Physical Access Control Policy

Technology Services

Purpose

Protecting the College’s sensitive data and critical IT infrastructure is paramount. This policy outlines the procedures for controlling physical access to IT assets like data centers, network closets, storage rooms, and other restricted areas, minimizing security risks, and ensuring the uninterrupted operation of essential systems.

Scope

This policy applies to all staff, contractors, vendors, and visitors who need to access Technology Services facilities, which include:

  • Data centers and data backup locations
  • Network closets and server rooms
  • Telecommunications rooms
  • IT equipment storage areas
  • Other designated IT-restricted areas

Objectives

This policy sets out to achieve several important objectives that will, together, improve the physical security of sensitive IT areas and assets:

  • Restrict access to authorized personnel only.
  • Deter unauthorized access, theft, and vandalism of IT assets.
  • Safeguard sensitive data and ensure its confidentiality, integrity, and availability.
  • Maintain system uptime and prevent disruptions to critical IT operations.
  • Foster a culture of security awareness among IT staff and personnel with access to IT assets.

Access Levels and Authorization

Tiered Access Levels

Different access levels will be established based on job duties and responsibilities, granting access to specific IT areas and equipment.

Mandatory Training

All personnel granted access must undergo initial and ongoing security awareness training on access control procedures and security best practices.

Clearance Levels

Background checks and security clearances may be required for access to certain highly sensitive IT areas or systems.

Access Credentials

Photo ID badges with proximity cards or biometric access credentials will be issued to authorized personnel for use in highly sensitive IT areas.

Visitor Access

Visitors who are not specifically employed or contracted by the College must notify appropriate campus personnel prior to visiting or working in any area containing sensitive IT systems or equipment.

Lost or Stolen Credentials

Lost or stolen credentials must be reported immediately via the online form for deactivation. Replacement cards can be requested from Campus Safety.

Physical Security Measures

Secure Doors and Barriers

All highly sensitive IT areas will be secured with electronic access control systems like keypads, card readers, or biometric scanners. Less critical assets, like network closets, should be kept locked, or otherwise made inaccessible, when and where possible. 

Alarm Systems

Intrusion detection and alarm systems for sensitive IT areas will be installed and monitored 24/7 by Campus Safety or other authorized personnel and/or outside services.

Security Cameras

Strategic locations within sensitive IT areas will have high-resolution security cameras with recordings retained for a designated period for review by authorized personnel.

Environmental Controls

Appropriate temperature, humidity, and fire suppression systems will be installed and maintained to protect equipment and data.

Secure Practices

Sensitive data can be exfiltrated from devices that have been improperly used and/or moved to less secure locations. USB keys and portable hard drives should never be used in a way that could compromise sensitive data. Documents left in printers and passwords that have been written down are additional examples of physical practices that may adversely impact data security.

Regular Security Assessments

Vulnerability assessments and penetration testing will be conducted periodically or “as needed” to identify and address security weaknesses.

Policy Enforcement

Unauthorized access attempts, misuse of credentials, or tampering with security measures will be subject to disciplinary action, up to and including criminal prosecution.

Access logs will be generated and accessible for review by authorized personnel if and when suspicious activity or security breaches occur.

Regular audits and inspections will be conducted to ensure compliance with this policy.

Policy Implementation Assistance

Contact the Chief Technology Officer with questions or comments related to this policy.

Policy Authority

The XLT has responsibility for this policy and will obtain necessary approvals for changes.