861.00 Physical Security for Information Resources

Purpose

The purpose of the Physical Security Policy is to establish the rules for granting, controlling, monitoring, and removing physical access to Salish Kootenai College Information Resource facilities. Information Resource facilities are buildings and rooms which contain servers, network devices, etc.

Audience

This policy applies to all individuals that install, support, maintain, or are otherwise responsible for the physical security of Salish Kootenai College Information Resources as defined in Policy 860.00, Information Security.

  1. General
    1. Physical security systems must comply with all applicable regulations, including but not limited to building codes and fire prevention codes.
      1. Physical access to all Salish Kootenai College restricted facilities must be documented and managed.
      2. All Information Resource facilities must be physically protected in proportion to the criticality or importance of their function at Salish Kootenai College.
      3. Access to Information Resources facilities must be granted only to Salish Kootenai College support personnel and contractors whose job responsibilities require access to that facility.
      4. All facility entrances where unauthorized persons could enter the premises must be controlled. 
      5. Secure areas must be protected to reduce the risks from environmental threats, hazards, and unauthorized access opportunities. This includes:
        1. information processing facilities handling confidential information should be positioned carefully to reduce the risk of information being viewed by unauthorized persons during their use;
        2. controls should be adopted to minimize the risk of potential physical and environmental threats;
        3. environmental conditions, such as temperature and humidity, should be monitored for conditions that could adversely affect the operation of information processing facilities.
      6. Equipment must be protected from power failures and other disruptions caused by utility failures.
      7. Restricted access rooms and locations must have no signage or evidence of the importance of the location.
      8. All Information Resources facilities that allow access to visitors will track visitor access with a sign-in/out log.
      9. Card access records and visitor logs for Information Resource facilities must be kept for routine review based on the criticality of the Information Resources being protected.
      10. Visitors in controlled areas of Information Resource facilities must be accompanied by authorized personnel at all times.
      11. Personnel responsible for Information Resource physical facility management must review access records and visitor logs for the facility periodically and investigate any unusual access.
  2. Access Cards and Codes
    1. Process for Access Cards and Codes
      1. The process for granting card and/or key access to Information Resource facilities must include the approval of physical security personnel.
      2. Each individual granted access to an Information Resource facility must sign the appropriate access and non-disclosure agreements.
      3. Cards and codes must not be reallocated to another individual, bypassing the return process.
      4. Physical security personnel must remove the card and/or key access rights of individuals that change roles within Salish Kootenai College or are separated from their relationship with Salish Kootenai College.
      5. Physical security personnel must review card and/or key access rights for the facility periodically and remove access for individuals that no longer require access.
  3. Utility Systems
    1. All utility systems in use at the facility must be identified and documented with detailed procedures for overall maintenance requirements. 
    2. Maintenance and testing activities must be performed per manufacturers’ specifications and documented to provide an audit trail of all activities.  
    3. Utility systems must be secured from unauthorized access.  
    4. Utility systems must be set to raise an alarm on malfunctions.
    5. Emergency systems, lighting, fire suppression, and emergency power systems must be in place and regularly tested to ensure functionality. 
    6. Critical utilities must be configured redundantly to ensure continued functionality. 
  4. Housekeeping Staff
    1. Requirements for Housekeeping Staff
      1. Housekeeping/cleaning staff must go through standard information security awareness training.
      2. Where external or third parties are used for cleaning services, the third party must be insured and bonded.
      3. Housekeeping/cleaning staff must be (supervised/monitored) while performing required duties.
      4. Housekeeping/cleaning staff must wear ID badges and be assigned a unique identifier that provides an audit trail on access to areas of the facility.  
      5. If housekeeping/cleaning staff need to gain access to restricted areas, specific clearance from security staff must be obtained. 
  5. Loading Docks
    1. Procedures for delivery and receipt of packages must be documented.
    2. Delivery areas must be secured and isolated from public areas. 
    3. Delivery areas must be locked when unattended. 
    4. Unauthorized personnel must be accompanied at all times within delivery areas.
    5. Surveillance cameras must be secured and adequately cover delivery areas.  
    6. Incoming deliveries must be registered, isolated, and inspected for evidence of tampering before being moved to internal areas.
    7. All discovered evidence of tampering must immediately be reported to physical security personnel.  

References

  • ISO 27002: 7, 9, 11, 13, 16
  • NIST CSF: PR.AC, PR.IP, PR.PT, DE.CM
  • Policy 705.00, Incident Management and Recovery 

History:

Adopted 3/17/2023

Salish Kootenai College is accredited by the Northwest Commission on Colleges and Universities. Salish Kootenai College | PO Box 70 | 58138 US Highway 93 | Pablo, MT 59855 | 406.275.4800.