Section: Information Technology
Policy Number: 917
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20
The protection of the physical environment is one of the most obvious and yet most important tasks within the area of information security. A lack of physical access control can undo the most careful technical precautions, and potentially put lives at risk.
St. John’s University (St. John’s) is committed to ensuring the safety of its employees, contractors and assets and takes the issue of physical security very seriously. This policy sets out the main precautions that must be taken.
This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of St. John’s information assets, and protects the interest of St. John’s, its customers, personnel, and business partners.
Sensitive information is stored securely. Appropriate security controls are in place to protect St. John’s information assets from unauthorized physical access and safeguard them against reasonable environmental hazards, active and passive electronic penetration, and to prevent unauthorized physical access, damage, and interference. A risk assessment is carried out to identify the appropriate level of protection to be implemented to secure the information being stored.
Physical security begins with the building itself, and an assessment of perimeter vulnerability must be conducted. Appropriate control mechanisms are in place for the classification of information and equipment that is stored within it, which may include:
All internal or third-party vendor storage location security is reviewed at least annually to confirm that backup media storage is secure.
When media is no longer needed for business or legal reasons, it is destroyed using industry-standard security methods.
Media classification is implemented so that the sensitivity of data can be determined, and appropriate physical security is in place. All media inventory logs are properly maintained, and media inventories are to be performed at least annually.
Devices that capture payment card data via direct physical interaction with cards are protected from tampering and substitution by:
The following are definitions relevant to the policy:
St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).
All breaches of information security, actual or suspected, must be reported to, and investigated by, the CIO and the Director of Information Security.
Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by St. John’s.