PHYSICAL AND ENVIRONMENTAL SECURITY

Transcription

1 PHYSICAL AND ENVIRONMENTAL SECURITY 1.0 STANDARD FOR PHYSICAL AND ENVIRONMENTAL SECURITY - EQUIPMENT 1.1 PURPOSE The purpose of this standard is to establish baseline controls to prevent loss, damage, theft or compromise of assets and interruption to the university s operations. 1.2 SCOPE All system and equipment owners, as well as users of that equipment, should ensure that measures are in place to protect equipment from loss, damage, theft or compromise. Furthermore, it is important for all ECSU staff, faculty, students, associates, affiliates, contractors, volunteers or visitors using ECSU facilities, services or IT systems to understand the need to ensure the protection of any university equipment. 1.3 CONTROL OBJECTIVE To prevent loss, damage, theft or compromise of assets and interruption to the organization s operations. 1.4 STANDARD Steps to protect equipment and to prevent loss, damage, theft or compromise of assets should include: Equipment placement and protection Equipment should be positioned and protected in a manner to reduce the risk of environmental threats and hazards as well as opportunities for unauthorized access. Supporting utilities Equipment should be protected from power failures and from the impact of potential disruptions caused by failures in supporting utilities such as telecommunications, water, gas, sewage, and HVAC. 1

2 Cabling security Power and network/telecommunications cabling should be protected from interception, interference, or damage. Equipment maintenance Equipment should be maintained by authorized personnel and in accordance with recommended service intervals to ensure availability and integrity. Removal of equipment or assets Equipment, information, or software should not be taken off-site without prior management authorization. Security of equipment and assets off-premises Security should be applied to off-site equipment and assets with consideration for the additional risks that are likely presented with working outside the campus. Secure disposal or re-use of equipment All equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten before it is disposed or re-purposed. Unattended user equipment All users should ensure that unattended equipment has appropriate protection by terminating sessions, logging off from applications when no longer needed, initiating a screen lock, and securing computers or mobile devices with a pattern, PIN, or password when not in use. Clear desk and clear screen policy In addition to equipment screen locks, all work areas should be further secured by clearing those spaces of all papers and removable devices containing sensitive information. These papers and devices should be stored in appropriately secured locations. 1.5 RELATED RESOURCES Guideline for Hardware and Media Disposal ISO/IEC 27002:

3 Direct your questions about this standard to DIT Information Security Office at 1.6 REVISION HISTORY Approved by DIT Security Committee

4 2.0 STANDARD FOR PHYSICAL AND ENVIRONMENTAL SECURITY SECURE AREAS 2.1 PURPOSE The purpose of this standard is to establish baseline controls to prevent unauthorized physical access, damage, or interference to the university s information and information processing facilities. 2.2 SCOPE Physical protections should be in place to prevent unauthorized access to any university information and information processing facilities. Furthermore, it is important for all ECSU staff, faculty, students, associates, affiliates, contractors, volunteers or visitors using ECSU facilities, services or IT systems to understand the need to ensure physical protections to any university information. 2.3 CONTROL OBJECTIVE To prevent unauthorized physical access, damage and interference to the organization s information and information processing facilities. 2.4 STANDARD Steps to prevent unauthorized access, damage or interference to the university s information or information processing facilities should include: Defined physical security perimeters Security perimeters should be used to protect areas containing sensitive or critical information or information processing and the boundaries should be appropriate to the sensitivity of the information contained within. Physical entry controls Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Physical security for offices, rooms, and facilities 4

5 Physical security for offices, rooms, and facilities should be designed and implemented. Protection against external and environmental threats Physical protection should be designed and implemented to protect against natural disasters, accidents, and malicious attacks. Working in secure areas Procedures for working in secure areas should be designed and implemented. Delivery and loading areas Delivery and loading areas should be isolated from information storage or processing facilities. 2.5 RELATED RESOURCES ISO/IEC 27002: 11.1 Direct your questions about this standard to DIT Information Security Office at 2.6 REVISION HISTORY Approved by DIT Security Committee