Skip to main content
Learn More
Shearman Fine Arts at Dusk

Physical Security Guidelines

Physical Security Guidelines

Physical Security Guidelines

  1. Overview

    In accordance with the McNeese State University Guidelines for Sensitive Data, all information systems that create, receive, store, or transmit 'Sensitive Data' should adhere to the physical security principles of this document.

  2. Purpose

    State and federal regulations, as well as general best practices, shape the security and privacy protections that should be afforded to "Confidential Data". These guidelines address regulatory and best practice requirements to protect physical data security.

  3. Scope

    These guidelines apply to employees, contractors, consultants, temporaries, and other workers at McNeese State University, including all personnel affiliated with third parties. These guidelines apply to all equipment that is owned or leased by McNeese State University.

  4. Guidelines

    Information systems or applications that create, receive, store, or transmit Confidential data (hereafter "Confidential Systems" - see Guidelines for Sensitive Data) should, adhere to the following:

    1. Facility Security Controls
      1. Managers and administrators of Confidential systems are responsible for creating documented policies and procedures that ensure facilities containing these Confidential systems are safeguarded from unauthorized physical access. Each facility covered under these policies and procedures should have, at minimum, the following controls:
        1. Procedures to control and validate a person's access to facilities. These procedures should be based on role or function, and follow the minimum necessary standard by which users are given the minimum amount of access necessary to perform their job functions.
        2. Regular review (at a minimum interval of 6 months) of authorization for facility access of workforce members and vendors, which ensures that facility access is limited to only those with a business need for physical access to the facility.
        3. Logging of vendor access. All physical access to facilities by vendors should be logged (i.e. through sign-in sheets) for entry time, exit time, purpose, and workforce member who allowed (enabled) the facility entry. Vendors should always be escorted by workforce members when in a facility covered by this policy.
        4. Procedures for providing facility access in support of a restoration of data in the event of an emergency or disaster.
        5. Procedures that ensure emergency physical access, in the event of an emergency or disaster or otherwise, when a custodian of the physical site is unavailable.
    2. Access and Authorization
      1. Facilities containing Confidential systems should be located in access-controlled areas.
        Physical access controls should be logged and audited at least every six months.
      2. Any network wiring closets or other concentrated groups of IT resources classified as "Confidential" should be secured from unauthorized access. Appropriate physical controls include door keys (where distribution is restricted, controlled, and reviewed at least once per year - see McNeese State University Key Control Plan).
      3. Environmental controls should be in place for any facility covered under this policy. Reasonable attempts should be made to implement protections against power outages, fire, water damage, temperature extremes, and other environmental hazards.
    3. Workstation Physical Security
      1. Please reference the Data Integrity Guidelines for workstation physical security guidelines.
    4. Device and Media Controls
      1. Managers and administrators of each facility covered under this policy are responsible for creating and documenting procedures for device and media security controls that encompass the following:
        1. The creation of an inventory of hardware and electronic media residing in the facility.
        2. Records documenting the movement of hardware and electronic media in and out of the facility.
        3. Maintenance records, including documentation of repairs and modifications to the security-related physical facility components. Security-related physical components include doors, locks, walls, access cards, etc.
    5. Backup, Recovery, and Disposal
      1. Systems administrators and managers of Confidential systems should have documented procedures to create a retrievable, exact copy of Confidential data and should test data and system recovery on a predefined, regular basis; at least once per year. Guidelines for backup of Confidential data and systems include but are not limited to:
        1. Confidential data and systems should be backed up (at least weekly) on a predefined, regular basis, using durable media and documented handling procedures that should include provisions for keeping a backup or a copy of a backup in off-site storage.
        2. Backup media should be protected from theft, environmental and physical threats, and unauthorized access.
        3. Reasonable efforts should be made to encrypt backup media that stores Confidential data and is external to the backup system.
        4. Backup systems used to create backups of Confidential data and/or systems should be capable of providing an inventory of the systems backed up, including a record of backups residing on each individual piece of media (e.g. backup tapes). The availability and accuracy of this inventory should be tested at least yearly.
        5. Managers and administrators of Confidential systems or data should have documented procedures for restoring those Confidential systems or data.
        6. Confidential data and systems should be disposed of in such a way as to ensure that data cannot be retrieved or recovered. When donating, selling, or otherwise planning to reuse information technology resources or media, users should ensure that Confidential data is rendered unreadable or unrecoverable. Acceptable methods for doing this include: complete destruction, degaussing, or using other standard Department of Defense approved techniques for wiping media. It is insufficient to simply delete information or reformat media, as that information is easily recovered.
  5. Revision History

    Fri Dec 20 2013