| Policy Category | Policy No. & Title | Policy Owner/Administrator | Effective Date | Revision Number | Revision Eff. Date | Review Cycle |
|---|---|---|---|---|---|---|
| Information Governance, Security & Technology | Physical Security of Information Technology | VP of Information Security | September 15, 2021 | N/A | N/A | Every 2 years |
The purpose of this policy is to establish the requirements to protect UMGC ("University") Information Systems and Information Technology Resources from physical and environmental hazards, including theft, destruction, inappropriate physical access, and natural disasters.
Scope and Applicability
This policy applies to University facilities where servers, network and telecommunications equipment are installed and operated.
Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.
Access Account Manager: The individual who is responsible for creating, monitoring, modifying, administering, or terminating User Account privileges on any UMGC Information Systems or Information Resource.
Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
Data Center: A facility, or portion of a facility, with the primary function to house University Information Systems.
Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
Information Resource: Anything that is intended to generate, store, or transmit Information.
Information Systems: Inter-related components of Information Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of Information.
Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.
Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
User: A member of the UMGC community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.
Facilities with servers, data centers, and telecommunications equipment shall have both logical and physical security controls to prevent the unauthorized access and use of Information Technology Resources.
Access to data centers, server rooms and telecommunication facilities shall be authorized, documented, monitored, and periodically reviewed.
Individuals who no longer require access to facilities shall have their physical access removed immediately.
University guests who need temporary access (e.g., for less than a day) shall be escorted and monitored by a UMGC staff member while inside University facilities.
Data Centers shall have the appropriate cooling, fire suppression, and redundant power services to maintain the environment in the event of an outage.
Data Centers must have locks that maintain audit trails, cameras monitoring activity, and environmental alarms to warn of threats to the computing environment.
IT physical security and emergency procedures shall be documented and reviewed as part of the risk assessment process.
Disposal of Equipment
Electronic storage media or equipment should be checked to ensure that any sensitive data and licensed software are removed or overwritten prior to disposal.
Minimum guidelines, in accordance with NIST 800-88 rev 1 Guidelines for Media Sanitization, shall be documented and data destruction records retained whether performed on or off premises.
Exceptions to this policy should be submitted to the VP of Information Security for review and approval.
Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy should notify the VP of Information Security as soon as practicable.
Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
UMGC X-1.02 Data Classification
UMGC X-1.04 Information Security
UMGC X-1.05 Information Security Awareness and Training
UMGC X-1.12 Acceptable Use
UMGC X-1.19A Account Management (UMGC Learner Community)
UMGC X-1.19B Account Management (UMGC Workforce)
This policy is effective as of the date set forth above and supersedes all prior policies on the subject matter hereof.