows the CNCS scale: 1 = very low; 2–4 = low; 5–11 = medium; 12–19 = high; 20–25 = very high.
The reading of the matrix indicates that the scenario’s overall risk is concentrated at the high and very high levels. The most severe risk is R1, relating to unauthorised access to technical communications documentation classified in the scenario as CONFIDENCIAL (CONFIDENTIAL), with RL = 20 and very high priority. Risks R2, R4, R5, R6, and R8 fall within the high level, demonstrating that the incident is not limited to loss of confidentiality. Traceability, chain of custody, operational mission, and confidence in the organisation’s ability to control physical access and protect sensitive information are also affected.
Treatment priority should therefore focus first on the risks classified as very high and high, in line with the CNCS approach to prioritisation according to risk level [12]. ISO/IEC 27005:2022 reinforces this interpretation by framing risk evaluation as the basis for selecting risk treatment options, including risk modification, risk retention, risk avoidance, or risk sharing [7]. Thus, the matrix justifies treating risks R1, R2, R4, R5, R6, and R8 before the medium risks, with the risk owner being responsible for validating the priority, the acceptance criteria, and the decision on any remaining residual risk.

6. Corrective and Preventive Measures

The measures are structured into two functional categories. The first five (M1–M5) are corrective measures, to be executed immediately or in the short term. The following ten (M6–M15) are preventive measures, to be implemented over a longer timeframe. Each measure is specified using the same set of fields: type, responsible party, preconditions, evidence of implementation, and acceptance criterion. The mapping to normative controls is indicated in the final line of each block.

6.1. Short-Term Corrective Measures

M1. Temporary suspension of the line manager’s card.
  • Type: corrective.
  • Responsible party: PACS manager, in coordination with the Security Officer for classified information, or equivalent internal officer.
  • Preconditions: incident record opened; documented decision by the Security Officer for classified information or equivalent internal officer, with CISO involvement where information systems are affected.
  • Evidence: PACS log showing revocation/suspension of the card; record of the decision.
  • Acceptance criterion: suspension executed within 4 h of the incident being reported, verified by log review.
  • Controls: ISO/IEC 27002:2022 5.18—Access rights [5]; NIST SP 800-53 Rev. 5, AC-2—Account Management and PE-2—Physical Access Authorizations [9].
M2. Blocking the newly hired technician’s access to the room.
  • Type: corrective.
  • Responsible party: PACS manager, with validation by the functional manager and the Security Officer for classified information, or equivalent internal officer.
  • Preconditions: confirmation by HR of the technician’s functional position; validation by the functional manager that the profile includes neither authorisation nor need-to-know regarding the assets in the room; incident record opened. Internal disciplinary proceedings to be initiated in parallel, where applicable.
  • Evidence: PACS configuration excluding the room from the technician’s profile; record in the identity management system or access matrix.
  • Acceptance criterion: subsequent entry attempt refused and logged; monthly audit confirms exclusion from the access profile.
  • Controls: ISO/IEC 27002:2022 5.16—Identity management and 5.18—Access rights [5]; NIST SP 800-53 Rev. 5, PE-2—Physical Access Authorizations and PE-3—Physical Access Control [9]; AC-2—Account Management, where the PACS profile is managed as an account.
M3. Preservation of PACS logs and digital evidence associated with the incident.
  • Type: corrective, with evidentiary purpose.
  • Responsible party: Security Officer for classified information, or equivalent internal officer, with support from the IT team and coordination with HR, legal, or the Data Protection Officer (DPO), where applicable.
  • Preconditions: incident record opened; internal evidence management policy; segregated and controlled medium for preserving records; designation of the person responsible for collection.
  • Evidence: copy of the PACS logs and adjacent systems logs; recovered photograph; screenshot or export of the WhatsApp message; identification of the group, recipients, and date of sharing; integrity hash whenever technically possible; chain-of-custody record.
  • Acceptance criterion: evidence preserved within 24 h of the incident being reported, validated by a second person, and archived on a controlled medium; any collection involving personal devices, personal data, or identifiable internal communications must be coordinated with HR, legal, or the DPO, where applicable, respecting proportionality and data minimisation.
  • Controls: ISO/IEC 27002:2022 5.28—Collection of evidence and 8.15—Logging [5]; NIST SP 800-53 Rev. 5, AU-2—Event Logging and AU-9—Protection of Audit Information [9].
M4. Physical inventory of the room’s documents, media, and equipment.
  • Type: corrective.
  • Responsible party: Security Officer for classified information, or equivalent internal officer, together with the technical officer responsible for the room.
  • Preconditions: updated asset list; two-person presence during verification.
  • Evidence: inventory report indicating the documents, media, and equipment verified, as well as any discrepancies against the reference list.
  • Acceptance criterion: inventory completed within 48 h and reviewed by the Security Officer for classified information or equivalent internal officer.
  • Controls: ISO/IEC 27002:2022 5.9—Inventory of information and other associated assets and 7.10—Storage media [5].
M5. Compromise assessment and notification to the competent authorities, where applicable.
  • Type: corrective.
  • Responsible party: Security Officer for classified information or equivalent internal officer, in coordination with senior management and the CISO where information systems are affected and, where applicable, with notification to the ANS through the GNS.
  • Preconditions: preliminary impact analysis; identification of the recipients of the WhatsApp sharing; initial preservation of evidence.
  • Evidence: compromise assessment report; list of identified recipients; documented decision on notification; formal notification to the competent authority, where applicable.
  • Acceptance criterion: report approved and archived by the Security Officer for classified information or equivalent internal officer; decision on notification documented; notification sent within the applicable internal or regulatory deadlines.
  • Controls: ISO/IEC 27002:2022 5.25—Assessment and decision on information security events and 5.26—Response to information security incidents [5]; CERT National Insider Threat Center, Best Practice 6 [6].

6.2. Preventive Measures

M6. Formal policy prohibiting the sharing of access cards.
  • Type: preventive.
  • Responsible party: Security Officer for classified information, or equivalent internal officer, with CISO input where relevant.
  • Preconditions: review by the legal and HR teams; alignment with the access control policy and internal regulations.
  • Evidence: approved and signed formal policy; dissemination record; record of reading or acceptance by the covered employees.
  • Acceptance criterion: 100% of employees with access to restricted areas confirm reading/acceptance of the policy within 30 days.
  • Controls: ISO/IEC 27002:2022 5.15—Access control and 5.17—Authentication information [5]; CERT National Insider Threat Center, Best Practice 3 [6].
M7. Periodic review of physical access permissions.
  • Type: preventive.
  • Responsible party: PACS manager, with validation by the functional managers and the Security Officer for classified information, or equivalent internal officer.
  • Preconditions: updated list of restricted areas; approved need-to-know matrix by function; nominal list of users with physical access to the room.
  • Evidence: semi-annual review report, with accesses maintained, removed, and functionally justified; validation signed by the functional manager.
  • Acceptance criterion: semi-annual review cycle completed for two consecutive cycles; 100% of access rights to the restricted room supported by current, documented, and validated need-to-know.
  • Controls: ISO/IEC 27002:2022 5.18—Access rights [5]; NIST SP 800-53 Rev. 5, AC-2—Account Management, AC-6—Least Privilege, and PE-2—Physical Access Authorizations [9].
M8. Strengthened authentication (two factors) at the restricted room entrance.
  • Type: preventive.
  • Responsible party: PACS manager and IT team, with validation by the Security Officer for classified information and involvement of the DPO if biometric authentication is considered.
  • Preconditions: approved budget, technical feasibility analysis of the reader, and data protection impact assessment with DPO opinion if biometrics are used.
  • Evidence: reader configuration with PIN, biometrics, or another second factor; hardware acceptance minutes; access test report.
  • Acceptance criterion: 100% of entries recorded with two factors within 30 days after installation; quarterly audit confirms absence of unapproved exceptions.
  • Controls: NIST SP 800-116 Rev. 1 [13]; ISO/IEC 27002:2022 5.17—Authentication information [5].
M9. CCTV at the access point, with proportionality and data protection safeguards.
  • Type: preventive.
  • Responsible party: Security Officer for classified information, or equivalent internal officer, in coordination with the DPO.
  • Preconditions: proportionality assessment and DPO opinion; documented purpose; visible signage; defined retention period.
  • Evidence: installation contract or record; coverage map; retention policy; record of image testing and access to recordings.
  • Acceptance criterion: effective coverage of the door verified by testing. Compliance with data protection confirmed by audit.
  • Controls: ISO/IEC 27002:2022 7.4—Physical security monitoring [5]; NIST SP 800-53 Rev. 5, PE-6—Monitoring Physical Access [9].
M10. Door-held-open alarm and anomalous entry alarm in the PACS.
  • Type: preventive.
  • Responsible party: PACS manager, in coordination with the security operations team.
  • Preconditions: anomaly rules defined, including door held open beyond the permitted time, after-hours entry, atypical frequency, refused entry attempt, and entry by an incompatible profile.
  • Evidence: documented configuration of the rules; record of events triggered during testing; history of processed alerts.
  • Acceptance criterion: 100% of anomalous event simulations generate an alert and are processed by the identified team within 15 min.
  • Controls: ISO/IEC 27002:2022 7.4—Physical security monitoring and 8.16—Monitoring activities [5]; NIST SP 800-53 Rev. 5, AU-6—Audit Record Review, Analysis, and Reporting and PE-6—Monitoring Physical Access [9].
M11. Anti-tailgating policy and document segregation.
  • Type: preventive.
  • Responsible party: Security Officer for classified information, or equivalent internal officer, with support from the technical officer responsible for the room and review of the physical space design.
  • Preconditions: analysis of circulation flows; identification of the types of documentation present; redesign of storage by classification level and nature of the information.
  • Evidence: updated room layout with distinct zones or cabinets; published anti-tailgating procedure; signage next to the access point; audit record of document segregation.
  • Acceptance criterion: semi-annual audit confirms physical separation between classified documentation, removable media, and administrative documentation; no classified document stored outside the appropriate container.
  • Controls: ISO/IEC 27002:2022 7.2—Physical entry, 7.3—Securing offices, rooms and facilities, and 7.10—Storage media [5]; Sinai, on access control systems and identification badges [15].
M12. Cabinet/safe of a class appropriate to the highest classification level stored.
  • Type: preventive.
  • Responsible party: Security Officer for classified information, or equivalent internal officer, with support from facilities/security operations and CISO input where electronic media or information systems are affected.
  • Preconditions: identification of documents by classification level; definition of the container required for the highest classification level; approved budget.
  • Evidence: container installed and identified; record of documents stored; record of keys, combinations, or authorised persons.
  • Acceptance criterion: 100% of documents marked as CONFIDENCIAL (CONFIDENTIAL) stored in the appropriate container; review of keys, combinations, or authorisations every six months.
  • Controls: SEGNAC 1, Chapter 5.6—rules for the storage of classified material [2]; ISO/IEC 27002:2022 7.3—Securing offices, rooms and facilities, 7.7—Clear desk and clear screen, and 7.10—Storage media [5].
M13. Initial and periodic training on restricted areas, need-to-know, and handling.
  • Type: preventive.
  • Responsible party: Security Officer for classified information, or equivalent internal officer, together with HR.
  • Preconditions: approved training programme; minimum content defined on restricted areas, prohibition of access card sharing, need-to-know, handling of classified information, and authorised sharing channels; knowledge assessment defined.
  • Evidence: attendance record; completed assessment; training materials archived; record of onboarding for new employees.
  • Acceptance criterion: 100% of new employees with potential access to restricted areas complete the training within 30 days of admission; annual refresher cycle completed for employees with authorised access.
  • Controls: ISO/IEC 27002:2022 6.3—Information security awareness, education and training [5]; NIST SP 800-53 Rev. 5, AT-2—Literacy Training and Awareness and AT-3—Role-Based Training [9]; CERT National Insider Threat Center, Best Practice 9 [6].
M14. Incident response plan for incidents involving classified information and post-incident review.
  • Type: preventive.
  • Responsible party: Security Officer for classified information, or equivalent internal officer, with sponsorship from senior management and CISO involvement where information systems are affected.
  • Preconditions: documented plan; defined escalation criteria; roles for containment, evidence preservation, compromise assessment, and notification to the ANS through the GNS, where applicable; exercises scheduled.
  • Evidence: published plan; exercise records; post-incident review reports; lessons learned archived.
  • Acceptance criterion: at least one annual exercise; post-incident review performed for all confirmed incidents; lessons learned integrated into the plan within 60 days.
  • Controls: ISO/IEC 27002:2022 5.24—Information security incident management planning and preparation, 5.26—Response to information security incidents, and 5.27—Learning from information security incidents [5]; NIST SP 800-53 Rev. 5, IR-3—Incident Response Testing, IR-4—Incident Handling, and IR-8—Incident Response Plan [9]; ENISA, Post-incident reviews [14].
M15. Control of mobile devices, image capture, and sharing channels.
  • Type: preventive.
  • Responsible party: Security Officer for classified information, or equivalent internal officer, in coordination with IT, HR, and the DPO, where applicable.
  • Preconditions: updated restricted areas policy; identification of authorised procedures and channels for technical documentation, and formal Sub-Registry or Control Post procedures for classified documentation, where applicable; definition of formally approved operational exceptions.
  • Evidence: revised internal policy; signage at the entrance to the mixed-use restricted technical room; briefing or acknowledgement records; record of authorised exceptions for the use of image or sound capture devices.
  • Acceptance criterion: 100% of employees with access to the restricted room confirm awareness of the prohibition on photographing, copying, or sharing documentation through unauthorised channels; sample-based audit confirms the absence of undocumented exceptions.
  • Controls: ISO/IEC 27002:2022 5.14—Information transfer, 6.3—Information security awareness, education and training, 7.6—Working in secure areas, and 8.12—Data leakage prevention [5]; NIST SP 800-53 Rev. 5, AC-19—Access Control for Mobile Devices and MP-7—Media Use [9].

7. Lessons Learned and Applicability

The case demonstrates that entry into a restricted area rarely results from an isolated failure. The sharing of the access card was the immediate event, but the incident became possible through the accumulation of organisational, technical, physical, and human weaknesses. In terms of physical security, it confirms the need to treat protection as an integrated system of people, procedures, and equipment [4].
The first lesson is that access control must be associated with the authorised person, and not merely with the physical object that enables entry. A transferable physical credential loses its capacity to prove the real identity of the holder. This interpretation is consistent with SEGNAC/GNS, insofar as access to classified material depends on security clearance where applicable, formal authorisation, and need-to-know; position, organisational membership, or material possession of a credential are not sufficient [1]. In areas containing classified documentation, removable media, sensitive technical documentation, or critical procedures, access should therefore depend on up-to-date permissions and authentication mechanisms proportionate to the risk. This requirement is also compatible with the logic of NIST SP 800-116 Rev. 1, which associates stronger physical authentication mechanisms with areas of higher criticality [13] (pp. 14–15).
The second lesson is that traceability must be prepared before the incident. Incomplete logs, absence of CCTV, and lack of alarms do not only impair detection; they also hinder the subsequent reconstruction of the facts. In the scenario analysed, the organisation can demonstrate that a card was used, but it cannot independently confirm who entered, how long the person remained, which documents were consulted, or whether there was any additional reproduction of the information. This limitation directly affects the chain of custody and accountability.
The third lesson is that concentrating incompatible functions in the same physical space increases risk. When a technical room also functions as a restricted document storage area, the access model tends to serve both purposes poorly. Technicians require operational access; classified documents require compartmentation, appropriate storage, and strict control. Document segregation and the securing of rooms and facilities are aligned with the physical controls of ISO/IEC 27002:2022, especially those relating to the protection of rooms, secure areas, and storage media [5].
The case also reveals recurring failure patterns: normalisation of informal shortcuts, excessive reliance on physical cards, insufficient review of permissions, weak reporting culture, incomplete onboarding, and insufficient auditable evidence. These patterns are relevant to organisations that combine technical teams, contracts with public entities, physical document storage areas, and access control systems with limited maturity. The CERT National Insider Threat Center frames this insider risk as a phenomenon that may result from both malicious and unintentional conduct [6].
The limitations of the case must be considered. The scenario is simulated and does not involve real classified information, real operational data, IP addresses, cryptographic keys, sensitive locations, or authentic documentation. The risk assessment is qualitative and depends on the available evidence, which is limited by the absence of CCTV, cabinet opening logs, and PACS alarms. For this reason, the analysis serves technical-operational prioritisation and does not replace a formal assessment by a competent authority or audit team with direct access to the site, contracts, systems, and original records.
The lessons from the case can be transferred to technical rooms, data centres, classified archives, communications rooms, cryptographic rooms, areas supporting segregated networks, and environments of technology service providers that work with sensitive or classified documentation. Applicability is greater where concentrated physical and documentary assets coexist with card-based access, traceability requirements, dependence on technical teams, and the risk of credential misuse.
Generalisation must respect the classification level, type of asset, maturity of the access control system, applicable legislation, and contractual model. Not all organisations will require the same measures, but the principles are transferable: individual authorisation, need-to-know, compartmentation, segregation of duties, training, appropriate storage, auditable logs, proportionate monitoring, incident response, and post-incident review. In this sense, post-incident review, with root cause identification and documented lessons learned, is consistent with ENISA guidance aimed at reducing the recurrence and consequences of future incidents [14] (p. 48).

8. Conclusion

The case demonstrates how the informal lending of an access card can transform an operational weakness into a security breach with confirmed compromise of documentation marked, for the purposes of the scenario, as RESERVADO (RESTRICTED) and CONFIDENCIAL (CONFIDENTIAL). The problem went beyond the individual conduct of those involved and resulted from the combination of organisational, technical, physical, and human failures: absence of an express prohibition on credential sharing, single-factor authentication, lack of monitoring, insufficiently reviewed permissions, an unlocked cabinet, and a response dependent on external reporting.
Containment of the incident requires access blocking, evidence preservation, physical inventory, and compromise assessment. Prevention of recurrence depends on formal rules, access permission review, strengthened authentication, proportionate monitoring, alarms, document segregation, appropriate storage, training, and a pre-defined response plan. These measures are appropriate to the risk because they restore the barriers that failed: individual authorisation, detection, delay, response, and accountability.
In the context of critical systems, these measures also contribute to strengthening operational assurance, continuity, accountability, and the controlled handling of sensitive technical documentation.
With the implementation and periodic verification of these controls, the organisation gains greater control over who accesses the room, under what conditions, with what authorisation, and with what evidentiary record. The expected result is protection that is more consistent with the need-to-know principle, better compliance with the classified information regime, greater traceability of the chain of custody, and stronger operational security in the handling of technical and sensitive documentation.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Data Availability Statement

The data presented in this simulated case study are contained within the article.

Conflicts of Interest

The author declares no conflict of interest.

References

  1. Gabinete Nacional de Segurança. Questões Sobre Informação Classificada; v. 4.2; Gabinete Nacional de Segurança: Lisboa, Portugal, 2024; Available online: https://www.gns.gov.pt/docs/questoes-sobre-informacao-classificada-2024-v42.pdf (accessed on 17 May 2026).
  2. Resolução do Conselho de Ministros n.º 50/88, de 3 de dezembro, alterada pela Resolução do Conselho de Ministros n.º 13/93, de 6 de março. In Instruções para a Segurança Nacional, Salvaguarda e Defesa das Matérias Classificadas—SEGNAC 1; Diário da República: Lisboa, Portugal, 1988; Available online: https://www.gns.gov.pt/docs/segnac1.pdf (accessed on 17 May 2026).
  3. Smith, C.L.; Brooks, D.J. Security Science: The Theory and Practice of Security; Butterworth-Heinemann: Oxford, UK, 2013. [Google Scholar]
  4. Garcia, M.L. The Design and Evaluation of Physical Protection Systems, 2nd ed.; Butterworth-Heinemann: Oxford, UK, 2008. [Google Scholar]
  5. ISO/IEC 27002:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Controls. 3rd ed. ISO: Geneva, Switzerland, 2022.
  6. CERT National Insider Threat Center. Common Sense Guide to Mitigating Insider Threats, 7th ed.; Software Engineering Institute, Carnegie Mellon University: Pittsburgh, PA, USA, 2022. [Google Scholar]
  7. ISO/IEC 27005:2022; Information Security, Cybersecurity and Privacy Protection—Guidance on Managing Information Security Risks, 4th ed. ISO: Geneva, Switzerland, 2022.
  8. Resolução do Conselho de Ministros n.º 37/89, de 24 de outubro. In Normas para a Segurança Nacional, Salvaguarda e Defesa das Matérias Classificadas, Segurança Industrial, Tecnológica e de Investigação—SEGNAC 2; Diário da República: Lisboa, Portugal, 1989; Available online: https://www.gns.gov.pt/docs/segnac2.pdf (accessed on 17 May 2026).
  9. Joint Task Force. Security and Privacy Controls for Information Systems and Organizations; NIST Special Publication 800-53, Rev. 5; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar] [CrossRef]
  10. Gigliotti, R.; Jason, R. Approaches to physical security. In Effective Physical Security, 5th ed.; Fennelly, L.J., Ed.; Butterworth-Heinemann: Oxford, UK, 2017; pp. 67–84. [Google Scholar]
  11. ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements, 3rd ed. ISO: Geneva, Switzerland, 2022.
  12. Centro Nacional de Cibersegurança. Guia para Gestão dos Riscos em Matérias de Segurança da Informação e Cibersegurança; v. 1.1; Centro Nacional de Cibersegurança: Lisboa, Portugal, 2022; Available online: https://www.cncs.gov.pt/docs/guia-de-gestao-dos-riscos11.pdf (accessed on 17 May 2026).
  13. Ferraiolo, H.; Mehta, K.; Ghadiali, N.; Mohler, J.; Johnson, V.; Brady, S. Guidelines for the Use of PIV Credentials in Facility Access; NIST Special Publication 800-116, Rev. 1; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2018. [Google Scholar] [CrossRef]
  14. Moulinos, K.; Theocharidou, M. Technical Implementation Guidance on Cybersecurity Risk-Management Measures: On Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 Laying Down Rules for the Application of NIS2 Directive as Regards Technical and Methodological Requirements of Cybersecurity Risk-Management Measures; Version 1.0; European Union Agency for Cybersecurity: Athens, Greece, 2025; Available online: https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance (accessed on 17 May 2026).
  15. Sinai, J. Access control systems and identification badges. In Effective Physical Security, 5th ed.; Fennelly, L.J., Ed.; Butterworth-Heinemann: Oxford, UK, 2017; pp. 255–264. [Google Scholar]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.
Prerpints.org logo

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.

Subscribe

© 2026 MDPI (Basel, Switzerland) unless otherwise stated

Accessibility

Disclaimer

Terms of Use

Privacy Policy

Privacy Settings