Skip Navigation
Request Info
Apply Now
Request Info
Apply Now
Skip to Menu Toggle Button

UMGC Policy X-1.23 Physical Security of Information Technology

EXPLORE MORE OF UMGC

Policy CategoryPolicy OwnerVersion Effective DateReview CyclePolicy Contact
X. Information Governance, Security & TechnologyChief Transformation OfficerAug. 29, 2023AnnualUMGC Information Security
  1. Purpose
    The purpose of this policy is to establish the requirements to protect UMGC ("University") Information Systems and Information Technology Resources from physical and environmental hazards to include theft, destruction, inappropriate physical access, and natural disasters.
  2. Scope and Applicability
    This policy applies to University facilities where servers, network, and telecommunications equipment are installed and operated.
  3. Definitions
    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
  4. Physical Security
    1. Facilities with servers, Data Centers, and telecommunications equipment shall have both logical and physical security controls to prevent the unauthorized access and use of Information Technology Resources.
    2. Access to Data Centers, server rooms and telecommunication facilities shall be authorized, documented, monitored, and periodically reviewed.
    3. Individuals who no longer require access to facilities shall be removed from gaining physical access immediately.
    4. University guests who need temporary access (e.g., for less than a day) shall be escorted and monitored by a UMGC staff member while inside University facilities.
    5. Data Centers shall have the appropriate cooling, fire suppression, and redundant power services to maintain the environment in the event of an outage.
    6. Data Centers must have locks that maintain audit trails, cameras monitoring activity, and environmental alarms to warn of threats to the computing environment.
    7. IT physical security and emergency procedures shall be documented and reviewed as part of the risk assessment process.
  5. Disposal of Equipment
    1. Electronic storage media or equipment should be checked to ensure that any sensitive data and licensed software are removed or overwritten prior to disposal.
    2. Minimum guidelines, in accordance with NIST 800-88 rev 1 Guidelines for Media Sanitation, shall be documented and data destruction records retained whether performed on or off premise.
  6. Exceptions
    Exceptions to this policy should be submitted to Information Security for review and approval.
  7. Enforcement
    1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy should notify Information Security as soon as practicable.
    2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
  8. Standards Referenced
    1. USM IT Security Standards, v.5, dated July 2022
    2. NIST SP 800-171r2 "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," dated February 2020
    3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, December 2021
  9. Related Policies
    1. UMGC X-1.02 Data Classification
    2. UMGC X-1.04 Information Security
    3. UMGC X-1.05 Information Security Awareness and Training
    4. UMGC X-1.12 Acceptable Use
    5. UMGC X-1.19A Account Management (UMGC Learner Community)
    6. UMGC X-1.19B Account Management (UMGC Workforce)
  10. Effective Date
    This policy is effective as of the Version Effective Date set forth above and supersedes all prior policies on the subject matter hereof.

By using our website you agree to our use of cookies. Learn more about how we use cookies by reading our Privacy Policy.