School of Visual Arts is hereinafter referred to as “the company.”

1.0 Overview

Information assets are necessarily associated with the physical devices on which they reside.  Information is stored on workstations and servers and transmitted on the company’s physical network infrastructure.  In order to secure the company data, thought must be given to the security of the company’s physical Information Technology (IT) resources to ensure that they are protected from standard risks.

2.0 Purpose

The purpose of this policy is to protect the company’s physical information systems by setting standards for secure operations.

3.0 Scope

This policy applies to the physical security of the company’s information systems, including, but not limited to, all company-owned or company-provided network devices, servers, personal computers, mobile devices, and storage media.  Additionally, any person working in or visiting the company’s office is covered by this policy. 

Please note that this policy covers the physical security of the company’s Information Technology infrastructure, and does not cover the security of non-IT items or the important topic of employee security.  While there will always be overlap, care must taken to ensure that this policy is consistent with any existing physical security policies.

4.0 Policy

4.1 Choosing a Site
When possible, thought should be given to selecting a site for IT Operations that is secure and free of unnecessary environmental challenges.  This is especially true when selecting a datacenter or a site for centralized IT operations.  At a minimum, the company’s site should meet the following criteria:

•           A site should not be particularly susceptible to fire, flood, earthquake, or other natural disasters.

•           A site should not be located in an area where the crime rate and/or risk of theft is higher than average.

•           A site should have the fewest number of entry points possible.

If these criteria cannot be effectively met for any reason, the company should consider outsourcing its data in whole or in part to a third-party datacenter or hosting provider, provided that such a company can cost effectively meet or exceed the company’s requirements.

4.2 Security Zones
At a minimum, the company will maintain standard security controls, such as locks on exterior doors and/or an alarm system, to secure the company’s assets.  In addition to this the company must provide security in layers by designating different security zones within the building.  Security zones should include:

Public This includes areas of the building or office that are intended for public access.

•           Access Restrictions: None

•           Additional Security Controls: None

•           Examples: Lobby, common areas of building

Company This includes areas of the building or office that are used only by employees and other persons for official company business.

•           Access Restrictions: Only company personnel and approved/escorted guests

•           Additional Security Controls: Additional access controls should be used, such as keys, keypads, keycards, or similar devices, with access to these areas logged if possible.

•           Examples: Hallways, private offices, work areas, conference rooms

Private This includes areas that are restricted to use by certain persons within the company, such as executives, scientists, engineers, and IT personnel, for security or safety reasons.

•           Access Restrictions: Only specifically approved personnel

•           Additional Security Controls: Additional access controls must be used, such as keys, keypads, keycards, or similar devices, with access to these areas logged.  Additionally, an alarm system should be considered for these areas that will alert to unauthorized access.

•           Examples: Executive offices, lab space, network room, manufacturing area, financial offices, and storage areas.

4.3 Access Controls
Access controls are necessary to restrict entry to the company premises and security zones to only approved persons.  There are a several standard ways to do this, which are outlined in this section, along with the company’s guidelines for their use.

4.3.1 Keys & Keypads
The use of keys and keypads is acceptable, as long as keys are marked “do not duplicate” and their distribution is limited.  These security mechanisms are the most inexpensive and are the most familiar to users.  The disadvantage is that the company has no control, aside from changing the locks or codes, over how and when the access is used.  Keys can be copied and keypad codes can be shared or seen during input.  However, used in conjunction with another security strategy, such as an alarm system, good security can be obtained with keys and keypads.

4.3.2 Keycards & Biometrics
The company requires that keycards or biometrics be used for access to security zones designated as private.  The company should consider using these methods for all zones, though it is not required.

Keycards and biometrics have an advantage over keys in that access policies can be tuned to the individual user.  Schedules can be set to forbid off-hours access, or forbid users from accessing a security zone where they are not authorized.  Perhaps best of all, these methods allow for control over exactly who possesses the credentials.  If a keycard is lost or stolen it can be immediately disabled.  If an employee is terminated or resigns, that user’s access can be disabled.  The granular control offered by keycards and biometrics make them appealing access control methods.

4.3.3 Alarm System
A security alarm system is a good way to minimize risk of theft, or reduce loss in the event of a theft.  The company does not mandate the use of an alarm system, however an alarm system would be an excellent way to increase the security of the site.

4.4 Physical Data Security
Certain physical precautions must be taken to ensure the integrity of the company’s data.  At a minimum, the following guidelines must be followed:

•           Computer screens should be positioned where information on the screens cannot be seen by outsiders. 

•           Confidential and sensitive information should not be displayed on a computer screen where the screen can be viewed by those not authorized to view the information.

•           Users must log off or shut down their workstations when leaving for an extended time period, or at the end of the workday.

•           Network cabling should not run through unsecured areas unless the cabling is carrying only public data (i.e., extended wiring for an Internet circuit).

•           The company recommends disabling network ports that are not in use.

4.5 Physical System Security
In addition to protecting the data on the company’s information technology assets, this policy provides the guidelines below on keeping the systems themselves secure from damage or theft.

4.5.1 Minimizing Risk of Loss and Theft
In order to minimize the risk of data loss through loss or theft of company property, the following guidelines must be followed:

•           Unused systems: If a system is not in use for an extended period of time it should be moved to a secure area or otherwise secured.

•           Mobile devices: Special precautions must be taken to prevent loss or theft of mobile devices.  Refer to the company’s Mobile Device Policy for guidance.

•           Systems that store confidential data: Special precautions must be taken to prevent loss or theft of these systems.  Refer to the company’s Confidential Data Policy for guidance.

4.5.2 Minimizing Risk of Damage
Systems that store company data are often sensitive electronic devices that are susceptible to being inadvertently damaged.  In order to minimize the risk of damage, the following guidelines must be followed:

•           Environmental controls should keep the operating environment of company systems within standards specified by the manufacturer.  These standards often involve, but are not limited to, temperature and humidity.

•           Proper grounding procedures must be followed when opening system cases.  This may include use of a grounding wrist strap or other means to ensure that the danger from static electricity is minimized.

•           Strong magnets must not be used in proximity to company systems or media.

•           Except in the case of a fire suppression system, open liquids must not be located above company systems.  Technicians working on or near company systems should never use the systems as tables for beverages.  Beverages must never be placed where they can be spilled onto company systems.

•           Uninterruptible Power Supplies (UPSs) and/or surge-protectors are required for all company systems. These devices must carry a warranty that covers the value of the systems if the systems were to be damaged by a power surge.

4.6 Fire Prevention
It is the company’s policy to provide a safe workplace that minimizes the risk of fire.  In addition to the danger to employees, even a small fire can be catastrophic to computer systems.  Further, due to the electrical components of IT systems, the fire danger in these areas is typically higher than other areas of the company’s office.  The guidelines below are intended to be specific to the company’s information technology assets and should conform to the company’s overall fire safety policy.

•           Fire, smoke alarms, and/or suppression systems must be used, and must conform to local fire codes and applicable ordinances.

•           Electrical outlets must not be overloaded.  Users must not chain multiple power strips, extension cords, or surge protectors together.

•           Extension cords, surge protectors, power strips, and uninterruptible power supplies must be of the three-wire/three-prong variety.

•           Only electrical equipment that has been approved by Underwriters Laboratories and bears the UL seal of approval must be used.

•           Unused electrical equipment should be turned off when not in use for extended periods of time (i.e., during non-business hours) if possible.

•           Periodic inspection of electrical equipment must be performed.  Power cords, cabling, and other electrical devices must be checked for excessive wear or cracks.  If overly-worn equipment is found, the equipment must be replaced or taken out of service immediately depending on the degree of wear.

•           A smoke alarm monitoring service must be used that will alert a designated company employee if an alarm is tripped during non-business hours.

4.7 Entry Security
It is the company’s policy to provide a safe workplace for employees.  Monitoring those who enter and exit the premises is a good security practice in general, but is particularly true for minimizing risk to company systems and data.  The guidelines below are intended to be specific to the company’s information technology assets and should conform to the company’s overall security policy.

4.7.1 Use of Identification Badges
Identification (ID) badges are useful to identify authorized persons on the company premises.  The company has established the following guidelines for the use of ID badges.

•           Employees: Photo ID badges are required and must be displayed at all times while on company premises. Employees must remove their badges from view when out of the office.

•           Non-employees/Visitors: Visitor badges are required.  Specific, non-generic badges must identify visitors by name and the date of the visit.  The company should investigate visitor badges that automatically expire and determine if the use of such technology is feasible for use.

•           Users must a report lost or stolen badge immediately to his or her supervisor.  A temporary badge may be utilized in such cases until the badge can be re-generated.

•           Initial badge generation will be done only at the direction of Human Resources for new hires or users changing jobs.  Users must show photo identification for identity verification.

4.7.2 Sign-in Requirements
The company must maintain a sign-in log (or similar device) in the lobby or entry area and visitors must be required to sign in upon arrival.  At minimum, the register must include the following information: visitor’s name, company name, reason for visit, name of person visiting, sign-in time, and sign-out time.

4.7.3 Visitor Access
Visitors should be given only the level of access to the company premises that is appropriate to the reason for their visit.  After checking in, visitors must be escorted unless they are considered “trusted” by the company.  Examples of a trusted visitor may be the company’s legal counsel, financial advisor, or a courier that frequents the office, and will be decided on a case-by-case basis.

4.8 Applicability of Other Policies
This document is part of the company’s cohesive set of security policies.  Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Biometrics  The process of using a person’s unique physical characteristics to prove that person’s identity.  Commonly used are fingerprints, retinal patterns, and hand geometry.

Datacenter  A location used to house a company’s servers or other information technology assets.  Typically offers enhanced security, redundancy, and environmental controls.

Keycard  A plastic card that is swiped, or that contains a proximity device, that is used for identification purposes.  Often used to grant and/or track physical access.

Keypad  A small keyboard or number entry device that allows a user to input a code for authentication purposes.  Often used to grant and/or track physical access.

Mobile Device  A portable device that can be used for certain applications and data storage.  Examples are PDAs or Smartphones.

PDA  Stands for Personal Digital Assistant.  A portable device that stores and organizes personal information, such as contact information, calendar, and notes.

Smartphone  A mobile telephone that offers additional applications, such as PDA functions and email.

Uninterruptible Power Supplies (UPSs)  A battery system that automatically provides power to electrical devices during a power outage for a certain period of time.  Typically also contains power surge protection.

7.0 Revision History

Revision 2.0, 1/1/2015