Policy 7.10 Physical and Environmental Security
SCOPE: FACULTY, STAFF, STUDENTS, AND GUESTS
1. POLICY STATEMENT
1.1. This policy establishes physical security requirements for mission critical information resources facilities and facilities containing critical telecommunications infrastructure, regardless of location.
1.2. This policy also establishes general physical security requirements for information resources.
2.1. The responsibility for securing departmentally administered computer facilities or equipment from unauthorized physical access ultimately rests with the designated owner and designated custodian of the facility or equipment.
2.2. Computers, workstations, mobile devices (e.g., tablets, portable storage devices, smart phones, etc.), communication switches, network components, and other devices outside the LIT data center shall receive the level of protection necessary to ensure the integrity and confidentiality of the institutional information accessible through them. The required protection may be achieved by physical or logical controls, or a combination thereof.
2.3. The creator of an authenticated work session (i.e., a session in which the user’s identity has been authenticated and authorization has been granted) is responsible for any activity that occurs while logged in under his or her account.
2.4. No authenticated work session shall be left unattended on any devices unless appropriate measures have been taken to prevent unauthorized use. Examples of appropriate measures include: activation of password-protected keyboard or device locking; automatic activation of a password-protected screensaver after a brief inactivity period (15 minutes or less, based upon risk assessment); or, location or placement of the device in a locked enclosure preventing access to the device by unauthorized parties.
2.5. Employees and information resources shall be protected from the environmental hazards posed by information resources facilities. Emergency procedures shall be developed, documented, and regularly tested in collaboration with the Facilities department.
3. MISSION CRITICAL INFORMATION RESOURCES FACILITIES
3.1. Physical access to mission critical information resources facilities shall be managed and documented by the facility’s custodian. The facilities must be protected by physical and environmental controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated within those facilities.
3.2. Physical security measures must be reviewed annually in conjunction with each facility’s risk assessment and whenever facilities or security procedures are significantly modified.
3.3. Physical access to mission critical information resources facilities administered by LIT Information Technology is restricted to individuals having prior authorization from the IRM or ISO.
3.4. Physical access to facilities containing critical telecommunications infrastructure is restricted to individuals having prior authorization from the IRM, ISO, or Facilities Director.
3.5. LIT Information Technology will maintain an access log for the LIT data center.
4. AUTHORITY AND RESPONSIBILITY
Questions related to this policy should be addressed to the IRM at email@example.com.