Policy 917 - Physical and Environmental Security Policy

Section: Information Technology
Policy Number: 917
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19

Policy Statement

The protection of the physical environment is one of the most obvious yet most important tasks within the area of information security. A lack of physical access control can undo the most careful technical precautions, and potentially put lives at risk. 

St. John’s University (St. John’s) is committed to ensuring the safety of its employees, contractors and assets and takes the issue of physical security very seriously. This policy sets out the main precautions that must be taken.

Scope and Applicability

This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity and availability of the University’s information assets, and protects the interest of the University, its customers, personnel and business partners.

Policy

Sensitive information is stored securely. Appropriate security controls are in place to protect St. John’s information assets from unauthorized physical access, damage, and interference, and to safeguard them against reasonable environmental hazards and active and passive electronic penetration. A risk assessment is carried out to identify the appropriate level of protection to be implemented to secure the information being stored.

  • Physical security begins with the building itself, and an assessment of perimeter vulnerability must be conducted. Appropriate control mechanisms are in place for the classification of information and equipment that is stored within it, which may include:
      • Alarms activated outside working hours
      • Window and door locks
      • Access control mechanisms fitted to all accessible doors (if codes are utilized, they need to be changed regularly and known only to those people authorized to access the area/building)
      • CCTV cameras (recordings need to be kept for at least 3 months)
      • Protection against damage (e.g. fire, flood, vandalism)
      • Identification and access tools/passes (e.g. badges, keys, entry codes)
      • Centralized protection of keys to all secure or public areas housing IT equipment (including wireless access points, gateways, and more)
  • Offsite backup locations will be reviewed at least annually to ensure these locations are physically secure for the backups.

All internal or third-party vendor storage location security is reviewed at least annually to confirm that backup media storage is secure.

When media is no longer needed for business or legal reasons, it is destroyed using industry-standard security methods.

Media classification is implemented so that the sensitivity of data can be determined, and appropriate physical security is in place. All media inventory logs are properly maintained, and media inventories are to be performed at least annually.

Devices that capture payment card data via direct physical interaction with cards are protected from tampering and substitution by:

  • Maintaining a list of devices
  • Periodically inspecting devices to look for tampering or substitution
  • Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices

Definitions

The following are the definitions relevant to the policy:

  • Computing Resources: All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
     
  • Institutional Data: All data owned or licensed by the University
     
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.

Compliance

The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed by, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by, the CIO and the Director of Information Security.

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.

Related Policies, Standards or Regulations

  • STD-PY-001 Physical and Environmental Security for Computing Resources Standard
  • STD-PY-002 Clear Desk and Clear Screen Standard
  • 922 Information Classification Policy
  • 916 Third Party Services Policy