Information technology (IT) resources and access to those resources are required to comply with known federal and state data protection or disclosure standards as well as the University Information Security Policy. This policy specifies the minimum guidelines and requirements for physical and environmental security measures for IT Secure Areas.
This policy applies to all faculty, staff, students, contracted vendors and other parties who require access to University IT Secure Areas.
3. Definitions and Roles and Responsibilities
3.1.1 IT Secure Areas:
Any University communications duct bank, telecommunications closet, network distribution facility, data center, or space that contains IT equipment. Examples of IT Secure Areas include, but may not be limited to:
- Unshared telecommunications closets that contain only IT equipment
- Shared telecommunications closets that contain IT equipment and other non-IT equipment, such as electrical panels, fire alarms, door control devices, etc.
- Locking cabinets or cages containing IT equipment in shared spaces (the cabinet or cage is the IT Secure Area)
3.1.2 Master Access List (MAL):
The list of personnel who are authorized to enter IT Secure Areas.
3.2 Roles and Responsibilities
3.2.1 Chief Information Security Officer
is responsible for providing interpretation of this and other related policies and disseminating related information.
3.2.2 Information Technology Services
is responsible as the managing unit for IT Secure Areas.
3.2.3 Staff, Faculty, and students who are authorized to enter IT Secure Areas
are responsible for the application of this and related policies to the systems, information, and other information resources in their care.
3.2.4 Application Administrators of the University’s electronic access control systems
are responsible for the application of this and related policies to the systems, information, and other information resources that process, store, or transmit University data.
3.2.5 Third-party Affiliates with access to University Facilities, including IT Secure Areas
are expected to abide by the University’s information security and privacy policies.
4.1 Physical Characteristics of IT Secure Areas
- New or renovated IT Secure Areas must be isolated in dedicated (non-shared) access-controlled space.
- Physical access controls for IT Secure Areas will include one or more of the following: multi-factor authentication, key-card access, biometric access controls, or limited access key.
- Environmental controls must be in place for IT Secure Areas. Reasonable attempts must be made to implement protections against power outages, fire, water damage, temperature extremes, and other environmental hazards.
- The University recognizes that some pre-existing IT Secure Areas do not meet these criteria because no reasonable remediation path exists to isolate the IT equipment or to accommodate electronic access control equipment. Deviations from physical and environmental controls identified in the University Design and Construction Guidelines for new or renovated IT Secure Areas require written approval.
- At no time shall any individual access IT Secure Areas or place equipment or wiring in any IT Secure Area without written approval.
- Access to IT Secure Areas will be controlled and restricted to authorized personnel who require ongoing access. Authorization for access is granted based on the principle of least privilege and follows the “minimum necessary” standard by which users are given the minimum amount of access necessary to perform their job functions.
- Information Technology Services will maintain the Master Access List (MAL) of personnel who are authorized to enter IT Secure Areas. Only named individuals on the MAL can obtain keys, key cards, fobs, or other credentials that enable physical entry to IT Secure Areas.
- Access lists are subject to regular review (at a maximum interval of 6 months) to ensure that IT Secure Area access is limited to only those with a business need for physical access to the IT Secure Area.
- Physical access to IT Secure Areas for non-authorized personnel or visitors will be granted on a case-by-case basis by the Vice Chancellor for Information Technology Services and/or designee(s) when a clear University business need merits exception. Non-authorized personnel who have been granted temporary access by exception must be escorted by authorized personnel.
- Police, fire, and other emergency responders may enter IT Secure Areas to respond to incidents that threaten public safety, health, and welfare as needed without prior authorization.
- Access to IT Secure Areas will be logged, and an audit trail of all access will be maintained.
- Access to IT Secure Areas by non-authorized personnel or visitors must be logged for entry time, exit time, purpose, and workforce member who allowed (enabled) the entry.
- Access by police, fire, and other emergency responders must be logged for entry time, exit time, and purpose after the causative incident has been fully resolved.
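The access-list review and access-logging rules above can be checked mechanically. The following is an added example, not part of the policy text: it models a Master Access List and an access log with the fields the policy names (entry time, exit time, purpose, and the workforce member who enabled the entry), flags MAL entries whose review is older than the 6-month maximum, and flags log records that are missing required fields or that show a visitor without an authorized escort. The record layouts, function names and sample data are constructed for illustration; a real deployment would read them from the electronic access control system.

```python
"""Compliance checks for IT Secure Area access records (added example).

The record layouts, the sample Master Access List (MAL) and the sample
access log below are constructed for illustration only.
"""
import calendar
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Policy: access lists are reviewed at a maximum interval of 6 months.
MAX_REVIEW_INTERVAL_MONTHS = 6


@dataclass
class MalEntry:
    """One named individual on the Master Access List."""
    name: str
    last_reviewed: date


@dataclass
class AccessRecord:
    """One physical-entry event for an IT Secure Area."""
    person: str
    area: str
    entry_time: Optional[datetime]
    exit_time: Optional[datetime] = None
    purpose: str = ""
    enabled_by: str = ""            # workforce member who allowed the entry
    emergency_responder: bool = False


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the month length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def overdue_mal_reviews(mal: List[MalEntry], as_of: date) -> List[str]:
    """Names whose last access review is older than the 6-month maximum."""
    return [e.name for e in mal
            if add_months(e.last_reviewed, MAX_REVIEW_INTERVAL_MONTHS) < as_of]


def audit_access_log(records: List[AccessRecord], mal: List[MalEntry]) -> List[str]:
    """Return one finding per logging rule a record fails.

    - every access needs an entry time (the audit trail);
    - visitors (not on the MAL) also need exit time, purpose and the
      workforce member who enabled the entry, and that enabler must be
      authorized (on the MAL);
    - emergency responders need exit time and purpose but no enabler.
    """
    authorized = {e.name for e in mal}
    findings = []
    for r in records:
        tag = f"{r.area}: {r.person}"
        if r.entry_time is None:
            findings.append(f"{tag}: missing entry time")
            continue
        if r.person in authorized and not r.emergency_responder:
            continue                    # ongoing authorized access: entry logged
        if r.exit_time is None:
            findings.append(f"{tag}: missing exit time")
        if not r.purpose:
            findings.append(f"{tag}: missing purpose")
        if r.emergency_responder:
            continue                    # no prior authorization or escort needed
        if not r.enabled_by:
            findings.append(f"{tag}: visitor without escort/enabler")
        elif r.enabled_by not in authorized:
            findings.append(f"{tag}: enabler {r.enabled_by!r} not on MAL")
    return findings


# Constructed sample data (not real names, areas or dates).
SAMPLE_MAL = [
    MalEntry("A. Admin", date(2024, 1, 15)),
    MalEntry("B. Tech", date(2023, 5, 1)),      # review older than 6 months
]
SAMPLE_LOG = [
    AccessRecord("A. Admin", "TC-101", datetime(2024, 3, 1, 9, 0)),
    AccessRecord("Vendor V", "TC-101", datetime(2024, 3, 1, 10, 0),
                 datetime(2024, 3, 1, 11, 30), "UPS maintenance", "A. Admin"),
    AccessRecord("Vendor W", "DC-1", datetime(2024, 3, 1, 13, 0)),
    AccessRecord("Fire Dept", "DC-1", datetime(2024, 3, 2, 2, 10),
                 datetime(2024, 3, 2, 2, 40), "alarm response",
                 emergency_responder=True),
    AccessRecord("Vendor X", "TC-102", datetime(2024, 3, 2, 8, 0),
                 datetime(2024, 3, 2, 9, 0), "cabling", "Nobody"),
]


def run_checks(as_of: date = date(2024, 3, 1)) -> Tuple[List[str], List[str]]:
    """Run both checks over the sample data and return (overdue, findings)."""
    return overdue_mal_reviews(SAMPLE_MAL, as_of), audit_access_log(SAMPLE_LOG, SAMPLE_MAL)


if __name__ == "__main__":
    overdue, findings = run_checks()
    print("MAL entries overdue for review:", overdue)
    for f in findings:
        print("FINDING:", f)
```

Running the block reports B. Tech as overdue for review, three findings for Vendor W (no exit time, no purpose, no escort) and one for Vendor X (escort not on the MAL); the authorized entry and the emergency-responder entry produce none. The escort check is the one most often missed when a log only records who opened the door, so it is worth keeping even where the access control system already enforces badge ownership.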
5. Compliance and Enforcement
Information Technology Services (ITS), in cooperation with other University authorities and administrators, will enforce this Policy, and establish standards, procedures, and protocols in support of the policy.
Any violation of this policy by a University student is subject to the Student Code of Conduct in the Student Policy Handbook.
For employees, violation of this policy will be subject to consideration as “misconduct” under EHRA policies (faculty and non-faculty) and “unacceptable personal conduct” under SHRA policies, including any appeal rights stated therein.
If a violation of this policy also results in a violation of law, it may also be referred for criminal or civil prosecution.
Additionally, violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of ITS where such action is reasonable to protect the University or the University’s information infrastructure. Failure of the University to carry out this policy effectively could result in audit findings that could endanger its designation as a Special Responsibility Constituent Institution and loss of budget flexibility.
- ISO/IEC 27002:2022 Information Security, Cybersecurity and Privacy Protection – Information Security Controls
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Article 2A. Identity Theft Protection Act § 75-60.
- Federal Information Security Modernization Act of 2014 (FISMA)
The Chancellor is responsible for the approval of this Policy, and has delegated the administration thereof to the Vice Chancellor for Information Technology Services.
6.5 Contacts for Additional Information and Reporting
- Responsible Executive: Vice Chancellor for Information Technology Services and Chief Information Officer (CIO)
- Responsible Administrator: Chief Information Security Officer (CISO)
- Other Contacts: Director of Communications Infrastructure and IT Facilities
- Conversion from Old Policy Manual to New Policy Manual, No Substantive Revisions
- Non-substantive revisions to include updating to conform with the new policy template requirements (separating definitions and roles and responsibilities)