Purpose

To ensure that Information Technology (IT) resources are protected by physical and environmental security measures that prevent physical tampering, damage, theft, or unauthorized physical access. This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

This standard applies to all UTHSC IT Resources operated both on-site and off-site of UTHSC that can store, transmit, and/or process UTHSC information with a level 1, 2, or 3 classification ranking. In addition, this standard also extends to the related facilities in which these resources are located, as well as to all units, faculty, principal investigators, and staff who process, maintain, transmit, or store data on any device, regardless of whether that device connects to the campus network.

Definitions

Device: any hardware component capable of executing code, including but not limited to desktops, laptops, tablets and other portables, servers, and computing appliances. This encompasses local, fixed, and removable storage systems and media including, but not limited to, magnetic, solid state, and optical drives; removable disks; USB disks and other devices; memory cards and sticks; CD-ROMs; DVDs; EPROM; magnetic tape; digital photographs; slides; negatives; and other forms of media or storage devices both currently used and that may become available in the future. UTHSC Information Technology (IT) Resource: Any data, device, or other component of the information environment that supports information-related activities. Assets generally include hardware (e.g. servers and switches), software (e.g. mission critical applications and support systems) and information.

Responsibilities

The Office of Cybersecurity is responsible for setting basic security standards for the IT resource.

Owner/custodian of the IT Resource is responsible for the physical security of the IT Resource and related facilities according to the referenced standards and practices in collaboration and coordination with UTHSC leadership and other pertinent UTHSC organizations and agencies.

Data Owner is ultimately responsible for the data and information being collected and maintained by his or her department or division, usually a member of senior management.

Owners of original copies of records must ensure the information has met the records-retention requirements before requesting or authorizing the destruction of media containing original information.
Owners of duplicative copies of records may destroy the records when they no longer have value for the University, provided the owner of the copy makes certain an original exists in compliance with applicable retention laws.

Data Custodian is responsible for the removal and/or destruction of any information with a level 3 classification rating in collaboration with the owner’s designee or delegate. The custodian is also responsible for ensuring a retrievable and exact copy is made of any information with a level 3 classification rating when required or needed and in collaboration with the owner’s designee or delegate.

UTHSC community are responsible for maintaining the physical security of the facility, their work area, and IT Resources to prevent unauthorized access, tampering, and theft.

Standard

UTHSC IT Resources that store, process, or transmit UTHSC information with a level 1, 2, or 3 classification ranking per GP-002-Data & System Classification shall be physically secured from unauthorized access and environmental threats that may compromise the security of the Resource.
1. Facilities containing UTHSC information with a level 1, 2, or 3 classification ranking equipment (servers, network wiring closets, etc.) must comply with the sections of this Standard.
2. Physical access to workstations, printers, scanners, fax machines, and other equipment that process and display UTHSC information with a level 1, 2, or 3 classification ranking shall be restricted to prevent unauthorized individuals from viewing UTHSC information with a level 1, 2, or 3 classification ranking; output devices (e.g., printers and displays) should not be located, whenever possible, in public sections of walkways, hallways, waiting areas, and/or similar environments.
UTHSC IT Resources are categorized according to the highest categorization of the information/data stored, processed, or transmitted with the IT Resource.
Failure to comply with this policy will be reported as an information security violation and may result in loss of network and system privileges for the computer and/or disciplinary action per GP-001.04-Information Security Violations for the individual violating the policy.

Servers and Server Rooms

Servers are required to be protected by backup and off-site data storage.
Data owners/custodians and system owner/custodians are responsible for maintaining the physical security of these devices.
Servers shall be located in a room specifically designed for housing server computers and ancillary equipment and secured commensurate with the categorization of the information.
Servers and systems that process information with a level 3 classification rating, or that are deemed critical for the operation of UTHSC must be housed in a totally enclosed facility (server room) designed and designated for housing server computers and associated ancillary equipment. The server room will meet the following standards:
1. Access:
  1. Entry to a server room shall be restricted to authorized personnel having responsibility for installing or maintaining the assets in the server room. Others requiring access shall be escorted and supervised by authorized personnel.
  2. All entry points affording access to server rooms shall be locked at all times.
  3. Access to server rooms shall be restricted by key, code, or electronic card. An auditable process for issuing keys, codes, and/or cards shall be documented.
  4. Access codes, if used, shall be changed every 6 months.
  5. Server rooms shall be continuously monitored by surveillance equipment.
2. Usage:
  1. New or refurbished server rooms shall not be shared with electrical service or unrelated services.
  2. Server rooms shall not be used for storage.
  3. Server rooms shall not be used as a “pass-through” to another room.
  4. Provisions for staff performing functions related to server room operations may be located in the Server Room.
3. Physical safeguards:
  1. Server rooms will be constructed to meet University of Tennessee facilities standards.
  2. An uninterruptable power source (UPS) with built-in surge suppression must be installed with sufficient duration to switch over to alternative power in case of a power failure.
  3. Emergency power off switches must be installed.
  4. Automated emergency lighting must be installed.
  5. A fire detection and suppression system must be installed and maintained.
  6. Server room temperatures and humidity shall be controlled at all times within levels specified by dedicated climate-control equipment separate from the building climate-control equipment.
  7. Water sensors shall be installed in appropriate locations to ensure detection of water intrusion from broken water pipes or other sources of water leakage.
  8. All detection and monitoring systems shall be tested and maintained on a regular basis as recommended by the manufacturer, and the occurrence of the tests documented. Fire suppression must be tested in compliance with State Fire Marshall requirements and in a manner that does not disrupt operations. All detection and monitoring devices shall alert the appropriate personnel.
  9. UPS systems shall be tested and maintained on a schedule recommended by the manufacturer, and the occurrence of the tests documented.
  10. There shall be no eating, drinking, or use of tobacco products allowed in server rooms at any time.
4. Maintenance Records:
  1. Documentation of all repairs and modifications to physical components related to security (e.g. doors, hardware, locks, etc.) shall be maintained by the operator of the facility and retained for a period of six years.

End-User IT Resource

To prevent unauthorized access, tampering, and/or theft of UTHSC IT Resources, UTHSC workforce members must secure their work area whenever they are not available to monitor the area.
1. If leaving their device, users will lock the device by whatever means available for the operating system, i.e. using Ctrl+Alt+Delete or Windows+L for Windows devices.
2. Devices will auto-lock after an inactivity period of ten (10) minutes.
End-user UTHSC IT Resources must include physical access controls that limit physical access and protect the equipment when on-site, off-site, at home, or while in transit from one location to another.
1. The IT Resource must be placed out of view or access of unauthorized individuals.
Display devices, i.e. monitors, in public areas need to be equipped with privacy safeguards or located so that unauthorized individuals cannot easily observe displayed information.
Physical security controls in clinical facilities must limit physical access to electronic information systems containing Personal Health Information (ePHI).
Physical security controls must be implemented based on the classification of data and the risks associated with unauthorized access. In addition, some regulations and contractual obligations with which UTHSC must comply have mandated physical security requirements.

Storage Devices and Media

Media will be classified according to the highest data classification stored on the media.
Any information with a level 3 classification rating received on media, as defined in the policy scope, shall be handled in one of the following ways:
1. Stored in a secure storage facility meeting the security requirements commensurate with the categorization of the information (GP-002- Data & System Classification).
2. Copied to a secured server that stores information per the section above titled Servers & Server Rooms.
3. Destroyed per GP-005.01- Disposal or Destruction of Electronic & Non-Electronic Media.
All media containing information with a level 3 classification rating shall be sanitized according to GP-005.01- Disposal or Destruction of Electronic & Non-Electronic Media before transferring custody of the media outside of the Unit for re-use or disposal.
University, State of Tennessee, and federal records-retention requirements must be met prior to destruction of information or transfer of custody of media for purposes of disposal.

Telecom Rooms

Network communications equipment will be installed in communications closets specifically designed and designated as such.
1. Access:
  1. Communication closets shall be locked at all times.
  2. Entry to a communications closet shall be restricted to personnel having responsibility for installing or maintaining the equipment in, or the safety of, the communications closet. Others requiring access shall be escorted and supervised by authorized personnel.
  3. Access to communications closets shall be restricted by key, code, or electronic card. An auditable process for issuing keys, codes, and/or cards shall be documented.
2. Usage:
  1. Telecom rooms shall not be shared with electrical service or unrelated services.
  2. If not feasible to avoid sharing of current communications closets, communications equipment shall be housed in a locked box appropriate to the purpose or segregated by fencing. Appropriate access controls shall be used.
  3. Telecom rooms shall not be used for storage.
  4. Telecom rooms shall be entered from a main corridor and not blocked by any other room.
3. Physical safeguards:
  1. Telecom rooms will be constructed to meet University of Tennessee telecommunication standards.
  2. Doors should not have intake grills. If necessary for ventilation, grills shall be installed so that they cannot be removed from the outside of the door.
  3. All detection and monitoring systems shall be tested on a regular basis as recommended by the manufacturer, and the occurrence of the tests documented. Fire suppression must be tested in compliance with State Fire Marshal requirements and in a manner that does not disrupt operations. All detection and monitoring devices shall alert the appropriate personnel.
  4. An uninterruptible power source (UPS) with built-in surge protection shall be installed.
  5. UPS systems shall be tested on a schedule recommended by the manufacturer and the occurrence of the tests documented.
  6. A backup plan shall exist in case of an air conditioning failure for those closets that are air-conditioned. All new constructed telecom rooms shall have a split system air conditioner and shall be monitored on the campus BAS system.
  7. There shall be no eating, drinking, or use of tobacco products allowed in the communications closets at any time.
4. Maintenance Records:
  1. Documentation of all repairs and modifications to physical components related to security (e.g. doors, hardware, locks, etc.) shall be maintained by the operator of the facility and retained for a period of six years.
The following guidelines are suggested in addition to the above standards:
1. Communications closets should not have windows.
2. Water detectors and related infrastructure should be placed in the closet.
3. There should be no external signs making the Communications closets identifiable.

Exceptions

1. Exceptions to this Standard should be requested using the process outlined in GP-001.02 Security Exceptions and Exemptions to ITS Standards and Practices.