Description

University information resource facilities must have appropriate physical access control systems/devices and safeguards at every entrance/exit based on risk management decisions.

Applicability

  • This Control applies to facilities that house information systems (e.g. data centers, server rooms or closets) considered mission critical and which require a higher level of security due to the nature of one of the following:

    ● type of equipment
    ● type of data the equipment stores

    Responsibility for ensuring physical security to information resources may be part of the job function for departmental staff who may include, but not be limited to, information technology staff, information resource custodians, facility coordinators, supervisors, managers and others.

Implementation

  • 1

    Unit Heads, or designees, are responsible for enforcing physical access authorizations to University information resource facilities by:

    • 1.1

      Verifying individual access authorizations before granting access to the facility;

    • 1.2

      Controlling physical access to the facility using unit-specified safeguards;

    • 1.3

      Maintaining physical access audit logs as appropriate based on the criticality of the information resources being protected;

    • 1.4

      Escorting and monitoring visitors in restricted areas within the information resource facility;

    • 1.5

      Securing and maintaining inventory of keys, combinations, and other physical access devices; and

    • 1.6

      Changing combinations and keys on a unit-approved schedule, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.