Here's a concise summary of the university's physical security policy:
Objective: Ensure the security and integrity of physical information systems and minimize risks to safety and confidentiality.
Scope: Physical information system resources and the physical security of personnel.
General Rules:
- Security Zoning:
  - Public areas: Open to all.
  - Limited areas: Authorized personnel and permitted visitors.
  - Secure areas: Restricted access, requiring senior management approval.
- Institution Duties (General):
  - Establish controls for each zone.
  - Implement visitor instructions.
  - Protect energy sources and provide backups.
  - Provide and test fire extinguishing systems.
  - Securely store backup media and equipment.
- Institution Duties (Asset Management):
  - Secure assets in controlled areas.
  - Monitor and protect assets.
  - Consider equipment location and security measures.
- Institution Duties (Visitor Instructions):
  - Accompany visitors in sensitive areas.
  - Issue visitor permits.
  - Request device deposits.
  - Organize entry and exit to avoid sensitive areas.
Simulation:
- Acceptable Practice:
  - Clear security zoning.
  - Robust data center protection (alarms, surveillance, access control).
  - Strict visitor procedures (registration, accompaniment, device deposits).
  - Asset protection (registration, monitoring, authorized maintenance, secure disposal).
  - Result: Systems and sensitive information are protected, and the environment is safe.
- Unacceptable Practice:
  - Lack of security zoning.
  - Weak data center protection (no monitoring, open doors, no logs).
  - Neglected visitor procedures (no registration, uncontrolled access).
  - Lack of asset protection (no records, unauthorized maintenance, insecure disposal).
  - Result: Increased security risks, including data theft or loss.
Conclusion:
- Following accepted practices ensures protection.
- Unacceptable practices lead to security vulnerabilities.