OUHSC Information Technology Department



Facility Security Policy

Supporting documents: Full policy (PDF), Facility Security Plan Standard (PDF)

The University must establish procedures to protect Sensitive Information System Resources and Data from unauthorized physical access, tampering, and theft.

The University must protect the confidentiality, integrity, and availability of its Information Systems by preventing unauthorized physical access to, tampering with, and theft of these systems and the facilities in which they are located, while ensuring that properly authorized access is allowed.

Information System Resources containing Sensitive Data must be physically located in areas where unauthorized access is minimized.  The perimeter of a building or site containing Information Systems with Sensitive Data must be physically sound; the external walls of the site should be solidly constructed and all external doors must have appropriate protections against unauthorized access.

The level of protection provided for Information Systems containing Sensitive Data must be commensurate with identified risks and aligned with the classification of the Information System Resources involved.  An annual assessment of risks to the facilities housing Information Systems with Sensitive Data must be performed.

An annual inventory of all physical access controls used to protect Information System Resources containing Sensitive Data, and the facilities that house them, must be performed.  All security-related repairs and modifications to the physical components of those facilities must be documented, and this documentation must be stored in a secure manner.

All physical access rights to areas where Information System Resources containing Sensitive Data are maintained must be clearly defined and documented.  Such rights must be granted only to University workforce members who need the specific access to accomplish the responsibilities of their positions, and must be regularly reviewed and revised as necessary.

All workforce members must visibly wear the organization's employee identification.  Employees should be encouraged to report unescorted strangers or anyone not wearing visible identification.  All visitors requiring access to the facility must show proper identification and sign in before being granted physical access to areas where Information System Resources containing Sensitive Data are located.

The University must maintain, regularly review and revise a formal, documented facility security plan in accordance with the Facility Security Plan Standard.

Facility Security Plan Standard:

The facility security plan must include appropriate safeguards for all equipment containing Sensitive Data.  Such equipment includes, but is not limited to: workstations, servers, portable computing devices, and biomedical devices (e.g., MRI scanners).

The facility security plan must be based on a risk assessment, conducted at least annually, that assesses the risks to the facilities and the Information Systems Resources contained within.

At a minimum, the University facility security plan must address the following:

  • Identification of Information System Resources to be protected from unauthorized physical access, tampering, and theft.
  • Identification of processes and controls used to protect Information System Resources from unauthorized physical access, tampering, and theft.
  • Actions to be taken if unauthorized physical access, tampering, or theft attempts are made against Information System Resources.
  • Identification and definition of workforce member responsibilities.
  • Notification and reporting procedures.
  • A maintenance schedule that specifies how and when the plan will be tested, as well as the process for maintaining the plan.

All appropriate workforce members must have a current copy of the plan.  An appropriate number of current copies of the plan must be maintained off-site.