PHYSICAL & ENVIRONMENTAL PROTECTION GUIDE

Transcription

1 2017 PHYSICAL & ENVIRONMENTAL PROTECTION GUIDE UTC IT0129-G UTC Information Technology Michael Dinkins, CISO 4/28/2017

2 CONTENTS 1. SCOPE PRINCIPLES REVISIONS OBJECTIVE POLICY APPLICABILITY RESPONSIBILITIES IT SECURITY OFFICE DEFINITIONS

3 1. Scope This Guide applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee at Chattanooga. Users includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University s information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties. 2. Principles This document is a University of Tennessee at Chattanooga-specific Guide based on University policy. Each User of UTC resources is required to be familiar and comply with University policies, and acceptance is assumed if the User accesses, uses, or handles UTC information technology resources. The Associate Vice Chancellor and Chief Information Officer (AVC/CIO) is responsible for information technology and security at the University of Tennessee Chattanooga. The AVC/CIO is the Position of Authority (POA) for Information Technology at UTC. 3. Revisions Date Action Name 4/28/2017 Version 1.0 Michael Dinkins 4. Objective This document provides guidance for developing, maintaining and documenting a Physical & Environmental Protection Program for UTC s business-critical information systems. 5. Policy This guide is a supplement to published University of Tennessee Policy IT0129, Physical & Environmental Protection. Click here for more information. This policy requires 2

4 UTC s Physical & Environmental Protection program to include procedures that address the following: 1) Physical Access Authorization. 2) Physical Access Control. 3) Access Control for Output Devices. 4) Emergency Power. 6. Applicability A formal Physical & Environmental Protection program must be applied to the following mission-essential systems/subsystems: Banner Banner Banner MISSION-ESSENTIAL SYSTEMS System Subsystem Owner Administrator Contact Enterprise Services (Non-Banner) Banner Services Systems applications Banner Services Systems database Banner Services Systems servers Data Center Banner Systems Support Services Director, Banner Systems Support Services Banner Systems DBA Executive Director, Deputy CIO Infrastructure Network Infrastructure Deputy CIO Infrastructure Telecomm Infrastructure Deputy CIO Moderate-categorized Departments registered with Office of CIO Department Head Department Head 7. Responsibilities ROLE RESPONSIBILITY Associate Vice- Chancellor & CIO (AV/CIO) As Position of Authority (POA), the AVC/CIO has overall responsibility of the Audit & Accountability program at UTC. The AVC/CIO ensures: 3

5 Chief Information Security Officer Subsystem Owner / Administrator (or assignee) 1) The Contingency Planning program is developed, documented, and disseminated to appropriate UTC entities in accordance with University policy. 2) The program is reviewed and updated annually. 3) Ensure critical business systems and mission-essential functions are identified for inclusion in the Physical & Environmental Protection program. The CISO is responsible for overseeing the implementation of the UTC Physical & Environmental Protection program for systems that support mission-essential functions. The CISO and IT Security Team consults and assists the CIO and systems owners of business-critical systems to ensure procedures address: 1) Physical Access Authorization. 2) Physical Access Control. 3) Access Control for Output Devices. 4) Emergency Power. 5) Annual review and update of program processes and procedures. System owners are responsible for developing procedures for their respective system(s) ensuring: 1) A Facilities Access List of individuals with authorized access to areas that house business-critical information systems is developed, approved and maintained. a) Review the Facility Authorized Access list annually. b) Remove individuals from the facility access list when access is no longer required. Authorization credentials can include, for example, badges, identification cards, and smart cards. The Executive Director of Enterprise Systems and Data Center will determine the strength of authorization credentials needed (badges, smart cards, or acceptable government ID cards, etc.) 2) Provide physical access control: a) Enforce physical access authorizations to the facility where the information system resides by verifying individual access authorizations before granting access to the facility. b) Maintain physical access audit logs for visitors to the facility. Note that Individuals with permanent physical access authorization credentials are not considered visitors. c) Escorts visitors and monitor visitor activity when individuals have access to systems classified as HIGH and there is 4

6 potential for severe impact to the University should there be a security breach. 8. IT Security Office Michael Dinkins, CISSP Chief Information Security Officer (423) michael-dinkins@utc.edu d) Document procedures for securing keys, combinations, and other physical access devices, and when access devices are lost, compromised or individuals are transferred or terminated. This applies to UTC employees, contractors and visitors. Any individuals with permanent physical access authorization are not considered visitors. The Executive Director of Enterprise Systems has to determine the types of facility guards needed including, for example, administrative staff or information system users. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated, or some combination thereof. Physical access points can include building access points, interior access points to the information systems and/or components requiring access controls, or both. Components of an information system (e.g., workstations, terminals) may be located in areas designated as publicly accessible with the Data Center, for example, safeguarding such devices. 3) Control access to output devices. Mission-essential systems need to implement appropriate level of controlled access to information system output devices to prevent unauthorized individuals from obtaining the output. For example, printers, copiers, and fax machines could be placed in controlled areas with keypad access controls or limiting access to individuals with certain types of badges. 4) Enough short term uninterruptible power supply is available to facilitate an orderly shutdown of all critical business systems in the event of a primary power outage. Larry Prince IT Security Analyst (423) larry-prince@utc.edu 5

7 9. Definitions 1) Alternate Processing Site is a geographically distinct site separate from the primary processing site that provides processing capability in the event that the primary processing site is not available. 2) Alternate Storage Site is a geographically distinct site separate from the primary storage site that maintains duplicate copies of information and data in the event that the primary storage site is not available. 3) Contingency Plan Testing determines the effectiveness of the Plan and identifies potential weakness in the Plan. Testing can be in the form of walk-throughs, tabletop exercises, checklists, simulations or a comprehensive exercise. 4) Mission-Essential Functions are those business-critical services and/or activities performed by the University that must be continued throughout, or resumed rapidly after, a disruption of normal operations. 5) System-level Information includes system-state information, operating system and application software and licenses. 6) User-level Information includes any information other than system-state information. 6