University of Maryland Eastern Shore
Department of Information Technology
Physical Access Security Policy
Date: November 28, 2018
The purpose of this policy is to establish standards for granting, managing and monitoring physical access to university facilities that contain network infrastructure and to protect them from unauthorized access and environmental damage.
This policy applies to all university facilities containing network infrastructure, including but not limited to the data center, network and telecommunication closets and fiber distribution facilities.
Physical access security provides access controls and environmental safeguards for network infrastructure and facilities. Physical access must be granted, managed and monitored to protect information technology resources from unauthorized access and environmental threats.
- Physical access privileges to all university network facilities must be documented and managed by the Department of Information Technology (IT).
- All facilities that house network infrastructure must be physically protected in proportion to the importance of their function. All of these facilities must be locked at all times with a key lock, magnetic card reader lock, or a push button combination door lock.
- Access to restricted IT areas may be granted to university staff and affiliates whose job responsibilities require access to that facility.
- Access to a restricted area must be granted by the Director of Information Technology.
- Secured access devices (e.g. access cards, keys or combinations) must not be shared or loaned to others by approved personnel.
- Lost or stolen keys or cards must be reported to IT and the Director of Public Safety immediately.
- Access rights must be removed when the job function changes or access to the facility is no longer needed.
- University visitors or vendors must be escorted and monitored while working in a restricted area.
- Vendors, or others, accessing network or data center devices remotely must complete a non-disclosure agreement and must be approved by the Director of Information Technology.
- A list of personnel with approved access must be maintained by the Director of Information Technology and reviewed bi-annually.
- All restricted IT areas must remain locked at all times.
- All network and computing equipment that is accessible in a public area must be locked down with a security cable.
Environmental Controls in Restricted IT Areas
- All physical access control systems must comply with all regulations, including, but not limited to, building and fire prevention codes.
- Fire detection, power irregularity protection, air conditioning, humidity control and other environmental protection systems must be installed, operative and maintained.
- Adequate air conditioning must be operational in network facilities to prevent long-term heat damage and equipment failure.
- All network equipment and systems in network facilities must be connected to an uninterruptible power supply in order to prevent power spikes, brownouts, and subsequent damage to data and hardware.
Cabinet approval pending. 12/13/18