Policy Number: 12-022
Physical Security of Information Technology
Category: Information Technology
Responsible Executive: Vice President and Chief Information Officer
Responsible Office: Vice President and Chief Information Officer
- Purpose
The purpose of this policy is to protect Information Systems and the Data stored and processed by them from physical hazards including theft, vandalism, inappropriate physical access and natural disasters.
- Applicability
This policy applies to all university facilities where computing devices are used in the conduct of university business, and to all facilities in which servers and network or telecommunications equipment are installed and operated.
- Definitions
Data Center: A dedicated facility in which multiple computer servers, network or telecommunications equipment are placed and operated. Data Centers have special purpose environmental, electrical, network and physical designs optimized for computing equipment.
Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.
Server Room: A facility in which computer servers, network or telecommunications equipment are placed and operated. Server Rooms typically rely upon general purpose environmental, electrical, and physical controls; server rooms may not be dedicated solely to computing equipment.
Telecommunication Facilities: Smaller facilities in which network or other communications cabling is run, organized and/or terminated. Telecommunications facilities may also house electronic equipment that interfaces with network or communications cabling. Telecommunications facilities include ‘network closets’, ‘telecommunications rooms’, and ‘fiber huts’.
- Policy Statement
- Data centers, server rooms and telecommunication facilities must be appropriately designed and managed to reasonably prevent physical intrusion and unauthorized access.
- Data centers, server rooms and telecommunication facilities must include locks and other features to reasonably prevent bypass of physical security measures.
- Authorized persons may be granted independent access to data centers, server rooms and telecommunication facilities. This authorization must be documented and periodically reviewed.
- Other persons may be granted temporary access to data centers, server rooms and telecommunication facilities. They must be identified, authorized, documented and monitored.
- Access to data centers, server rooms and telecommunication facilities is reviewed for unauthorized access based upon an assessment of risk.
- The delivery to and removal of information system components from data centers, server rooms and telecommunication facilities must be controlled and documented.
- Measures must be taken to minimize the effects to personnel and information system components in data centers, server rooms and telecommunication facilities from reasonably anticipated hazards.
- Workplaces must be appropriately secured to prevent theft or damage of end-user computing devices.
- Access to workplaces should be limited to only authorized persons.
- Access to output devices (such as displays and printers) must be controlled to prevent unauthorized users from viewing or obtaining output containing Restricted Data.
- Computing devices must be positioned to minimize damages from physical and environmental hazards.
Additional Resources
History
Revision Date | Description |
---|---|
February 6, 2020 | Policy originally adopted |
Policy updated |