91探花

Search within:

Physical security standard

Purpose

The purpose of this standard is to define controls to maintain the confidentiality, integrity, and availability of OHIO resources through the prevention of loss, damage, theft, or compromise of university data and assets.

Scope

This standard applies to any systems or paper records containing OHIO data, and provides a minimum baseline for physical security. Any standards or policies that require more stringent physical security for specific systems or locations supersede this standard. All OHIO faculty, staff, students and third-party associates are responsible for ensuring that university data is secured.

Standard

Device security

  • No authentication credentials should be stored in the area on or around a system. (For example, credentials should not be written on a sticky note on a computer or under a keyboard).
  • Unattended devices must have the user profile locked.
  • Mobile devices such as laptops, or portable media must be stored securely when not in use such as in a locked cabinet, or secured via laptop lock, or secured behind a locked door so that it is removed from publicly accessible areas.
  • Devices with OHIO data stored on them should utilize encryption at either the file level or disk level based on the sensitivity of the data, per the information security standard Acceptable Encryption.
  • Units should maintain an asset inventory list of their devices containing model, serial number, Media Access Control (MAC) address, and its unique asset tag if applicable.

Location security

  • Locations that store sensitive data or devices containing sensitive data should be secured via doors with key or card swipe.
  • Users should be aware of their surroundings and be cognizant of the visibility of data on computer screens and surrounding workstations.
    • Adhere to a clean desk policy ensuring that documents containing sensitive information are not left out where data can be visible to individuals that are not authorized to access it. For example, turn over documents on your desk, when not in use, and store paper documents and removable media in locked cabinets or desk drawers when unattended.
  • Upon employee retirement, termination or transfer, access to physical locations must be removed.

References

  • Policy 91.005 Information Security
  • Policy 91.006 Information Security Risk Management
  • Policy 93.001 Data Classification
  • NIST 800 Series Publications
  • Information Security Standard: Acceptable Encryption

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

Complete Exception request form.

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Information Technology: Ed Carter (Chair)
  • Human Resources: Michael Courtney
  • Faculty: Hans Kruse
  • Finance and Administration: Chad Mitchell
  • Associate Dean: Shawn Ostermann
  • Regional Higher Education: Larry Tumblin
  • Research and Sponsored Programs: Maureen Valentine
  • Enterprise Risk Management and Insurance: Larry Wines

History

Draft versions of this policy were circulated for review and approved May 6, 2021.