University Rule 4-004F: Physical and Facility Security Rev. 0.

  1. PURPOSE AND SCOPE
    1. The purpose of this Physical and Facility Rule is to protect the University's premises and facilities by establishing requirements for secure operations.
    2. This Rule supports section F, titled Physical and Facility Security Rule, of the University of Utah Information Security Policy 4-004.
  2. DEFINITIONS
    The definitions provided in Policy 4-004: University of Utah Information Security Policy, apply for purposes of this Rule, including the following:
    1. Confidential - Any Information Asset which is classified as Restricted or Sensitive per the Data Classification and Encryption Rule.
    2. Information System - An Application or group of servers used for the electronic storage, processing, or transmitting of any University data or Information Asset.
    3. Restricted Data - Any data types classified as Restricted per the Data Classification and Encryption Rule.
  3. RULE
    1. Physical Security Perimeter
      1. The following will be implemented as appropriate for physical security perimeters:
        1. Security perimeter zones will be clearly defined and the controls applied to each zone should be commensurate with the security requirements of the Information Systems contained within.
        2. The security perimeters of a building must be physically sound, to include the following protections:
          1. The external walls must be of solid construction.
          2. The external doors must be protected against unauthorized access with appropriate control mechanisms including locks and/or alarms.
          3. Doors and windows must be locked when unattended.
          4. Access to security zones and buildings will be restricted to authorized personnel only.
          5. Staffed reception areas are encouraged where appropriate to further control physical access to the building.
          6. Fire doors on a security perimeter must be alarmed and monitored.
    2. Physical Entry Controls
      1. To ensure that only authorized personnel have access to a secure area, the following physical entry controls will be implemented:
        1. A log must be available to record the following Visitor activities:
          1. Visitor name
          2. Date and time of entry
          3. Visitor's organization
          4. The University personnel accountable for Visitor
          5. Purpose of visit
          6. Time of departure
        2. Staff, faculty, other permanent or temporary employees, contractors, vendors, and visitors are encouraged to wear a form of visible identification.
        3. Access to security zones storing or processing Restricted data will have additional controls to authenticate and validate authorized personnel:
          1. Access control examples include access cards, control code panels, etc.
          2. Authorized access will be logged and monitored.
          3. Authorized access will be regularly reviewed, updated, and revoked as appropriate.
          4. Unauthorized photographic, video, audio, or other recording equipment is not allowed.
    3. Protecting Against Natural and Facility Threats
      1. To avoid damage from natural and facility threats, the following controls must be implemented:
        1. Storage of hazardous or combustible materials must be maintained at a safe distance from secure areas.
        2. Fire-fighting equipment appropriate to the area must be provided and suitably placed.
        3. Back-up utilities, equipment and media must be maintained at a safe distance from secure areas to avoid damage from a disaster.
    4. Information System Location and Protection
      1. To further protect the University's Information Systems from natural and facility threats, the following controls should be implemented:
        1. Assign equipment location to minimize unnecessary access into work areas.
        2. Position equipment storing or processing Confidential data to minimize the line-of-sight viewing angle of unauthorized personnel.
        3. Isolate equipment that requires special and/or elevated protection.
        4. Adopt controls to monitor and minimize the risk of the following physical threats as appropriate:
          1. Theft
          2. Fire and smoke
          3. Water and humidity
          4. Temperature fluctuations
          5. Vibration
          6. Electrical supply or other electrical interference
        5. Ensure that the following supporting utilities are adequate for the Information Systems they are supporting:
          1. Electricity
          2. Water supply
          3. HVAC
          4. Back-up UPS
        6. Ensure that only University Information Systems are plugged into power outlets and/or network and communications ports in University data centers.
    5. Cabling Security
      1. To protect power and network cabling from interception or damage, the following controls should be implemented:
        1. Where possible, power and telecommunication lines into the University's facilities will be underground.
        2. Protect network cabling by utilizing conduit or avoiding routing network cabling through public areas.
        3. Segregate power cables from network cabling to prevent interference.
        4. Cable labeling is encouraged to reduce handling errors.
        5. Open ports shall not be utilized without authorization.
    6. Information System Maintenance
      1. To ensure that maintenance of the University's Information Systems is conducted in a secure manner that supports their availability and integrity, the following controls should be implemented:
        1. Maintain equipment in accordance with the manufacturer's specifications.
        2. Confirm that maintenance personnel are authorized to conduct repairs and servicing of identified equipment.
        3. Require authorized maintenance personnel to fill out an entry and exit log for the facility when on-site repairs are conducted.
        4. Keep records and/or logs of equipment faults and the resulting preventative and corrective maintenance.
    7. [Note: Parts IV-VII of this Rule (and all other University Regulations) are Regulations Resource Information, the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]
  4. RULES, PROCEDURES, GUIDELINES, FORMS, and OTHER RELATED RESOURCES
    1. Rules
      1. TBD
    2. Procedures
      1. Policy 4-004 Procedures
    3. Guidelines
      1. TBD
    4. Forms
    5. Other Related Resources Material
  5. REFERENCES
      1. 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy
      2. Family Educational Rights and Privacy Act of 1974 ("FERPA", 20 U.S.C. § 1232g)
      3. Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541)
      4. ISO 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls
      5. NIST 800 Series, Federal Information Security Standards
      6. Policy 3-070: Payment Card Acceptance
      7. Policy 4-001: University Institutional Data Management
      8. Policy 4-003: World Wide Web Resources Policy
      9. Policy 5-111: Disciplinary Actions and Dismissal of Staff Employees
      10. Policy 6-400: Code of Student Rights and Responsibilities
      11. Policy 6-316: Code of Faculty Rights and Responsibilities
      12. Pub. 111-5, Division A, Title XIII, Subtitle D: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
      13. Omnibus HIPAA Rule: 45 CFR Parts 160 and 164 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule
  6. CONTACTS
    1. The designated contact Officials for this Policy are:
      1. Policy Owner (primary contact person for questions and advice): Chief Information Security Officer, 801-213-3397
      2. Policy Officer: Chief Information Officer, 801-581-3100
    2. These officials are designated by the University President or delegee, with the assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:
    3. "A 'Policy Officer' will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases...."
    4. "The Policy Officer will identify an 'Owner' for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the Policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to whom the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library... [and] bears the responsibility for determining requirements of particular Policies...." University Rule 1-001-III-B & E
  7. HISTORY
    1. Current version: Revision 1, effective date: April 4, 2016
      1. Approved by Academic Senate: May 4, 2015
      2. Approved by Board of Trustees: May 12, 2015
      3. Background information for this version

Rule: 4-004F Rev: 0
Date: April 4, 2016