...


Title: Physical Security for IT Network Resources
Subject: Information Security
Policy No: ISO:2016:03
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Senior Director, Infrastructure Services
Date Adopted: 04/01/2016
Last Revision: 01/19/2024
Last Review: 04/11/2019

I. PURPOSE

...

  1. Designation of Secure Areas to Protect IT Resources - Areas within a building that house critical information technology services shall be designated as secure areas. Data centers, server rooms, and network closets are designated secure areas. 

  2. Dedicated Purpose - Secure areas should not be shared with or used for any function other than legitimate IRT Infrastructure Services resources. In those instances where a dedicated purpose is not feasible, a policy exception must be approved by the Chief Information Officer. 

  3. Physical Security Methods - Physical security methods should be used to control access to secure areas. These methods include, but are not limited to, locked doors, locked data cabinets, secured cage areas, vaults, ID cards, cameras, and biometrics. Security methods should be commensurate with the security risk. 

  4. Documented Provisioning Procedures - Processes and procedures for provisioning access to secure areas must be documented. 

    1. The Director of Facilities at each campus must establish, in coordination with the ISO, a standard process for review, approval, and provisioning of access to secured areas. 

    2. Information Technology Resource Managers must establish, in coordination with the ISO, a standard process for review, approval, and provisioning of access to secured areas. 

    3. The Information Security Office (ISO) must monitor compliance with established processes. 

  5. Least Privilege Access - The principle of least privilege must be followed when granting access to secure areas and facilities that contain secure areas. 

    1. Building access should be restricted to authorized personnel only (when applicable). 

    2. Personnel, including full- and part-time staff, contractors, and vendors, should be granted access only to facilities and systems that are necessary for the fulfillment of their job responsibilities. 

  6. Visitor Access - Individuals not regularly assigned to access secure areas are considered visitors. 

    1. Visitors must present identification to access secure areas. 

    2. Visitors accessing secure areas must be escorted and their activity must be monitored. 

    3. Visitor access records must be maintained by the member of the Standard Access group escorting the Non-Standard Access member accessing the physical space. Records should include name, organization, signature, date/time of access, and purpose of visit. Such inventories are subject to periodic ISO review. 

  7. Control of Physical Access Devices - Access cards, combinations, keypads, and keys must be secured against theft, loss, or damage. 

    1. Combinations should be changed when compromised, or when individuals with access are transferred or terminated. 

    2. Keys are a backup form of access to the designated physical space. Key/lock inventories should be set up by Facilities, and keys should be distributed to Public Safety, Network Services, and Facilities. Such inventories are subject to periodic ISO review. 

    3. Lost or stolen cards/keys must be reported to the ISO immediately. 

  8. Monitor Physical Access - Physical access to secure areas must be monitored to detect and respond to physical security incidents. 

    1. Automated mechanisms should be employed to monitor physical access to secure areas. 

    2. Physical access logs of secure areas should be reviewed on a monthly basis. 

    3. Removal of individuals who no longer require access must be done in a timely manner. 

    4. Results of access reviews must be coordinated with the ISO incident response team. 

  9. Environmental Controls - Environmental controls must be implemented to protect the University's investment in critical information technology resources. 

    1. Fire suppression and detection devices/systems must be installed and maintained. 

    2. Temperature and humidity controls must be installed and maintained. 

    3. When present, sprinkler systems should provide master shutoff or isolation valves. 

    4. Data centers must be supported by backup power generators that are properly installed and maintained.

...