Guidelines are recommendations
They help support standards or serve as a reference when no applicable standard is in place.
Draft revised: 06/11/2015
Physical Security Guidelines
- Related Information
- Revision History
Information Resources should be protected by physical safeguards, according to the level of sensitivity and criticality of the data they create, receive, store, or transmit.
Federal, state and other legislative, regulatory and industry requirements and best practices, shape the security and privacy protections that apply to information resources. These guidelines outline the phsycial security controls that should be used to protect University Information Resources.
These guidelines apply to all individuals that have, or may require, access to Information Resources at McNeese State University, and those with responsibility for maintaining its Information Resources.
Information Resources that create, receive, store, or transmit Confidential or Restricted data (see Guidelines for Sensitive Data and Data Classification Guidelines) should be protected by use of the following controls.
Facility Security Controls
- Managers and administrators of Confidential or Restricted Information Resources should create documented procedures that ensure facilities containing these resources are safeguarded from unauthorized physical access. Each facility covered under these policies and procedures should have, at minimum, the following controls:
- Procedures to control and validate a person's access to facilities. These procedures should be based on role or function, and follow the minimum necessary standard by which users are given the minimum amount of access necessary to perform their job functions.
- Regular review at predetermined intervals of authorization for facility access of workforce members and vendors, which ensures that facility access is limited to only those with a business need for physical access to the facility.
- Logging of vendor access. All physical access to facilities by vendors should be logged (i.e. through sign-in sheets) for entry time, exit time, purpose, and workforce member who allowed (enabled) the facility entry. Vendors should always be escorted by workforce members when in a facility containing Confidential or Restricted resources.
- Procedures for providing facility access in support of restoration of data in the event of an emergency or disaster.
- Procedures that ensure emergency physical access, in the event of an emergency or disaster or otherwise, when a custodian of the physical site is unavailable.
Access and Authorization
- Facilities containing Confidential or Restricted Information Resourcees should be located in access-controlled areas.
- Physical access controls should be logged and audited at predetermined intervals.
- Any network wiring closets or other concentrated groups of Confidential or Restricted Information Resources should be secured from unauthorized access. Appropriate physical controls include door keys (where distribution is restricted, controlled, and reviewed at least once per year - see Key Control Plan).
- Environmental controls should be in place for any facility containing Confidential or Restricted Information Resources. Reasonable attempts should be made to implement protections against power outages, fire, water damage, temperature extremes, and other environmental hazards.
Workstation Physical Security
- Users are should make reasonable efforts to restrict the viewable access to workstations that are connected to (or are considered to be) Confidential or Restricted Information Resources when they are going to be out of viewable range of those workstations.
- After a predetermined amount of inactivity, workstations that have access to (or are considered to be) Confidential or Restricted Information Resources should automatically lock or log off.
- Sessions to Confidential or Restricted systems should be automatically terminated after a predetermined period of activity.
- Workstations that are connected to (or are considered to be) Confidential or Restricted Information Resources should not be located in public sections of walkways, hallways, waiting areas, etc.
Device and Media Controls
- Managers and administrators of each facility containing Confidential or Restricted Information Resources should create procedures for device and media security controls that encompass the following:
- The creation of an inventory of hardware and electronic media residing in the facility.
- Records documenting the movement of hardware and electronic media in and out of the facility.
- Maintenance records, including documentation of repairs and modifications to the security-related physical facility components. Security-related physical components include doors, locks, walls, access cards, etc.
Backup, Recovery, and Disposal
- Systems administrators and managers of Confidential or Restricted Information Resources should have documented procedures to create a retrievable, exact copy of Confidential or Restricted data and should test data and system recovery on a predefined, regular basis. Guidelines for backup of Confidential or Restricted data and systems include but are not limited to:
- Confidential or Restricted data and systems should be backed up (at least weekly) on a predefined, regular basis, using durable media and documented handling procedures should include provisions for keeping a backup or a copy of a backup in off-site storage.
- Backup media should be protected from theft, environmental and physical threats, and unauthorized access.
- Backup media that stores Confidential or Restricted data should be encrypted.
- Backup systems used to create backups of Confidential or Restricted data and systems should be capable of providing an inventory of the systems backed up, including a record of backups residing on each individual piece of media (e.g. backup tapes). The availability and accuracy of this inventory should be tested at least yearly.
- Managers and administrators of Confidential or Restricted systems or data should have documented restoration procedures.
- Disposal of Confidential or Restricted data should accomplished in a way that ensures data is deliberately, permanently, and irreversibly removed or destroyed, such that no residual data can be recovered, even with advanced forensic tools. Approved Data Sanitization methods are listed in IT STD 1-17 Data Santization - Standards and Requirement, by the State of Louisiana, Office of Technology Services. It is insufficient to simply delete information or reformat media, as that information is easily recovered. Disposal of Confidential or Restricted data and systems must be in compliance with the University's Records Retention and Disposition Policy and the Property Control Office
State IT Policies, Standards, and Guidelines