Physical and Environmental Security

Safeguards for Domain 6
Information Security & Privacy Program

Physical and environmental safeguards are often overlooked but are very important in protecting information. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes.

Standards-based expectations for this Domain | IU's Implementation of Safeguards for this Domain

Secure Areas

Ensuring complete physical security is impossible, especially in an institution of higher education. While there are several university facilities that have extensive security safeguards in place because of the nature of the services and information contained therein, most of our buildings and rooms allow unfettered access to members of the public. General building and room security safeguards should be in harmony with the overall atmosphere of the building while factoring in threats to the information contained within.

The security of facilities housing information resources can be protected by a number of means (e.g., locked doors with limited key distribution, locked machine cabinets, glass break sensors on windows, motion detectors, door alarms, fire suppression, appropriate heating, cooling and backup power). As with all security issues, the cost of implementing such protection measures has to be weighed against the risks. In some circumstances, the simple act of ensuring that all doors and windows in the room remain closed and locked while unoccupied might suffice. In another case, the sensitivity or criticality of the information contained in, and the service provided by, a building, room, or piece of equipment might be such that more stringent actions are taken.

Each unit at the university is responsible for the security of the buildings and rooms that house information and information technology systems in support of their business or role.

The process for reviewing, analyzing, requesting, installing, and maintaining physical security safeguards, as well as the expertise for performing each of these tasks, varies across campuses and units. University Public Safety and Institutional Assurance can assist units in establishing physical security policy and procedures that govern their facilities.

At IU, can I lease space in the Data Center for my departmental servers, and what other options exist? | IU Knowledge Base

The IU Intelligent Infrastructure provides hardened data center services. See especially their Service Level Expectations for descriptions of their secure practices.

For more on security related to the principle of availability, see Domain 11: Business Continuity.

The Facilities Physical Security, Safety, and Privacy Program provides facility design guidance to the university community.

The Video and Electronic Surveillance policy provides direction for units wanting to deploy video and other forms of surveillance in university facilities.

The University Architect's Office provides a Facilities Physical Security, Safety, and Privacy - Base Bid Standards document outlining standards to incorporate into facility design, for new construction and renovation.

Equipment Security

There are many types of equipment involved in the creation, collection, storage, manipulation, and/or transmission of information. Filing cabinets are used to store student transcripts. Computer systems are used to process and maintain intellectual property. Data networking equipment and cables are used to transmit voice and video communications. While the value of the equipment cannot be disregarded, the information stored in the device is arguably more valuable than the device itself. Physical and logical security safeguards should be based on the type of data being processed by the equipment.


Appropriate physical safeguards must be placed on equipment that stores or processes institutional data. In addition to physically securing this equipment, consideration must be given to other environment-related aspects that could, if not managed correctly, cause an interruption of service or availability and thus disrupt the university's mission. Careful thought must be given to ensure proper power (e.g., Uninterruptible Power Supplies, generator power backup, redundant power feeds), adequate fire protection, proper heating and cooling, and so on. These environmental safeguards must be commensurate with the sensitivity of the data contained in or processed by the equipment.

Equipment removed from university premises is particularly vulnerable to loss or theft. Therefore, the equipment must be protected when off-site, at home, or while in transit from one location to another.

The policy on Security of Information Technology Resources still applies, regardless of the placement or location of the equipment.

At IU, can I lease space in the Data Center for my departmental servers, and what other options exist? | IU Knowledge Base

The Office of Financial Management Services governs the process for removing capital equipment from university property.

While non-capital equipment is not covered by this policy, appropriate inventory and tracking methods should still be used, particularly if the non-capital equipment contains or processes sensitive information.

  • Protecting Your Laptop Computer | IU Information Security Office
  • Do you plan to travel abroad and take your university-issued laptop computer, digital storage device, or any encryption products with you? The Export Control Office in the Office of Research Administration can help you determine if your university-issued electronic components require a license prior to international travel, can provide tips for international travel with information stored on electronic components, and can provide a list of sanctioned and restricted parties and entities with whom IU is prohibited by federal law from doing business. Contact them at

Disposal and Redistribution

Information stored in equipment being disposed of, redistributed, or sold must be securely removed to prevent the disclosure of the information to unauthorized parties.

University Purchasing governs the disposal and redistribution of university property.

In addition to digital media, information classified as Critical stored in paper form must also be securely destroyed. The IU Office of Procurement Services maintains a list of contracted vendors; there is at least one vendor located near each IU campus.

For more information, visit the Securely Removing Data - Data on Paper section.

Summary of Domain Objectives

The primary objectives of this domain are to:

  • prevent unauthorized physical access, damage, and interference to premises and information
  • ensure sensitive infor