
Business Affairs



Physical Access


 

1. General

Information Technology support staff, system administrators, and information security administrators may have information resource physical facility access requirements as part of their job duties. The granting, controlling, and monitoring of the physical access to information resource facilities is extremely important to an overall security program.

2. Applicability

This procedure applies to facilities that house multi-user systems (i.e., a server room or a voice and data switch room) that process or store mission critical and/or confidential information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with physical access. The intended audience for this procedure includes, but is not limited to, all information resources data owners, management personnel, and system administrators.

3. Definitions

  • Confidential Information: Information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
  • Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
  • Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.

 

4. Procedures
  1. All physical security systems shall comply with applicable regulations such as, but not limited to, building codes and fire prevention codes.
  2. All information resource facilities shall be physically protected in proportion to the criticality or importance of their function at the University.
  3. Access to information resources facilities shall be granted only to departmental personnel, vendors, or other authorized personnel whose job responsibilities require access to that facility.
  4. There shall be an approval and documentation process for granting and revocation/return of security codes, access cards, and/or key access to information resources facilities.
  5. Individuals who are granted access rights to an information resource facility must sign appropriate access agreements. Facility users should also receive information regarding appropriate physical security practices and emergency procedures.
  6. Security access codes, access cards and/or keys to information resource facilities shall not be shared or loaned to others.
  7. Visitors must be escorted in restricted access areas of information resource facilities.
  8. Physical access records shall be maintained as appropriate for the criticality of the information resources being protected. Such records shall be reviewed as needed by organizational unit heads or their designees.
  9. Signage for restricted access rooms and locations must be practical, yet display minimal discernible evidence of the importance of the facility.