Physical Access to Sensitive IT Facilities
University Policy Number 1314
Responsible Office: Information Security Officer
Related Law & Policy:
- Policy 1114: Data Stewardship
- Policy 1301: Responsible Use of Computing
- Policy 1303: Telecommunications Spaces and Cabling
- Policy 1305: Reporting Electronic Security Incidents
- Policy 1312: Physical and Logical Access Security
- Policy 1404: Reporting of Crimes, Accidents, Fires and Other Emergencies
This policy applies to all academic and operational departments and offices at all university locations, whether owned or leased. It applies to all Mason faculty, staff, students, visitors, and contractors.
All university departments must establish procedures to protect Information Technology (IT) resources that process or store highly sensitive data from unauthorized physical access, tampering, and theft. Access to facilities that house IT systems and highly sensitive data must be restricted to individuals who have a legitimate business need for such access. Legitimate business needs include a primary work assignment or a job responsibility that requires access to university facilities that house IT systems related to highly sensitive data.
II. POLICY STATEMENT
Various facilities within the University currently house information technology (IT) resources supporting business operations. The data stored, processed, or accessed from these locations may be highly sensitive in nature, and the confidentiality, integrity, and availability of that data must be ensured in order to comply with legal, regulatory, and university policy requirements. This policy requires that security practices and procedures be established, followed, and maintained for these facilities in order to protect the IT resources they house: the data, equipment, support systems, and storage media, as well as the facility itself and the personnel who work in it.
Overall, any IT system storing or processing highly sensitive data must be housed in a secure location, protected with appropriate security structures and entry controls. The system must be physically protected from unauthorized access, damage, and interference. The level of protection provided will be directly related to the identified risks.
Physical access to essential computer hardware, wiring, displays, and networks must be controlled by the principle of least privilege, which requires that users have only the minimum access rights necessary to fulfill their responsibilities.
The examples of physical access controls listed below should be deployed based on the value of the technology and data assets, and the type of facility in which they are housed.
- Locks on facility doors and windows
- Access control systems, with logging and reporting
- Physical monitoring systems, including Closed Circuit Television with recording
- Visitor logging and controls
- Alarm systems
- Security guards
Access Based on Role and Business Need
Physical access to sensitive IT systems must be controlled based on job role and legitimate business need, and commensurate with the sensitivity of the data and the risk involved. Logs should be maintained to document who has been granted physical access to sensitive IT systems and when that access was authorized. Logs should be regularly monitored and audited to confirm that everyone who physically accesses sensitive IT systems is authorized to do so and has a legitimate business need.
Access Logs Required
Procedures should include physical access logs. These logs should be reviewed periodically against the list of persons authorized for physical access to sensitive IT systems. The review should confirm that each grant of physical access was authorized and that a legitimate business need still exists. The frequency of these reviews should be proportional to the sensitivity of the systems and the risk involved.
Documentation for a review should include the access control list or, if mechanical locks are used, the list of individuals who have been issued keys. The visitor logs for the review period should also be provided.
Account Management Required
The procedures should state when reviews of authorized users will be conducted. There should be a documented method for removing a user's access in a timely fashion when (1) the user has been terminated, (2) the user has changed roles and no longer needs access, or (3) a contractor is no longer engaged to provide the services that required access. The procedures should also describe when rekeying of mechanical locks or reprogramming of electronic access systems is required and how it will be accomplished. The procedures should produce auditable records of account management, account reviews, and access logs.
Access control: This refers to the practice of restricting entrance to a physical site (property, building, room), or mobile/portable location to authorized persons only.
Highly Sensitive Data: Data that (1) by their personal nature can lead to identity theft or exposure of personal health information, or (2) a researcher, funding agency or other research partner has identified as highly sensitive or otherwise requiring a high level of security protection. The definition is established in the Data Stewardship Policy 1114 where a more detailed definition and examples can be found.
Least privilege: The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. The enforcement of least privilege requires identifying what the user’s job is, determining the minimum set of privileges required to perform that job, and defining the user’s role, which includes those privileges only.
Physical facility: This is the building, room, closet or other structure housing sensitive IT systems and network components.
Physical access control: This determines the "who, where, and when" of access to a facility. Authentication is proving who you are; authorization is granting access based on the authenticated identity; accounting is recording what access occurred. Together these components implement the principle of authentication, authorization, and accounting.
Risk: The potential that an event may cause an important or significant negative impact to a resource, such as data or an IT system.
Sensitive IT systems: These include any computer, server, network device or storage device that processes or stores highly sensitive data as defined in the Data Stewardship Policy 1114.
Any university department, office or unit that houses sensitive IT systems must establish procedures to protect those sensitive IT systems from unauthorized physical access, tampering, and theft. The documented procedures should include a description of the methods used to ensure the adequate management of authorized users, the type(s) of physical controls employed, and the logging of physical access.
V. OTHER INFORMATION
Reporting an IT Security Facility Event
Any occurrence of an observable threat to a facility housing sensitive IT systems (or to any contents within) is considered an IT Security Facility Event. An IT Security Facility Event that has an adverse effect on the facility or its contents must be reported immediately to university police. A suspected IT Security Facility Event includes, but is not limited to:
- Physical break in
- Physical damage inside and/or outside the facility
- Violence of any kind, including threats
- Theft of property within and/or outside the facility
Department administration must have documented procedures for access control and must be able to produce them when required for auditing purposes. Evidence of access control, logs showing who accessed each facility and when, and the list of authorized users with the date of its most recent review must likewise be available when required for auditing purposes.
Failure to honor the requirements set forth in this policy may result in disciplinary or administrative action.
VII. EFFECTIVE DATE AND APPROVAL
The policies herein are effective February 3, 2012. This Administrative Policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: March 19, 2012
Date of most recent review: January 29, 2013