The University Policy Manual

Physical Access to Information Technology Resources

The University of North Carolina at Greensboro

  • (Approved by the Chancellor, September 23, 2013)

Purpose

The University of North Carolina at Greensboro’s (hereinafter "University") computing and telecommunication networks, computing equipment and computing resources are owned by the University and are provided to support the academic and administrative functions of the University. Federal and state law, and University policies and procedures govern the use of this equipment and technologies.

Information technology resources and access to those resources are required to comply with known federal and state data protection or disclosure standards (which include HIPAA[1], FERPA[2], NC IDPA[3], FISMA[4] and other regulations), as well as the University Information Security Policy, and Information Security Management Standards and procedures. University Information Security Management Standards require physical and environmental security measures consistent with the International Organization for Standardization’s ISO/IEC 27002 Code of Practice for information security management.

Scope

This policy applies to all faculty, staff, students, contracted vendors and other parties who require access to all university communications duct banks, telecommunications closets, network distribution facilities, and data centers (hereinafter "secure areas") in construction and operations funded by all State, Fee, Auxiliary, and Foundation sources. These facilities are designated ISO 27002 information technology (IT) Secure Areas as described in ISO/IEC 27002 Code of Practice. The managing unit for IT Secure Areas is Information Technology Services.

IT Secure Areas include, but may not be limited to:

  1. IT equipment only spaces such as unshared telecom closets and data centers (the room is the IT Secure Area)
  2. Shared telecom closets that contain IT and other non-IT equipment such as electrical panels, fire alarms, etc. (the room is the IT Secure Area)
  3. Locking cabinets or cages containing IT equipment in shared spaces (the cabinet or cage is the IT Secure Area)

In all cases, IT Secure Areas should be occupied by IT equipment only. Facilities Design and Construction and Information Technology Services have developed design and construction standards that prevent creation of new shared IT Secure Area space for all new construction and renovation projects, without the written approval of the VC for Information Technology Services. However, some existing IT Secure Areas have historically been and continue to be shared because no reasonable remediation path exists to isolate the IT equipment. Existing shared IT Secure Areas are covered by this policy.

Policy

  1. IT Secure Areas must be isolated in dedicated (non-shared) access-controlled space.[5] At no time shall any individual access IT Secure Areas or place equipment or wiring in any IT Secure Area without written approval from the Vice Chancellor for Information Technology Services.
  2. Access to IT Secure Areas will be controlled and restricted to only authorized ITS and non-ITS personnel[6] who require ongoing access to IT Secure Areas. Authorized ITS and non-ITS personnel are identified and maintained by the Vice Chancellor for Information Technology Services (ITS) and/or his designee(s). A Master Access List for IT Secure Areas (a list of ITS and non-ITS personnel who require ongoing access to IT Secure Areas) will be developed and reviewed in July and January of each year by the Vice Chancellor of ITS and/or his designee(s), the Associate Vice Chancellor of Facilities, and the Director of the SpartanCard Center.
  3. Physical access to IT Secure Areas for non-authorized personnel will be granted on a case-by-case basis by the Vice Chancellor for Information Technology Services and/or his designee(s) when a clear University business need merits exception.
  4. Police, fire and other emergency responders may enter IT Secure Areas to respond to incidents that threaten public safety, health and welfare as needed without prior authorization.
  5. All physical access to IT Secure Areas by non-authorized personnel must be logged for entry time, exit time, purpose, and workforce member who allowed (enabled) the IT Secure Area entry. Non-authorized personnel who have been granted temporary access by exception must always be escorted by authorized personnel when in an IT Secure Area covered by this policy. Access by police, fire and other emergency responders must be logged for entry time, exit time and purpose after the causative incident has been fully resolved.
  6. Access authorization is granted based on the principle of least privilege and follows the "minimum necessary" standard by which users are given the minimum amount of access necessary to perform their job functions. Access lists are subject to regular review (at a maximum interval of 6 months) to ensure that IT Secure Area access is limited to only those with a business need for physical access to the IT Secure Area.
  7. Physical access controls for all building interior IT Secure Areas (telecommunications closets, network distribution facilities, and data centers) will include one or more of the following: multi-factor authentication, key-card access, biometric access controls, or limited access key. Access will be logged and audited at least every six months, and an audit trail of all access will be maintained.
  8. Environmental controls must be in place for all building interior IT Secure Areas covered under this policy. Reasonable attempts must be made to implement protections against power outages, fire, water damage, temperature extremes, and other environmental hazards.

Enforcement

Any violation of this policy by faculty and staff is "misconduct" under EPA policies (faculty and EPA non-faculty) and "unacceptable personal conduct" under SPA policies, including any appeal rights stated therein. Any violation of this policy by students is subject to the Student Code of Conduct. Violations of law may also be referred for criminal or civil prosecution.

This policy is carried out by Information Technology Services. Failure of the University to carry out this policy effectively could result in audit findings that could endanger its designation as a Special Responsibility Constituent Institution (SRCI) and loss of budget flexibility.

Review

Information Technology Services will review the policy annually.

Links to Related University Policies

Contact

Comments or questions? Email the Policy Administrator.


Footnotes:

  1. Public Law 104 - 191 - Health Insurance Portability and Accountability Act of 1996
  2. Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
  3. Article 2A. Identity Theft Protection Act. § 75‑60
  4. Federal Information Security Management Act (FISMA)
  5. The exceptions are existing shared IT Secure Areas that remain because no suitable remediation path exists for isolating the IT equipment.
  6. Non-ITS authorized personnel may include staff members from Facilities, SpartanCard Center, HRL, University Police and other departments that require ongoing access in specific locations in order to perform job functions.