Skip to content

Rule R4-004F: Physical and Facility Security

Revision 1. Effective date: September 12, 2023

View PDF

  1. Purpose and Scope
  2. Definitions
  3. Rule
    1. Physical Security Perimeter
    2. Physical Entry Controls
    3. Protecting Against Natural and Environmental Threats
    4. Information System Location and Protection
    5. Cabling Security
    6. Information System Maintenance
  4. Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources
  5. References
  6. Contacts
  7. History

  1. Purpose and Scope‌

    1. Purpose

      The purpose of this Physical and Facility Rule is to protect the University’s premises and facilities by establishing requirements for secure operations.

    2. Scope

      The scope of this rule is all University administrative units, including colleges, divisions, departments, and centers, and all members of the University community, including students, staff, faculty, other permanent or temporary employees, contractors, research collaborators, vendors, and third-party agents.

      This rule supports section F, titled Physical and Facility Security Rule, of the University of Utah Information Security Policy 4-004.

  2. Definitions‌

    The definitions provided in Policy 4-004 apply for this rule.

  3. Rule‌

    1. Physical Security Perimeter‌

      1. The following will be implemented as applicable for physical security perimeters:

        1. security zones will be clearly defined, and the Controls applied to each zone should be commensurate with the physical security requirements of the Information Systems contained within; and

        2. the security perimeters of a building must be physically sound and include the following protections:

          1. the external walls must be of solid construction;

          2. the external doors must be protected against unauthorized access with appropriate Control mechanisms including locks and/or alarms;

          3. doors and windows must be locked when unattended;

          4. access to physical security zones and buildings will be restricted to authorized personnel only;

          5. staffed reception areas are encouraged where appropriate to further control physical access to the building; and

          6. fire doors on a physical security perimeter must be alarmed and monitored.

    2. Physical Entry Controls‌

      1. To ensure that only authorized personnel have access to secure areas, the following physical entry Controls shall be implemented:

        1. a visitor log that records the following:

          1. visitor name;

          2. visitor’s date and time of entry;

          3. visitor’s organization;

          4. the University personnel accountable for the visitor;

          5. the purpose of visit; and

          6. the time of the visitor’s departure.

      2. Staff, faculty, other permanent or temporary employees, contractors, vendors, and visitors shall wear a form of visible identification.

      3. Access to security zones where Restricted Data is stored or processed requires the following additional Controls to authenticate and validate authorized personnel:

        1. access Controls, such as access cards, control code panels, etc.;

        2. regular logging and monitoring of authorized access; and

        3. regularly reviewing, updating, and revoking authorized access as appropriate.

      4. Unauthorized photographic, video, audio, or other recording equipment is prohibited in security zones.

    3. Protecting Against Natural and Environmental Threats‌

      1. All departments and units shall avoid damage from natural and environmental Threats by storing hazardous or combustible materials a safe distance from secure areas, providing and placing suitable fire-fighting equipment appropriate to the area, and maintaining back-up utilities, equipment, and media a safe distance from secure areas.

    4. Information System Location and Protection‌

      1. To further protect the University’s IT Resources and Information Systems from natural and environmental Threats, IT Technicians shall implement the following Controls:

        1. Place IT Resources and Information Systems in a location with limited access;

        2. position IT Resources and Information Systems that store or process Restricted or Sensitive Data in a way that minimizes the ability of unauthorized people to view the equipment;

        3. isolate IT Resources and Information Systems that require special and/or elevated protection;

        4. adopt Controls to monitor and minimize the Risk of the following physical Threats as appropriate:

          1. theft;

          2. fire and smoke;

          3. water and humidity;

          4. temperature fluctuations;

          5. vibration; and

          6. electrical supply or other electrical interference;

        5. ensure that the following supporting utilities are adequate for the Information Systems they are supporting:

          1. electricity;

          2. water supply;

          3. HVAC; and

          4. back-up Uninterruptible Power Supply (UPS); and

        6. ensure that only University Information Systems are plugged in to power outlets and/or network and communications ports in University data centers.

    5. Cabling Security‌

      1. To protect power and network cabling from interception or damage, IT Technicians shall implement the following Controls:

        1. where possible, power and telecommunication lines connected to University’s facilities shall be underground;

        2. protect network cabling by utilizing conduit or avoiding routing network cabling through public areas;

        3. segregate power cables from network cabling to prevent interference;

        4. label cables to reduce handling errors; and

        5. network ports not in use shall be disabled.

    6. Information System Maintenance‌

      1. To ensure maintenance activities of the University’s Information Systems that support availability and integrity are conducted in a secure manner, IT Technicians shall implement the following Controls:

        1. maintain equipment in accordance with the manufacturer’s specifications;

        2. confirm that maintenance personnel are authorized to conduct repairs and servicing of identified equipment;

        3. require authorized maintenance personnel to fill out an entry and exit log for the facility when on-site repairs are conducted; and

        4. keep records and/or logs of equipment faults and the resulting preventative and corrective maintenance.

          Sections IV- VII are for user information and are not subject to the approval of the Academic Senate or the Board of Trustees. The Institutional Policy Committee, the Policy Owner, or the Policy Officer may update these sections at any time.

  4. Policies/ Rules, Procedures, Guidelines, Forms, and other Related Resources‌

    1. Policies/ Rules.

      1. Policy 4-004: University of Utah Information Security Policy

    2. Procedures, Guidelines, and Forms. [ reserved ]

    3. Other Related Resources. [ reserved ]

  5. References‌

    1. 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy

    2. Family Educational Rights and Privacy Act of 1974 ("FERPA", 20 U.S.C. § 1232g)

    3. Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541)

    4. ISO 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls

    5. NIST 800 Series, Federal Information Security Standards

    6. Policy 3-070: Payment Card Acceptance

    7. Policy 4-001: University Institutional Data Management

    8. Policy 4-003: World Wide Web Resources Policy

    9. Policy 5-111: Disciplinary Actions and Dismissal of Staff Employees

    10. Policy 6-400: Student Rights and Responsibilities

    11. Policy 6-316: Code of Faculty Rights and Responsibilities

    12. Pub. 111-5, Division A, Title XIII, Subtitle D: Health Information Technology for Economic and Clinical Health Act (HITECH Act)

    13. Omnibus HIPAA Rule: 45 CFR Parts 160 and 164 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule

    14. Utah Board of Higher Education Policy R345 Information Technology Resources Security

  6. Contacts‌

    The designated contact officials for this Regulation are:

    1. Policy Owner(s) (primary contact person for questions and advice): Chief Information Security Officer

    2. Policy Officer(s): Chief Information Officer

      See Rule 1-001 for information about the roles and authority of policy owners and policy officers.

  7. History‌

    Revision History

    1. Current version. Revision 1.

      1. Approved by President Randall as an Interim Rule on September 12, 2023 with effective date of September 12, 2023. Rule finalized with no changes after Board of Trustees approval of Policy 4-004 revisions on November 14, 2023.

      2. Legislative History

      3. Editorial Revisions

    2. Previous Revisions

      1. Revision 0. Effective date April 6, 2016.

    3. Renumbering

      1. Not applicable.

Last Updated: 11/15/23