Policy Statement

The purpose of this policy is to protect Information Systems and the Data stored and processed by them from physical hazards including theft, vandalism, inappropriate physical access and natural disasters.

Applicability

This policy applies to all university facilities where computing devices are used in the conduct of university business, and to all facilities in which servers and network or telecommunications equipment are installed and operated.

Definitions

  • Data Center: A dedicated facility in which multiple computer servers, network or telecommunications equipment are placed and operated. Data Centers have special purpose environmental, electrical, network and physical designs optimized for computing equipment.
  • Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.
  • Server Room: A facility in which computer servers, network or telecommunications equipment are placed and operated. Server Rooms typically rely upon general purpose environmental, electrical, and physical controls; server rooms may not be dedicated solely to computing equipment.
  • Telecommunication Facilities: Smaller facilities in which network or other communications cabling is run, organized and/or terminated. Telecommunications facilities may also house electronic equipment that interfaces with network or communications cabling. Telecommunications facilities include ‘network closets’, ‘telecommunications rooms’, and ‘fiber huts’.

Policy Specifics

  1. Data centers, server rooms and telecommunication facilities must be appropriately designed and managed to reasonably prevent physical intrusion and unauthorized access.
    1. Data centers, server rooms and telecommunication facilities must include locks and other features to reasonably prevent bypass of physical security measures.
    2. Authorized persons may be granted independent access to data centers, server rooms and telecommunication facilities. This authorization must be documented and periodically reviewed.
    3. Other persons may be granted temporary access to data centers, server rooms and telecommunication facilities. They must be identified, authorized, documented and monitored.
    4. Access to data centers, server rooms and telecommunication facilities is reviewed for unauthorized access based upon an assessment of risk.
    5. The delivery to and removal of information system components from data centers, server rooms and telecommunication facilities must be controlled and documented.
  2. Measures must be taken to minimize the effects on personnel and information system components in data centers, server rooms and telecommunication facilities from reasonably anticipated hazards. Workplaces must be appropriately secured to prevent theft or damage of end-user computing devices.
    1. Access to workplaces should be limited to only authorized persons.
    2. Access to output devices (such as displays and printers) must be controlled to prevent unauthorized users from viewing or obtaining output containing Restricted Data.
    3. Computing devices must be positioned to minimize damage from physical and environmental hazards.

Review and Adjudication

  1. All members of the University Constituency are responsible for maintaining the security of their workplaces. Violations of workplace security must be promptly reported, following unit procedures.
  2. Information Security Administrators (ISAs) are responsible for unit procedures for the protection of workplaces and computing devices.
  3. Information Security Administrators (ISAs) are responsible for ensuring that appropriate facilities are available to install and operate servers, network and telecommunication equipment.
  4. Information Security Managers (ISMs) are responsible for procedures and documentation to secure data centers, server rooms and telecommunication facilities.

Policy Violations

Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.

History

Revision Date  Description
February 6, 2020  Policy originally adopted
  Policy updated