Physical and Environmental Security Standard
- Purpose
Implementation of physical, environmental, and logical security measures helps to protect the privacy, security, and confidentiality of university systems, information, and information resources from unauthorized access.
- Scope
The scope applies to all academic and operational departments and offices at all Winston-Salem State University locations, owned and leased, and to all University faculty, staff, students, visitors, and contractors. It covers physical and logical access to all university systems, especially highly sensitive systems, and the responsibilities of institutional units and individuals for such systems.
- Protection of Information Resources
Protecting information resources includes:
- Physical protection of information processing facilities and equipment
- Assurance that application and data integrity are maintained
- Assurance that information systems perform their critical functions correctly, in a timely manner, and under adequate controls
- Protection against unauthorized access to protected data through logical access controls
- Protection against unauthorized disclosure of information
- Assurance that systems continue to be available for reliable and critical information
- Assurance that the security and forensic needs of the university are met
- Additionally, information entered, processed, stored, generated, or disseminated by information systems must be protected from internal data or programming errors and from misuse by individuals inside or outside the university. Specifically, the information must be protected from unauthorized or accidental modification, destruction, or disclosure. Proper account management procedures, security monitoring, and logging practices are required to provide this type of protection of data.
- Secure areas
- Winston-Salem State University’s (WSSU) Office of Information Technology (OIT) must document and manage physical security for mission critical information resources to ensure the confidentiality, integrity, and availability of those resources.
- All information processing facilities must be protected by physical controls that are appropriate for the size and complexity of the operations and the criticality, sensitivity, regulatory compliance requirements and risks to the systems or services operated at those locations.
- All enterprise data processing facilities that process or store data classified as critical or sensitive should have multiple layers of physical security. Each layer should be independent of, and separate from, the preceding and/or following layer(s).
- All other processing facilities should have, at a minimum, a single security perimeter protecting them from unauthorized access, damage, and/or interference.
- Work areas must be protected in accordance with physical controls and security requirements that are appropriate for the classification and value of the data being handled or processed and the type of operational functions performed in the area. University departments and OIT shall develop procedures to distinguish between onsite personnel and visitors in sensitive areas.
- Physical security and emergency procedures for information resources must be documented, tested, and reviewed as part of the risk assessment process.
- Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled, and if possible, isolated from information processing facilities.
- Equipment
- Equipment should be located in secured areas or otherwise protected to reduce the risks from environmental threats and hazards and to reduce the opportunities for unauthorized access. Equipment located in areas where WSSU or OIT is unable to maintain a secure perimeter should be securely locked, with access controlled by WSSU. Secure cabinets or facilities should support further segregation within the organization based on role and responsibility.
- Procedures for protecting mission critical information resources from environmental hazards, power failures, interception, interference, and other disruptions must be documented, updated, and tested at least annually.
- Designated employees shall be trained to monitor environmental control procedures and equipment and shall be trained in desired response in case of emergencies or equipment problems.
- Enterprise data processing facilities are to be equipped with security cameras to record activities in the parking lot and within the area encompassing the front entrance. All activities in these areas are recorded 24 hours a day, 365 days a year.
- Fire protection is governed by local building codes, which will be observed. Manufacturer’s recommendations on the fire protection of individual hardware will be followed.
- Equipment should be correctly maintained to ensure its continued availability and integrity.
- All equipment, software or information that is a part of WSSU operational systems or processes should not be taken off-site without the prior authorization from executive management or a designated representative and should be removed according to documented agency equipment transfer procedures.
- Security should be applied to off-site assets taking into account the different risks of working outside the organization’s premises.
- All data processing equipment including storage devices subject to transfer or reuse should be sanitized in accordance with the State of North Carolina’s media reuse procedure or superseding federal requirements. Data processing equipment assets that are not subject to transfer or reuse should be destroyed in accordance with the State of North Carolina’s media disposal procedures or in accordance with superseding federal requirements.
- Clear Desk and Clear Screen
- All data classified as confidential must be stored in a locked cabinet or room when unattended. All data processing equipment that provides access to Information Processing Systems will be configured so that, when the system has been left unattended, a password-protected screen-saver or another lock-down mechanism engages automatically, preventing unauthorized viewing of on-screen information and unauthorized access to the system.
- All computing platforms residing in non-secured facilities with attached displays should be oriented away from direct line of sight from unauthorized viewers.