Skip to end of metadata
Go to start of metadata

Table of Contents

Overview

The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.

Physical and environmental safeguards are often overlooked but are very important in protecting information. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes.

Secure Areas

Ensuring complete physical security is impossible, especially in an institution of higher education. While there are several university facilities that have extensive security safeguards in place because of the nature of the services and information contained therein, most of our buildings and rooms allow unfettered access to members of the public. General building and room security safeguards should be in harmony with the overall atmosphere of the building while factoring in threats to the information contained within.

The security of facilities housing information resources can be protected by a number of means (e.g., locked doors with limited key distribution, locked machine cabinets, glass break sensors on windows, motion detectors, door alarms, fire suppression, appropriate heating, cooling and backup power). As with all security issues, the cost of implementing such protection measures has to be weighed against the risks. In some circumstances, the simple act of ensuring that all doors and windows in the room remained closed and locked while unoccupied might suffice. In another case, the sensitivity or criticality of the information contained on and the service provided by building, room, or piece of equipment might be such that more stringent actions are taken.

Equipment Security

There are many types of equipment involved in the creation, collection, storage, manipulation, and/or transmission of information. Filing cabinets are used to store student transcripts. Computer systems are used to process and maintain intellectual property. Data networking equipment and cables are used to transmit voice and video communications. While the value of the equipment cannot be disregarded, the information stored in the device is arguably more valuable than the device itself. Physical and logical security safeguards should be based on the type of data being processed by the equipment. A sound asset management strategy is important to ensure all important equipment is tracked and secured appropriately (see Asset Management (ISO 7) for additional information).

Placement

Appropriate physical safeguards must be placed on equipment that stores or processes institutional data. In addition to physically securing this equipment, consideration must be given to other environmental related aspects that could, if not managed correctly, cause an interruption of service or availability and thus disrupt the university's mission. Careful thought must be given to ensure proper power (e.g., Uninterruptable Power Supplies, generator power backup, redundant power feeds), adequate fire protection, proper heating and cooling, and so on. These environmental safeguards must be commensurate with the sensitivity of the data contained in or processed by the equipment.

Equipment removed from university premises is particularly vulnerable to loss or theft. Therefore, the equipment must be protected when off-site, at home, or while in transit from one location to another.

Disposal and Redistribution

Information stored in equipment being disposed, redistributed, or sold must be securely removed to prevent the disclosure of the information to unauthorized parties.

Top of page

Standards

ISO NIST COBIT PCI DSS
27002: Information Security Management
Chapter 9: Physical Security
800-100: Information Security Handbook: A Guide for Managers
800-53: Recommended Security Controls for Federal Information
Systems and Organizations
800-12: An Introduction to Computer Security - The NIST Handbook
800-14: Generally Accepted Principles and Practices for Securing
Information Technology Systems

 
PO4
PO6
Requirement 9
Requirement 10
Requirement 11

Top of page

Secure Areas (ISO 9.1)

Objective: To ensure the institution appropriately protects buildings and rooms to prevent unauthorized access, damage, or interference to the information systems therein.

Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be secured. The physical facility is usually the building(s) housing the system and network components. The physical characteristics of these structures determine the level of such physical threats as fire, roof leaks, or unauthorized access. Security perimeters should be used to protect areas that contain information and information processing facilities -- using walls, controlled entry doors/gates, manned reception desks and similar measures. The facility's general geographic location determines the characteristics of natural threats, which include earthquakes and flooding; man-made threats such as burglary, civil disorders, or interception of transmissions; and damaging nearby activities, including toxic chemical spills, explosions, and fires. Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of natural and man-made risk should be designed and implemented.

Secure Areas Resources:

Top of page

Equipment Security (ISO 9.2)

Objective: To ensure the institution appropriately protects information systems equipment from physical and environmental threats.

IT equipment should be maintained properly and disposed of securely.

The system's operation usually depends on supporting facilities such as electric power, heating and air conditioning, and telecommunications. The failure or substandard performance of these facilities may interrupt operation of systems and may cause physical damage to system hardware or stored data. Equipment should be protected from disruptions caused by failures in supporting utilities such as HVAC, water supply and sewage. Power and telecommunications cabling carrying sensitive data should be protected from interception or damage. Maintenance contracts should be in place to make certain equipment will be correctly maintained to ensure its continued availability and integrity. Equipment, information or software should not be taken off-premises without prior authorization. Appropriate security measures should be applied to off-site equipment, taking into account the different risks of working outside the organization's premises.

All equipment containing storage media should be checked to ensure that sensitive data and licensed software have been removed or securely overwritten prior to secure disposal.

Equipment Security Resources:

Top of page

Resources

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

Top of page


Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

Labels:
facilities facilities Delete
maintenance maintenance Delete
off-premises off-premises Delete
disposal disposal Delete
physical physical Delete
environmental environmental Delete
security security Delete
protect protect Delete
secure secure Delete
geographic geographic Delete
locations locations Delete
buildings buildings Delete
infrastructure infrastructure Delete
threats threats Delete
equipment equipment Delete
educause educause Delete
heisc heisc Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.