Information Technology Standard 06.1.0

IT Facilities Security Standard


Date of Current Revision or Creation: January 1, 2023


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this compliance standard is to establish the requirements for safeguard the physical facilities that house information technology equipment, systems, services, and personnel.

Definitions

IT Facilities is a static, mobile or portable facility (or facilities) or a location that contains Old Dominion University information technology equipment, systems, services, and personnel.

Standards Statement

Old Dominion University implements physical security practices to prevent unauthorized physical access, damage and interference to the institution's premises and information. The protection provided should be commensurate with the identified risks.

Site Security

  • Security perimeters of IT sites are clearly defined and controls depend on the requirements of the asset and the results of a risk assessment.
  • The perimeters of the site should be physically sound and of solid construction.
  • Doors should be suitably protected against unauthorized access with suitable control mechanisms.
  • Physical security for offices, rooms and other facilities should consider all relevant health and safety standards.
  • Where applicable, sites should be unobtrusive and give minimum indication of their purpose.

Environmental Controls

  • Physical barriers should provide environmental protection.
  • Electric power, heating, fire suppression, ventilation, air-conditioning, and air purification are to be installed, as required by the IT systems and data.
  • All fire doors are to be alarmed, monitored and tested in compliance with fire safety regulations.

Physical Access Controls

  • Access to sites should be restricted to authorized personnel only.
  • Physical access to essential computer hardware, wiring, displays, and networks by the principle of least privilege, where feasible.
  • A system of monitoring and auditing physical access to sensitive IT systems is provided.
  • The Information Security Officer (ISO) is to periodically review the list of persons allowed physical access to sensitive IT systems.

Working in Secure Areas

  • Guidelines for working in secure areas should include controls for employees, contractors and third party users.
  • Personnel should only be aware of activities on a need-to-know basis.
  • Unsupervised working is secure areas should be avoided for safety reasons and to prevent opportunities for malicious activities.
  • Vacant areas should be physically locked and periodically checked.
  • Audio and video equipment is not allowed in secure areas without the authorization of the Information Security Officer.

Public Access, Delivery and Loading Areas

  • Access points for deliveries and loading are to be controlled for unauthorized access.
  • Incoming material should be inspected for potential threats before being moved to the point of use and handled in accordance with asset management procedures.

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

October 2008

ITAC/CIO

Created

October 2009

ITAC/CIO

Reaffirmed

October 2010

ITAC/CIO

Reaffirmed

October 2011

ITAC/CIO

Reaffirmed

March 2012

ITAC/CIO

Revised for working in secure areas and public access and delivery

December 2012

IT Policy Office

Numbering revision

December 2016 IT Policy Office Reviewed no changes
September 2019 IT Policy Office Reviewed no changes
January 2023 IT Policy Office Reviewed no changes