PHYSICAL SECURITY FOR IT RESOURCES POLICY

Title: Physical Security for IT Resources
Subject: Information Resources and Technology
Policy No: ISO:2016:02
Applies: University-wide
Issuing Authority: Information Security Office - Chief Information Security Officer
Responsible Officer: Vice President for Information Resources and Chief Information Officer
Date Adopted: 04-01-2016
Last Revision: 05-25-2016
Last Review: 05-25-2016

I. PURPOSE
The purpose for this policy is to outline physical security measures to safeguard all Rowan University information technology resources against unlawful and unauthorized physical intrusion, as well as fire, flood and other physical threats.

1. ACCOUNTABILITY

Under the direction of the President, the Chief Information Officer, IRT Director(s) and Departments, Schools and Business Units, the Information Security Office (ISO) shall implement and ensure compliance with this policy.

1. APPLICABILITY

This policy to all employees, as it addresses threats to critical IT resources that result from unauthorized access to facilities owned or leased by Rowan University, including facilities containing critical IT resources or sensitive information, data centers, network closets, and similar areas that are used to house such resources.

1. DEFINITIONS

1. Principle of Least Privileges: the practice of limiting access to the minimal level required for someone to perform their job responsibilities.

1. POLICY
2. Rowan University locations that include computers and other types of information technology resources must be safeguarded against unlawful and unauthorized physical intrusion, as well as fire, flood and other physical threats. This includes but is not limited to the use of; security doors, card access, external doors that are locked from closing until opening of the building, locked and/or barred windows, security cameras, registration of visitors at entrances, security guards, and fire protection. Information Security issues to be considered are:

• Unlawful access may be gained with the intent of theft, damage, or other disruption of operations.
• Unauthorized and illegal access may take place covertly (internal or external source) to steal, damage, or otherwise disrupt operations.
• Destruction or damage of physical space may occur due to environmental threats such as fire, flood, wind, etc.
• Loss of power may result in the loss of data, damage to equipment and disruption of operations.

1. All information resource facilities must be physically protected in proportion to the criticality or importance of their function. Physical access procedures must be documented, and access to such facilities must be controlled. Access lists must be reviewed at least semi-annual by the Information Security Office (ISO) or more frequently depending on the nature of the systems that are being protected.
2. Use of Secure Areas to Protect Data and Information

• Use physical methods to control access to information processing areas. These methods include, but are not limited to, locked doors, secured cage areas, vaults, ID cards, cameras, and biometrics.
• Restrict building access to authorized personnel only (when applicable).
• Identify areas within a building that should receive special protection and be designated as a secure area. An example would be a data center, server room, or network closet.
• Use entry controls.
• Security methods should be commensurate with security risk.
• Compliance with fire codes.
• Installation, use and maintenance of air handling, cooling, UPS and generator backup to protect the IT investment within the secure areas.

1. Physical Access Management to protect data and information

• Access to facilities that house critical IT infrastructure, systems and programs must follow the principle of least privilege access. Personnel, including full and part-time staff, contractors and vendors' staff should be granted access only to facilities and systems that are necessary for the fulfillment of their job responsibilities.
• Individuals may request access from the facility manager. Each facility manager must establish, in coordination with the ISO, a standard process for review, approval, and provisioning of access to secured areas. Where practical, this process must provide the ISO with the ability to monitor compliance with the established process.
• Access reviews must be conducted at least semi-annually, or more frequently depending on the nature of the systems that are being protected. Removal of individuals who no longer require access must then be completed in a timely manner.
• Access cards and keys must be appropriately protected, not shared or transferred and returned when no longer needed. Lost or stolen cards/keys must be reported to the Information Security Office (ISO) immediately.
• Security clearance for visitors. This could include, but is not limited to, a sign in book, employee escort within a secure area, ID check and ID badges for visitors.

1. Non-Compliance and Sanctions

• Violation of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes.

By Direction of the CIO:

__________________________________
Mira Lalovic-Hand,
VP and Chief Information Officer