Information Resources Use and Security Policy

19.1. All Information Resources must be physically protected, based on risk, as determined in accordance with Section 9 of this Policy; and associated risk management decisions as part of the overall security program for the university.

19.2. Physical access safeguards help to establish best practices for the appropriate granting, controlling, and monitoring of physical access for all facilities supporting information resources (such as Data Centers). Physical access safeguards include the following:

19.2.1. All facilities supporting information resources must be physically protected in proportion to the criticality and confidentially of their function.

19.2.2. All facilities supporting information resources must have physical access controls in proportion to the importance, sensitivity, and accountability requirements of the data and systems housed in that facility.

19.2.3. Access to facilities supporting information resources will only be granted to authorized university personnel and other contractors or personnel whose job responsibilities require such action.

19.2.4. Access cards and/or keys must not be shared or loaned to others.

19.2.5. Access cards, and/or keys, and badges that are no longer required must be returned to the responsible department contact. All returned access cards must be forwarded to the responsible campus key management or ID center contact as soon as possible. Cards must not be reallocated to another individual, thereby bypassing the return process.

19.2.6. Lost or stolen access cards and/or keys must be reported to the appropriate department or entity as soon as possible.

19.2.7. Access and log records for facilities supporting information resources are the responsibility of the department that manages the facility. Such records will be kept in accordance to the accountability requirements of the data and systems in that facility and the university's record retention schedule.

19.2.8. The department in charge of facilities supporting information resources must be notified within three business days if individuals who had access to these facilities should no longer need access due to a change in roles, completion of contract or other cause that negates their need for further access.

19.2.9. Visitors must be escorted in controlled areas of facilities supporting information resources.

19.2.10. The department in charge of facilities supporting information resources must review access records on a periodic basis and investigate any unusual access.

19.2.11. The department in charge of facilities supporting information resources must review card and/or key access rights on a periodic basis and remove access for individuals that no longer require access.

19.2.12. Signage for restricted access rooms and locations must be practical. Minimal discernible evidence of the importance of the location should be displayed.