Section: Information Technology
Policy Number: 917
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19
The protection of the physical environment is one of the most obvious yet most important tasks within the area of information security. A lack of physical access control can undo the most careful technical precautions, and potentially put lives at risk.
St. John’s University (St. John’s) is committed to ensuring the safety of its employees, contractors and assets and takes the issue of physical security very seriously. This policy sets out the main precautions that must be taken.
This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity and availability of the University’s information assets, and protects the interest of the University, its customers, personnel and business partners.
Sensitive information is stored securely. Appropriate security controls are in place to protect St. John’s information assets from unauthorized physical access, damage, and interference, and to safeguard them against reasonable environmental hazards and active and passive electronic penetration. A risk assessment is carried out to identify the appropriate level of protection to be implemented to secure the information being stored.
All internal or third-party vendor storage location security is reviewed at least annually to confirm that backup media storage is secure.
When media is no longer needed for business or legal reasons, it is destroyed using industry-standard security methods.
Media classification is implemented so that the sensitivity of data can be determined, and appropriate physical security is in place. All media inventory logs are properly maintained, and media inventories are to be performed at least annually.
Devices that capture payment card data via direct physical interaction with cards are protected from tampering and substitution by:
The following are the definitions relevant to the policy:
The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to and reviewed and approved by the CIO, the Director of Information Security, or the equivalent officer(s).
All breaches of information security, actual or suspected, must be reported to, and investigated by, the CIO and the Director of Information Security.
Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.