Physical and Environmental Security Policy

Chapter 3438
Issued April 15, 2009

Table of Contents

.010 Purpose
.020 Scope
.030 Effective Date
.040 Policy
.050 Definitions
.060 Roles and Responsibilities
.070 Implementing Procedures
.080 Related Laws, Regulations, or Policies
.100 Questions/Waivers

.010 Purpose

This policy defines the requirements for protecting university information and technology resources from physical and environmental threats in order to reduce the risk of loss, theft, damage, or unauthorized access to those resources, or interference with K-State operations.

.020 Scope

This policy applies to all university colleges, departments, administrative units, and affiliated organizations that use university information technology resources to create, access, store or manage University Data to perform their business functions.

.030 Effective Date

This policy became effective on March 31, 2009.

.040 Policy

All University information and technology resources should have appropriate physical and environmental security controls applied commensurate with identified risks.

.050 Definitions

  1. Core network facilities – the cabling, equipment, and network/telecommunications rooms associated with the high-speed backbone of K-State’s campus network that carries aggregated network traffic for all the buildings and external network connections (e.g., the KanREN, Internet, and Internet2 connections). As of February 2009, the five core network rooms are located in the Power Plant, Hale, West, and Coles on the Manhattan campus and the Technology Center (room 191) on the Salina campus.

  2. Mobile storage devices – Any easily movable device that stores University Data, including but not limited to laptop computers, Personal Digital Assistants (PDAs), smartphones, external hard drives, and USB flash drives.

  3. Uninterruptable Power Supply (UPS) – A device designed to provide power, without delay, during any period when the normal power supply is incapable of performing acceptably.

  4. University Data – Any data related to Kansas State University ("University") functions that are a) stored on University information technology systems, b) maintained by K-State faculty, staff, or students, or c) related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).

.060 Roles and Responsibilities

Responsibility for physical and environmental security of K-State information and technology resources is shared by the individuals using these systems, units that own them, and system administrators responsible for managing the systems.

.070 Implementing Procedures

  1. Physical Security

    • Network wiring and equipment – Network wiring and equipment rooms and cabinets must be locked when unattended with access limited to authorized personnel (typically network support staff) and visitors escorted by said authorized personnel. Other network cabling and devices should likewise be physically secured where feasible. Core network facilities should have the date and time of entry and departure recorded.

    • Office doors – All office doors should remain locked after hours or when offices are unattended for a prolonged period of time.

    • Mobile storage devices – Mobile storage devices should be stored securely when unattended. Appropriate secure storage methods include a locking security cable attached directly to the device, storage in a locked cabinet or closet, storage in a locked private office, or the like. Encrypting data stored on mobile devices, such as whole disk encryption on laptop computers, likewise reduces the risk of a breach of University Data resulting from theft, loss, or unauthorized access. When traveling with mobile storage devices or using them in public places, appropriate security precautions should be taken to prevent loss, theft, damage, or unauthorized access. Use of tracking and recovery software on laptop computers is encouraged.

  2. Environmental Security

    • Electrical power – Electrical power for servers hosting enterprise and departmental services must be protected by uninterruptable power supplies (UPS) to ensure continuity of services during power outages and to protect equipment from damage due to power irregularities. Each UPS should have sufficient capacity to provide at least 30 minutes of uptime to the systems connected to it. Systems hosting confidential data should also be protected with a standby power generator where feasible.

.080 Related Laws, Regulations, or Policies

  1. Kansas State University Data Classification and Security Policy

  2. K-State Network/Telecommunications Space Accommodations Policy specifies physical security for network and telecommunications facilities /its/itpolicies/accommodation.pdf

  3. State of Kansas Information Technology Policy 7230 – General Information Technology Enterprise Security Policy http://www.da.ks.gov/itec/Documents/itecitpolicy7230.htm

  4. State of Kansas Default Information Technology Security Requirements http://www.da.ks.gov/itec/Documents/ITECITPolicy7230A.pdf, March 2006

  5. ISO/IEC 27002:2005, "Information technology – Security techniques – Code of practice for information security management" http://www.iso.org/iso/catalogue_detail?csnumber=50297, published by the International Standards Organization. This is an international security standard that specifies physical and environmental security controls to protect assets from loss, theft, damage, and unauthorized access.

.100 Questions/Waivers

The Vice Provost for Information Technology Services (VPITS) is responsible for this policy. The VPITS or designee must approve any exception to this policy or related procedures.

Questions should be directed to the Chief Information Security Officer.