URP: I.19.i Information Security Physical Access Authorizations

Tags techurp

STATEMENT OF PURPOSE
This document establishes the information security physical and environmental protection 
regulations and procedures. The purpose of these regulations and procedures is to mitigate Texas 
Woman’s University’s (TWU) risks from physical security and environmental threats through the 
establishment of an effective information security physical security and environmental controls 
program.

DEFINITIONS
Physically Secured: locked in a location that denies access to unauthorized personnel.
Critical Information Systems: include, but are not limited to, servers, SANs, core routers, and 
telecommunication switches. Facilities that house critical information systems are generally 
referred to as server rooms or data centers.

SCOPE
These regulations and procedures apply to all information resources owned or operated by TWU. 
All users are responsible for adhering to this policy. If needed or appropriate, information 
regarding roles, responsibilities, management commitment, and coordination among organizational 
entities is embedded within these procedures.

REGULATIONS AND PROCEDURES
The State of Texas has chosen to adopt the physical and environmental protection principles 
established in the NIST SP 800-53 “Physical and Environmental Protection” control family guidelines. 
The following subsections outline the physical and environmental protection standards that 
constitute TWU’s regulations and procedures.
PE-1 Physical and Environmental Protection:
○ Regulations:
▪ TWU must develop, document, and disseminate physical and environmental protection regulations 
and procedures that address purpose, scope, roles, responsibilities, management commitment, 
coordination among organizational entities, and compliance.
○ Procedures:
▪ The Office of Technology (OOT) will maintain physical and environmental protection regulations 
and procedures that address purpose, scope, roles, responsibilities, management commitment, 
coordination among organizational entities, and compliance.
PE-2 Physical Access Authorization:
○ Regulations:
▪ TWU must:
• Develop, approve, and maintain a list of individuals with authorized access to facilities where 
information systems reside;
• Issue authorization credentials for facility access;
• Review the access list detailing authorized facility access by individuals;
• Remove individuals from the facility access list when access is no longer required.
○ Procedures:
▪ Facility access is managed using the University’s card swipe system and centrally managed key 
program.
▪ System Owners shall verify user access lists annually.
PE-3 Physical Access Control:
○ Regulations:
▪ For areas with critical information systems, TWU must:
• Enforce physical access authorization;
• Maintain physical access audit logs;
• Escort and monitor visitors;
• Change locks or update card swipe systems when keys or cards are lost.
○ Procedures:
▪ Information systems are physically secured in an appropriate manner.
• Non-critical information systems are protected by locks that are managed by Facilities 
Management.
• Critical information systems are protected by card swipe access that is managed by DPS and 
Housing.
▪ OOT shall escort and/or monitor visitors of critical system facilities.
▪ Users must report lost cards or keys to the Department of Public Safety (DPS).
PE-6 Monitoring Physical Access:
○ Regulations:
▪ TWU must monitor physical access to facilities where critical information systems reside.
○ Procedures:
▪ Entry logs for critical information system facilities are automatically captured and stored in 
the University’s CBORD system.
PE-12 Emergency Lighting:
○ Regulations:
▪ TWU must employ and maintain automatic emergency lighting for facilities with critical 
information systems that activates in the event of a power outage or disruption and that covers 
emergency exits and evacuation routes within the facility.
○ Procedures:
▪ OOT critical information system facilities have battery and gas generators for emergency backup 
power.
▪ OOT critical information system facilities have emergency lighting that activates in the event of 
a power outage or disruption and that covers emergency exits and evacuation routes within the 
facility.
PE-14 Temperature and Humidity Controls:
○ Regulations:
▪ TWU must maintain and monitor temperature and humidity levels within facilities where critical 
information systems reside.
○ Procedures:
▪ TWU Facilities Management maintains, repairs, and monitors the systems that control the 
temperature and humidity in facilities with critical information systems.
▪ OOT uses an automated temperature and humidity monitoring system; alerts are sent to the OOT 
Security Team. The OOT Security Team then notifies the appropriate staff to respond.
PE-15 Water Damage Protection:
○ Regulations:
▪ TWU must protect facilities with critical information systems from damage resulting from water 
leakage by providing shutoff valves that are accessible, working properly, and known to key 
personnel.
○ Procedures:
▪ Facilities Management ensures facilities with critical information systems have master shutoff or 
isolation valves that are accessible and are working properly.
▪ Users must watch an orientation video before receiving access to facilities with critical 
information systems. The orientation video shows users where the water shutoff valves are located.

APPLICABILITY
TWU Students, Faculty, Staff, and Guest TWU Student

COMPLIANCE
Violation of this policy may result in disciplinary action, which may include termination for 
employees and temporaries; a termination of employment relations in the case of contractors or 
consultants; termination of access; legal action; termination for interns and volunteers; 
disciplinary review; suspension or expulsion (in the case of a student).

SPECIAL NOTES
Department of Information Resources Security Standards Catalog 
http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf

Owner: Associate Provost for Technology

Details

Article ID: 56377
Created: Fri 6/22/18 10:49 AM
Modified: Mon 3/25/19 11:17 AM