
ROWAN UNIVERSITY POLICY


Title: Physical Security for IT Network Resources
Subject: Information Security
Policy No: ISO:2016:03
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Senior Director, Infrastructure Services
Date Adopted: 04/01/2016
Last Revision: 04/11/2019
Last Review: 04/11/2019

I.  PURPOSE

The purpose for this policy is to outline physical security measures to safeguard all Rowan University information technology network resources against unlawful and unauthorized physical intrusion, as well as

...

II.  ACCOUNTABILITY

Under the direction of the President, the Chief Information Officer, IRT Director(s) and Departments, Schools and Business Units, the Information Security Office (ISO) shall implement and ensure compliance with this policy.

III.  APPLICABILITY

This policy applies to all employees, as it addresses threats to critical IT resources that result from unauthorized access to facilities owned or leased by Rowan University, including facilities containing critical IT resources or sensitive information, data centers, network closets, and similar areas that are used to house such resources.

IV.  DEFINITIONS

Principle of Least Privileges: the practice of limiting access to the minimal level required for someone to perform their job responsibilities.

V.  POLICY

...

environmental (e.g. fire, flood) and other physical threats. Information Security issues considered include:

  • Unlawful access may be gained with the intent of theft, damage, or other disruption of operations.
  • Unauthorized and illegal access may take place covertly (internal or external source) to steal, damage, or otherwise disrupt operations.
  • Destruction or damage of physical space may occur due to environmental threats such as fire, flood, wind, etc.

...

  • Loss of power may result in the loss of data, damage to equipment and disruption of operations.

II. ACCOUNTABILITY

Under the direction of the President, the Chief Information Officer and the Director of Information Security shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas.

III. APPLICABILITY

This policy applies to all members of the Rowan Community.

IV. DEFINITIONS

Refer to Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.

V. POLICY

  1. Designation of Secure Areas to Protect IT Resources - Areas within a building that house critical information technology services shall be designated as secure areas. Data centers, server rooms, and network closets are designated secure areas. 
  2. Dedicated Purpose - Secure areas should not be shared with or used with any function other than legitimate IT resources. In those instances where a dedicated purpose is not feasible, a policy exception must be approved by the Chief Information Officer. 
  3. Physical Security Methods - Physical security methods should be used to control access to secure
  4. All information resource facilities must be physically protected in proportion to the criticality or importance of their function. Physical access procedures must be documented, and access to such facilities must be controlled. Access lists must be reviewed at least semi-annually by the Information Security Office (ISO) or more frequently depending on the nature of the systems that are being protected.
  5. Use of Secure Areas to Protect Data and Information - Use physical methods to control access to information processing areas. These methods include, but are not limited to, locked doors, locked data cabinets, secured cage areas, vaults, ID cards, cameras, and biometrics. Restrict building access to authorized personnel only (when applicable).
  6. Identify areas within a building that should receive special protection and be designated as a secure area. An example would be a data center, server room, or network closet.
  7. Use entry controls.
  8. Security methods should be commensurate with the security risk.
  9. Compliance with fire codes.
  10. Installation, use and maintenance of air handling, cooling, UPS and generator backup to protect the IT investment within the secure areas.
  11. Physical Access Management to protect data and information 
  12. Documented Provisioning Procedures - Processes and procedures for provisioning access to secure areas must be documented. 
    1. The Director of Facilities at each campus must establish, in coordination with the ISO, a standard process for review, approval, and provisioning of access to secured areas. 
    2. Information Technology Resource Managers must establish, in coordination with the ISO, a standard process for review, approval, and provisioning of access to secured areas. 
    3. The Information Security Office (ISO) must monitor compliance with established processes. 
  13. Least Privilege Access - The principle of least privilege must be followed when granting access to secure areas and facilities that contain secure areas. Access to facilities that house critical IT infrastructure, systems and programs must follow the principle of least privilege access.
    1. Building access should be restricted to authorized personnel only (when applicable). 
    2. Personnel, including full and part-time staff, contractors and vendors' staff, should be granted access only to facilities and systems that are necessary for the fulfillment of their job responsibilities. 
  14. Individuals may request access from the facility manager. Each facility manager must establish, in coordination with the ISO, a standard process for review, approval, and provisioning of access to secured areas. Where practical, this process must provide the ISO with the ability to monitor compliance with the established process.
  15. Visitor Access - Individuals not regularly assigned to access secure areas are considered visitors. 
    1. Visitors must present identification to access secure areas. 
    2. Visitors accessing secure areas must be escorted and their activity must be monitored. 
    3. Visitor access records must be maintained by the member of the Standard Access group escorting the Non-Standard Access member accessing the physical space. Records should include name, organization, signature, date/time of access and purpose of visit. Such inventories are subject to periodic ISO review. 
  16. Control of Physical Access Devices - Access cards, combinations, keypads, and keys must be secured against theft, loss, or damage. 
    1. Combinations should be changed when compromised, or when individuals with access are transferred or terminated. 
    2. Keys are a backup form of access to the designated physical space. Key/Lock inventories should be set up by Facilities and keys should be distributed to Public Safety, Network Services and Facilities. Such inventories are subject to periodic ISO review. 
    3. Lost or stolen cards/keys must be reported to the ISO immediately. 
  17. Monitor Physical Access - Physical access to secure areas must be monitored to detect and respond to physical security incidents. Access reviews must be conducted at least semi-annually, or more frequently depending on the nature of the systems that are being protected.
    1. Automated mechanisms should be employed to monitor physical access to secure areas. 
    2. Physical access logs of secure areas should be reviewed on a monthly basis. 
    3. Removal of individuals who no longer require access must be completed in a timely manner.
  18. Access cards and keys must be appropriately protected, not shared or transferred and returned when no longer needed. Lost or stolen cards/keys must be reported to the Information Security Office (ISO) immediately.
  19. Security clearance for visitors. This could include, but is not limited to, a sign in book, employee escort within a secure area, ID check and ID badges for visitors.
  20. Non-Compliance and Sanctions - Violation
    1. Results of access reviews must be coordinated with the ISO incident response team. 
  21. Environmental Controls - Environmental controls must be implemented to protect the University's investment in critical information technology resources. 
    1. Fire suppression and detection devices/systems must be installed and maintained. 
    2. Temperature and humidity controls must be installed and maintained. 
    3. When present, sprinkler systems should provide master shutoff or isolation valves. 
    4. Data centers must be supported by backup power generators that are properly installed and maintained.

VI. POLICY COMPLIANCE

Violations of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, subject to applicable collective bargaining agreements and may subject the violator to penalties stipulated in applicable state and federal statutes. Sanctions shall be applied consistently to all violators regardless of job titles or level in the organization per the Acceptable Use Policy.


By Direction of the CIO:

Mira Lalovic-Hand,
SVP and Chief Information Officer