Description

The granting, controlling and monitoring of physical access to information resource facilities is extremely important to an overall security program. The purpose of the Texas A&M University information resources physical security procedure is to establish the processes to grant, control, monitor and remove physical access to information resource facilities.

Applicability

  • This Control applies to facilities that house information resources (i.e. data centers) considered high or moderate impact and which require a higher level of security due to the nature of one of the following:

    • type of equipment

    • type of data the equipment stores

  • Responsibility for ensuring the physical security of information resources may be part of the job function for departmental staff who may include, but not be limited to, information technology staff, information resource custodians, supervisors, managers and others.

Implementation

  • 1 Physical Security and Access

    • 1.1 All information resource facilities shall be physically protected in proportion to the criticality or importance of their function at the university.

    • 1.2 All physical security systems shall comply with applicable regulations such as, but not limited to, building codes and fire prevention codes.

    • 1.3 Facilities users should receive information regarding appropriate physical security practices and emergency procedures.

    • 1.4 If signage for restricted access rooms or locations is required, it must be practical and display minimal discernible evidence of the importance of the facility.

    • 1.5 Access cards and/or keys must not identify the location or purpose of the information resource facility.

    • 1.6 Security access codes, or access cards, may only be provided to others with appropriate authorization.

    • 1.7 Keys to information resource facilities may only be provided to others with authorization from the facility’s owner or designee.

    • 1.8 Access to information resource facilities shall be granted only to unit personnel, vendors, or other authorized personnel whose job responsibilities require access to that facility.

    • 1.9 Visitors must be escorted in restricted access areas in information resource facilities.

    • 1.10 Appropriate unit personnel responsible for the physical security of information resources shall review access rights for the facility on a periodic basis and revoke access for individuals who no longer require such access.

    • 1.11 Access cards or door keys must not be directly transferred to another individual, because doing so would circumvent the return procedure.

  • 2 Documenting Access

    • 2.1 Physical access procedures to all information resource facilities shall be documented and managed.

      • 2.1.1 Physical access records shall be maintained as appropriate for the criticality of the information resources being protected. Such records shall be reviewed as needed by organizational unit heads or their designees.

      • 2.1.2 There shall be an approval and documentation process to grant, revoke, or return security access codes, access cards and/or door keys that provide access to information resource facilities.

      • 2.1.3 Individuals who are granted access rights to an information resource facility must sign appropriate access agreements.