Physical Access Control Policy
Technology Services
Purpose
Protecting the College’s sensitive data and critical IT infrastructure is paramount. This policy outlines the procedures for controlling physical access to IT assets like data centers, network closets, storage rooms, and other restricted areas, minimizing security risks, and ensuring the uninterrupted operation of essential systems.
Scope
This policy applies to all staff, contractors, vendors, and visitors who need to access the Technology Services’ facilities, which include:
- Data centers and data backup locations
- Network closets and server rooms
- Telecommunications rooms
- IT equipment storage areas
- Other designated IT-restricted areas
Objectives
This policy sets out to achieve several important objectives that will, together, improve the physical security of sensitive IT areas and assets:
- Restrict access to authorized personnel only.
- Deter unauthorized access, theft, and vandalism of IT assets.
- Safeguard sensitive data and ensure its confidentiality, integrity, and availability.
- Maintain system uptime and prevent disruptions to critical IT operations.
- Foster a culture of security awareness among IT staff and personnel with access to IT assets.
Access Levels and Authorization
Tiered Access Levels
Different access levels will be established based on job duties and responsibilities, granting access to specific IT areas and equipment.
Mandatory Training
All personnel granted access must undergo initial and ongoing security awareness training on access control procedures and security best practices.
Clearance Levels
Background checks and security clearances may be required for access to certain highly sensitive IT areas or systems.
Access Credentials
Photo ID badges with proximity cards or biometric access credentials will be issued to authorized personnel for use in highly sensitive IT areas.
Visitor Access
Visitors who are not specifically employed or contracted by the College must notify appropriate campus personnel prior to visiting or working in any area containing sensitive IT systems or equipment.
Lost or Stolen Credentials
Lost or stolen credentials must be reported immediately via the online form for deactivation. Replacement cards can be requested from Campus Safety.
Physical Security Measures
Secure Doors and Barriers
All highly sensitive IT areas will be secured with electronic access control systems like keypads, card readers, or biometric scanners. Less critical assets, like network closets, should be kept locked, or otherwise made inaccessible, when and where possible.
Alarm Systems
Intrusion detection and alarm systems for sensitive IT areas will be installed and monitored 24/7 by Campus Safety or other authorized personnel and/or outside services.
Security Cameras
Strategic locations within sensitive IT areas will have high-resolution security cameras with recordings retained for a designated period for review by authorized personnel.
Environmental Controls
Appropriate temperature, humidity, and fire suppression systems will be installed and maintained to protect equipment and data.
Secure Practices
Sensitive data can be exfiltrated from devices that have been improperly used and/or moved to less secure locations. USB keys and portable hard drives should never be used in a way that could compromise sensitive data. Documents left in printers and passwords that have been written down are additional examples of physical practices that may adversely impact data security.
Regular Security Assessments
Vulnerability assessments and penetration testing will be conducted periodically or “as-needed” to identify and address security weaknesses.
Policy Enforcement
Unauthorized access attempts, misuse of credentials, or tampering with security measures will be subject to disciplinary action, up to and including criminal prosecution.
Access logs will be generated and accessible for review by authorized personnel if and when suspicious activity or security breaches occur.
Regular audits and inspections will be conducted to ensure compliance with this policy.
Policy Implementation Assistance
Contact the Chief Technology Officer with questions or comments related to this policy.
Policy Authority
The XLT has responsibility for this policy and will obtain necessary approvals for changes.