IT Facilities Security Standard
Date of Current Revision or Creation: January 1, 2023
The purpose of an Information Technology Standard is to specify requirements for compliance with University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this compliance standard is to establish the requirements for safeguarding the physical facilities that house information technology equipment, systems, services, and personnel.
Definitions
An IT Facility is a static, mobile or portable facility (or facilities) or a location that contains University information technology equipment, systems, services, and personnel.
Standards Statement
The University implements physical security practices to prevent unauthorized physical access, damage and interference to the institution's premises and information. The protection provided should be commensurate with the identified risks.
Site Security
- Security perimeters of IT sites are clearly defined and controls depend on the requirements of the asset and the results of a risk assessment.
- The perimeters of the site should be physically sound and of solid construction.
- Doors should be suitably protected against unauthorized access with suitable control mechanisms.
- Physical security for offices, rooms and other facilities should consider all relevant health and safety standards.
- Where applicable, sites should be unobtrusive and give minimum indication of their purpose.
Environmental Controls
- Physical barriers should provide environmental protection.
- Electric power, heating, fire suppression, ventilation, air-conditioning, and air purification are to be installed, as required by the IT systems and data.
- All fire doors are to be alarmed, monitored and tested in compliance with fire safety regulations.
Physical Access Controls
- Access to sites should be restricted to authorized personnel only.
- Physical access to essential computer hardware, wiring, displays, and networks is to be restricted according to the principle of least privilege, where feasible.
- A system of monitoring and auditing physical access to sensitive IT systems is provided.
- The Information Security Officer (ISO) is to periodically review the list of persons allowed physical access to sensitive IT systems.
Working in Secure Areas
- Guidelines for working in secure areas should include controls for employees, contractors and third party users.
- Personnel should only be aware of activities on a need-to-know basis.
- Unsupervised working in secure areas should be avoided for safety reasons and to prevent opportunities for malicious activities.
- Vacant areas should be physically locked and periodically checked.
- Audio and video equipment is not allowed in secure areas without the authorization of the Information Security Officer.
Public Access, Delivery and Loading Areas
- Access points for deliveries and loading are to be controlled for unauthorized access.
- Incoming material should be inspected for potential threats before being moved to the point of use and handled in accordance with asset management procedures.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University IT Policies
- IT Policies and Standards
History
Date | Responsible Party | Action
--- | --- | ---
October 2008 | ITAC/CIO | Created
October 2009 | ITAC/CIO | Reaffirmed
October 2010 | ITAC/CIO | Reaffirmed
October 2011 | ITAC/CIO | Reaffirmed
March 2012 | ITAC/CIO | Revised for working in secure areas and public access and delivery
December 2012 | IT Policy Office | Numbering revision
December 2016 | IT Policy Office | Reviewed, no changes
September 2019 | IT Policy Office | Reviewed, no changes
January 2023 | IT Policy Office | Reviewed, no changes