Purpose

The purpose of this policy is to protect Information Systems and the Data stored and processed by them from physical hazards including theft, vandalism, inappropriate physical access and natural disasters. 

Scope

This policy applies to all university facilities where computing devices are used in the conduct of university business, and to all facilities in which servers and network or telecommunications equipment are installed and operated. 

Policy

  1. Data centers, server rooms and telecommunication facilities must be appropriately designed and managed to reasonably prevent physical intrusion and unauthorized access.
    a. Data centers, server rooms and telecommunication facilities must include locks and other features to reasonably prevent bypass of physical security measures.
    b. Authorized persons may be granted independent access to data centers, server rooms and telecommunication facilities. This authorization must be documented and periodically reviewed.
    c. Other persons may be granted temporary access to data centers, server rooms and telecommunication facilities. They must be identified, authorized, documented and monitored.
    d. Access to data centers, server rooms and telecommunication facilities is reviewed for unauthorized access based upon an assessment of risk.
    e. The delivery to and removal of information system components from data centers, server rooms and telecommunication facilities must be controlled and documented.
  2. Measures must be taken to minimize the effects on personnel and information system components in data centers, server rooms and telecommunication facilities from reasonably anticipated hazards. Workplaces must be appropriately secured to prevent theft or damage of end-user computing devices.
    a. Access to workplaces should be limited to only authorized persons.
    b. Access to output devices (such as displays and printers) must be controlled to prevent unauthorized users from viewing or obtaining output containing Restricted Data.
    c. Computing devices must be positioned to minimize damage from physical and environmental hazards.

Responsibilities

  1. All members of the University Constituency are responsible for maintaining the security of their workplaces. Violations of workplace security must be promptly reported, following unit procedures. 
  2. Information Security Administrators (ISAs) are responsible for unit procedures for the protection of workplaces and computing devices.
  3. Information Security Administrators (ISAs) are responsible for ensuring that appropriate facilities are available to install and operate servers, network and telecommunication equipment.
  4. Information Security Managers (ISMs) are responsible for procedures and documentation to secure data centers, server rooms and telecommunication facilities. 

Authority

UF-1.0102: Policies on Information Technology and Security  

Effective date

February 6, 2020  

References

NIST 800-53 revision 3: AC-18, AC-18 (2), SC-7, PE-2, PE-3, PE-5, PE-6, PE-7, PE-8, PE-12, PE-13, PE-14, PE-15, PE-16, PE-17, PE-18