Physical and Environmental Security Policy
Issued April 15, 2009
Table of Contents
.030 Effective Date
This policy defines the requirements for protecting university information and technology resources from physical and environmental threats in order to reduce the risk of loss, theft, damage, or unauthorized access to those resources, or interference with K-State operations.
This policy applies to all university colleges, departments, administrative units, and affiliated organizations that use university information technology resources to create, access, store or manage University Data to perform their business functions.
This policy became effective on March 31, 2009.
All University information and technology resources should have appropriate physical and environmental security controls applied commensurate with identified risks.
Core network facilities - the cabling, equipment, and network/telecommunications rooms associated with the high speed backbone of K-State’s campus network that carries aggregated network traffic for all the buildings and external network connections (e.g., the KanREN, Internet, and Internet2 connections). As of February 2009, the five core network rooms are located in the Power Plant, Hale, West, and Coles on the Manhattan campus and the Technology Center (room 191) on the Salina campus.
Mobile storage devices - Any easily movable device that stores University Data, including but not limited to laptop computers, Personal Digital Assistants (PDAs), Smartphone’s, external hard drives, and USB flash drives.
Uninterruptable Power Supply (UPS) – A device designed to provide power, without delay, during any period when the normal power supply is incapable of performing acceptably.
University Data – Any data related to Kansas State University ("University") functions that are a) stored on University information technology systems, b) maintained by K-State faculty staff, or students, or c) related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).
Responsibility for physical and environmental security of K-State information and technology resources is shared by the individuals using these systems, units that own them, and system administrators responsible for managing the systems.
Network wiring and equipment – Network wiring and equipment rooms and cabinets must be locked when unattended with access limited to authorized personnel (typically network support staff) and visitors escorted by said authorized personnel. Other network cabling and devices should likewise be physically secured where feasible. Core network facilities should have the date and time of entry and departure recorded.
Office doors – All office doors should remain locked after hours or when offices are unattended for a prolonged period of time.
Mobile storage devices – Mobile storage devices should be stored securely when unattended. Appropriate secure storage methods include a locking security cable attached directly to the device, storage in a locked cabinet or closet, storage in a locked private office, or the like. Encrypting data stored on mobile devices, such as whole disk encryption on laptop computers, likewise reduces the risk of a breach of University Data resulting from theft, loss, or unauthorized access. When traveling with mobile storage devices or using them in public places, appropriate security precautions should be taken to prevent loss, theft, damage, or unauthorized access. Use of tracking and recovery software on laptop computers is encouraged.
Electrical power – Electrical power for servers hosting enterprise and departmental services must be protected by uninterruptable power supplies (UPS) to ensure continuity of services during power outages and to protect equipment from damage due to power irregularities. Each UPS should have sufficient capacity to provide at least 30 minutes of uptime to the systems connected to it. Systems hosting confidential data should also be protected with a standby power generator where feasible.
Kansas State University Data Classification and Security Policy
K-State Network/Telecommunications Space Accommodations Policy specifies physical security for network and telecommunications facilities/its/itpolicies/accommodation.pdf
State of Kansas Information Technology Policy 7230 – General Information Technology Enterprise Security Policyhttp://www.da.ks.gov/itec/Documents/itecitpolicy7230.htm
State of Kansas Default Information Technology Security Requirements http://www.da.ks.gov/itec/Documents/ITECITPolicy7230A.pdf, March 2006
ISO/IEC 27002:2005, "Information technology – Security techniques – Code of practice for information security management"http://www.iso.org/iso/catalogue_detail?csnumber=50297, published by the International Standards Organization. This is an international security standard that specifies physical and environmental security controls to protect assets from loss, theft, damage, and unauthorized access.
The Vice Provost for Information Technology Services (VPITS) is responsible for this policy. The VPITS or designee must approve any exception to this policy or related procedures.
Questions should be directed to the Chief Information Security Officer.