Purpose
The purpose of this Policy is to establish the requirements to protect UMGC Information Systems and Information Technology Resources from physical and environmental hazards to include theft, destruction, inappropriate physical access, and natural disasters.
Scope and Applicability
This Policy applies to University facilities where servers, network, and telecommunications equipment are installed and operated.
Facilities with servers, Data Centers, and telecommunications equipment shall have both logical and physical security controls to prevent the unauthorized access and use of Information Technology Resources.
Access to Data Centers, server rooms and telecommunication facilities shall be authorized, documented, monitored, and periodically reviewed.
Individuals who no longer require access to facilities shall have their physical access removed immediately.
University guests who need temporary access (e.g., for less than a day) shall be escorted and monitored by a UMGC staff member while inside University facilities.
Data Centers shall have the appropriate cooling, fire suppression, and redundant power services to maintain the environment in the event of an outage.
Data Centers must have locks that maintain audit trails, cameras monitoring activity, and environmental alarms to warn of threats to the computing environment.
IT physical security and emergency procedures will be documented and reviewed as part of the risk assessment process.
Disposal of Equipment
Electronic storage media or equipment should be checked to ensure that any sensitive data and licensed software are removed or overwritten prior to disposal.
Minimum guidelines, in accordance with NIST 800-88 Guidelines for Media Sanitization, shall be documented and data destruction records retained whether performed on or off premises.
Exceptions
Exceptions to this policy should be submitted to Information Security for review and approval.
Enforcement
Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy should notify Information Security as soon as practicable.
Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
Standards Referenced
Most recent versions:
USM IT Security Standards
NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
NIST SP 800-88 “Guidelines for Media Sanitization”