Prince Sultan University PSU
Policy Management System
Physical Security Policy
Policy Code: | IT0006 |
Policy Title: | Physical Security Policy |
Owner: | Information Technology Center |
Responsible Office/Department: | Vice President for Academic Affairs |
Approved by: | University Council |
Date Created: | February 02, 2017 |
Recent Review: | December 2023 |
Effective date: |
POLICY STATEMENT
This policy is intended to institute standards for granting, monitoring, and terminating physical access to ITC services and to protect ITC equipment from environmental factors.
BACKGROUND AND JUSTIFICATION
Environmental Safeguards
- Air conditioning should be operational in ITC Data Center.
- All ITC facilities should have adequate fire extinguishing devices. These devices should be inspected regularly.
- Critical ITC resources must be connected to an Uninterrupted Power Supply (UPS) to maintain steady power source to prevent spikes and brownouts, which might damage data and Hardware.
- Electrical outlets should not be burdened with too many devices to insure practical usage of extension cords.
Physical Access
- Physical access privileges to all ITC facilities must be issued, managed, and documented by ITC.
- All ITC facilities should be physically protected.
- Only authorized PSU staff and faculty members are allowed to access ITC facilities.
- Granting fingerprint access to ITC facilities should be approved by CITO.
- All ITC facilitates must be kept locked when not used to reduce the occurrence of unauthorized entry and access
SCOPE AND PURPOSE
This policy relates to all ITC facilities including but not limited to meeting rooms, presentation rooms, network closets, and the ITC Data and Operation Centers.
PRINCIPLES OF THE POLICY
- Layered Security: Physical security will be approached with multiple layers, from the perimeter to data centers, ensuring redundancy and minimizing vulnerabilities.
- Access Control: Only authorized personnel will have access to IT facilities. Entry and exit points will be controlled and monitored to prevent unauthorized access.
- Asset Management: All IT physical assets, from servers to mobile devices, will be inventoried and regularly audited to ensure their security.
- Surveillance: Strategic areas, such as server rooms, will be under continuous surveillance using tools like CCTV to deter and detect threats.
- Environmental Safeguards: IT facilities will have controls against environmental hazards, such as fire, floods, and electrical outages, ensuring continuous operation and data integrity.
- Training and Awareness: All staff will receive regular training on the importance of physical security and their role in maintaining it.
- Visitor Management: All visitors to IT-specific areas will be logged, monitored, and possibly escorted, minimizing potential security risks.
- Incident Response: Procedures will be in place for immediate action in the event of a physical security breach, including communication protocols and recovery strategies.
- Continuous Improvement: The policy will be reviewed periodically, and measures will be updated based on new threats, technological advancements, and feedback.
- Compliance with Regulations: All physical security measures will adhere to relevant local, national, and international regulations to ensure compliance and standardization.
DEFINITIONS
- Physical Security: Measures and controls to protect IT assets from physical threats, including unauthorized access, theft, and environmental disasters.
- Access Control: Mechanisms to grant or deny individuals' entry into specific areas based on their authorization levels.
- Asset Management: The systematic process of maintaining, upgrading, and managing physical IT assets, such as servers, workstations, and networking equipment.
- Surveillance: Continuous or periodic observation of IT facilities to prevent, detect, and respond to security breaches.
- Environmental Controls: Systems in place to manage environmental factors, such as temperature, humidity, and fire, ensuring optimal operation and protection of IT assets.
- Visitor Log: A record of all non-staff individuals who enter IT-specific areas, including their name, purpose of visit, entry, and exit times.
- Incident: Any event that compromises, or has the potential to compromise, the physical security of IT assets.
- Perimeter Security:: Measures taken at the outermost boundary of an IT facility to prevent unauthorized entry. This includes fences, gates, and guards.
- Restricted Area: A designated space with stringent access controls, usually housing critical IT infrastructure.
- Authentication Mechanisms: Tools or methods used to verify the identity of individuals seeking access, such as badges, biometrics, and PINs.
RESPONSIBILITIES AND IMPLEMENTATION STRATEGIES
- Facility Design & Management:
- Ensure facilities housing IT equipment are designed with security in mind.
- Utilize barriers, such as walls or fences, to protect against unauthorized access.
- Access Control Measures:
- Implement key card access, biometric verification, or other access control systems.
- Regularly review and update access permissions, ensuring only authorized personnel can access critical areas.
- Asset Tracking & Management:
- Maintain a current inventory of all IT assets.
- Deploy tracking systems, such as RFID tags, for high-value items.
- Surveillance & Monitoring:
- Install and maintain surveillance cameras at strategic points.
- Regularly review footage, especially after reported or suspected incidents.
- Environmental Control Implementation:
- Install fire suppression systems, uninterrupted power supplies, and climate control in critical IT areas.
- Conduct periodic checks to ensure all systems are functional.
- Training & Awareness Programs:
- Provide training for staff on their role in physical security, from tailgating prevention to emergency evacuation procedures.
- Update training content to address new threats or challenges.
- Visitor Management Protocols:
- Ensure all visitors to sensitive IT areas are logged, provided with visitor badges, and possibly escorted.
- Limit the duration and scope of their visits to necessary activities.
- Incident Response Preparedness:
- Establish and regularly review protocols for responding to physical security incidents.
- Conduct drills or simulations to ensure staff readiness.
- Regular Audits & Assessments:
- Periodically evaluate the effectiveness of physical security measures.
- Address identified vulnerabilities promptly.
- Collaboration with Relevant Entities:
- Build relationships with local law enforcement and emergency response teams.
- Share relevant information about potential threats and seek guidance on best practices.
RESPONSIBILITIES AND IMPLEMENTATION STRATEGIES
Any violation of this policy will make the subject susceptible disciplinary actions. with the Enforcement section of the ITC Unauthorized Use Policy.
https://www.psu.edu.sa/en/IT0002-unauthorized-use-policy