4.0 Physical and Environmental Security

  1. Location and Construction
  2. Access Control and Authorisation
  3. Utilities and Services
  4. Fire Protection
  5. Waste Disposal
  6. Off-site Facilities
  7. Storage Media
  8. Evacuation Procedures

4.1 Location and Construction

  1. University information facilities and equipment should be located within a building so as to minimise exposure to:

    a) fire, water, corrosive agents and smoke from adjacent areas;
    b) flooding;
    c) explosion or shock;
    d) unauthorised access;
    e) undesirable, externally-generated electromagnetic radiations; and
    f) potential hazards from physically adjacent areas.

    Example: University information facilities shouldn't be built over, under or adjacent to kitchen or toilet facilities.

  2. Where site selection cannot compensate for identified risks, reasonable precautions should be taken.

    Examples: the construction of fences and walls, installation of alarms, and the removal of natural or man-made security hazards.

  3. Buildings housing university information facilities, equipment and data must conform to relevant statutory codes and standards (eg. fire, building and electrical).

  4. Entrances to areas containing university data, hardware or software should be protected with secure doors and locking hardware.

  5. Walls of rooms containing university data, hardware or software should be constructed from the real floor to the real ceiling (eg. slab to slab).

  6. Where feasible, utility service lines providing support to university information equipment and storage areas should enter the building underground.

  7. The number of openings to areas housing university data or related hardware and software should be kept to a minimum, consistent with fire regulations.

  8. Water and sewage pipes should be routed around university information equipment and storage areas. Where this is not possible, readily-accessible water shut-off valves should be provided.

4.2 Access Control and Authorisation

  1. Areas where university data is processed and/or stored, and areas housing utilities or service facilities supporting university information equipment, including air conditioning, telephone terminal, and electrical distribution rooms, should be designated as secure areas.

  2. Access privileges to secure areas should be authorised and controlled.

  3. Unauthorised personnel and visitors who require access to secure areas should be escorted by authorised personnel at all times.

  4. Signs indicating "authorised personnel only" or a similar message should be prominently posted at all entrances to secure areas.

  5. Provisions should be made for prohibiting unauthorised access to secure areas when the area is unattended and unoccupied.

  6. Access control methods should be provided for all secure areas.

    Examples: keypad or card swipe mechanisms; staffed reception area.

  7. Surveillance methods, such as motion detectors and alarms, should be installed in all secure areas.

  8. Authorisation lists should be maintained for:

    a) access to secure areas, security containers, sensitive documents; and
    b) all access control items, including keys, codes, combinations and badges.

  9. Records, in the form of an access control log, should be kept of access to secure areas for:

    a) visitors;
    b) external maintenance and support personnel; and
    c) authorised personnel outside of normal business hours or assigned hours of work.

  10. The access control log should record the following information:

    a) identification of the person entering;
    b) employer or affiliation;
    c) identification of the individual authorising entry;
    d) restricted area to be entered;
    e) date and time of entry; and
    f) date and time of departure.

  11. All persons admitted to a secure area should wear an approved access badge or identification card (see section 3.4 for details on access badges and identification cards).

4.3 Utilities and Services

  1. The university should establish standard operating procedures for the installation, monitoring and maintenance of environmental support equipment, communications wiring and equipment, electrical wiring and equipment, plumbing and other utilities and services consistent with the manufacturers' specifications.

  2. Distribution panels for information system power and communications services outside designated secure areas should be contained in secure rooms or cabinets with locking hardware. There should be no signage indicating the presence or importance of such facilities.

  3. The university should have an uninterruptible power supply (UPS) service for essential university information systems.

  4. Air conditioning for all university information system equipment and storage areas should conform to the facility's requirements and information system equipment manufacturers specifications.

  5. Where there is a possibility of water damage, protection should include:

    a) adequate drainage to remove excess water; and
    b) water detection equipment.

  6. Openings for air conditioning systems should be protected against the intrusion of objects and pollutants.

  7. Exterior air intakes and external rooms housing air conditioning systems should be afforded the same protection as areas containing university data.

  8. Flammable and caustic materials should not be stored in areas housing university information equipment and data storage.

    Note: Materials authorised for cleaning and maintenance should be brought into university information equipment and storage areas in small quantities and in covered containers.

  9. The use of materials known to produce static electricity or magnetic forces should be prohibited in equipment and data storage areas.

4.4 Fire Protection

    1. Fire protection for university information systems and data storage areas should conform with all fire regulations governing the location.

4.5 Waste Disposal

  1. University records, orders and other documents and recording media containing university data or security control records should be destroyed in an appropriate manner (For example: burning, shredding, disintegration).

  2. Media containing university data awaiting destruction should be stored in a secure manner.

4.6 Off-site Facilities

  1. Physical and environmental security provisions for off-site storage should conform to the same standards as primary facilities.

  2. Plans for backup facilities should ensure that physical and environmental security at the backup site can be made commensurate with the primary site.

  3. The location for off-site storage should not be subject to the same exposure to a specific threat as the primary site.

4.7 Storage Media

  1. Where removable media, such as floppy diskettes, magnetic tape, optical disk, or hardcopy, are used to store university data:

    a) the media should be stored in a secure container when not in use;
    b) where confidentiality is a concern, the data should be encrypted; and
    c) the media should be tracked or controlled whenever it is stored or moved outside of a secure area.

  2. All university data, whether it is on magnetic media, optical storage media or hardcopy documents should be secured whenever the system or secure area are left unattended.

4.8 Evacuation Procedures

  1. Evacuation procedures for all areas containing university data should be developed, documented and disseminated.

  2. Procedures should ensure that appropriate security is maintained during and following the evacuation.

Contents
Background: [1] [2] [3] _Section: [1] [2] [3] [4] [5] [6] [7] [8] [9] _Annex: [1] [2] [3] [4] [Index]
Guidelines for Computer Security at CQU, A C Lynn Zelmer, PhD; Editor/Adaptor
Copyright © 1996 CQU Computer Security Committee

Central Queensland University Home Page