Physical and Environmental Security Policy
Chapter 3438
Issued April 15, 2009; Revised January 9, 2023
Table of Contents
.010 Purpose
.020 Scope
.030 Effective Date
.040 Policy
.050 Definitions
.060 Roles and Responsibilities
.070 Implementing Procedures
.080 Related Laws, Regulations, or Policies
.100 Questions/Waivers
.010 Purpose
This policy defines the requirements for protecting university information and technology resources from physical and environmental threats in order to reduce the risk of loss, theft, damage, or unauthorized access to those resources, or interference with K-State operations.
.020 Scope
This policy applies to all university colleges, departments, administrative units, and affiliated organizations that use university information technology resources to create, access, store or manage University Data to perform their business functions.
.030 Effective Date
This policy became effective on March 31, 2009.
.040 Policy
All University information and technology resources should have appropriate physical and environmental security controls applied commensurate with identified risks.
.050 Definitions
- Core network facilities
- The cabling, equipment, and network/telecommunications rooms associated with the high speed backbone of K-State’s campus network that carries aggregated network traffic for all the buildings and external network connections (e.g., the KanREN, Internet, and Internet2 connections).
- Mobile storage devices
- Any easily movable device that stores University data, including but not limited to laptop computers, smartphones, external hard drives, and USB flash drives.
- Uninterruptable Power Supply (UPS)
- A device designed to provide power, without delay, during any period when the normal power supply is incapable of performing acceptably.
- University Data
- Any data related to Kansas State University ("University") functions that are a) stored on University information technology systems, b) maintained by K-State faculty staff, or students, or c) related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).
.060 Roles and Responsibilities
Responsibility for physical and environmental security of K-State information and technology resources is shared by the individuals using these systems, units that own them, and system administrators responsible for managing the systems.
.070 Implementing Procedures
- Physical Security
- Network wiring and equipment – Network wiring and equipment rooms and cabinets must be locked when unattended with access limited to authorized personnel (typically network support staff) and visitors escorted by said authorized personnel. Other network cabling and devices should likewise be physically secured where feasible. Core network facilities should have the date and time of entry and departure recorded.
- Office doors – All office doors should remain locked after hours or when offices are unattended for a prolonged period of time.
- Mobile storage devices – Mobile storage devices should be stored securely when unattended. Appropriate secure storage methods include a locking security cable attached directly to the device, storage in a locked cabinet or closet, storage in a locked private office, or the like. Encrypting data stored on mobile devices, such as whole disk encryption on laptop computers, likewise reduces the risk of a breach of University Data resulting from theft, loss, or unauthorized access. When traveling with mobile storage devices or using them in public places, appropriate security precautions should be taken to prevent loss, theft, damage, or unauthorized access. Use of tracking and recovery software on laptop computers is encouraged.
- Network wiring and equipment – Network wiring and equipment rooms and cabinets must be locked when unattended with access limited to authorized personnel (typically network support staff) and visitors escorted by said authorized personnel. Other network cabling and devices should likewise be physically secured where feasible. Core network facilities should have the date and time of entry and departure recorded.
- Environmental Security
- Electrical power – Electrical power for servers hosting enterprise and departmental services must be protected by uninterruptable power supplies (UPS) to ensure continuity of services during power outages and to protect equipment from damage due to power irregularities. Each UPS should have sufficient capacity to provide at least 30 minutes of uptime to the systems connected to it. Systems hosting confidential data should also be protected with a standby power generator where feasible.
.080 Related Laws, Regulations, or Policies
- K-State Data Classification and Security Policy
- K-State Network/Telecommunications Space Accommodations Policy - specifies physical security for network and telecommunications facilities.
- State of Kansas, ITEC Information Technology Security Standards Policy 7230A (PDF)
- ISO/IEC 27002:2013: Information technology – Security techniques – Code of practice for information security management, published by the International Standards Organization. This is an international security standard that specifies physical and environmental security controls to protect assets from loss, theft, damage, and unauthorized access.
.100 Questions/Waivers
The Vice President for Information Technology and Chief Information Officer (CIO) is responsible for this policy. The CIO or designee must approve any exception to this policy or related procedures. Questions should be directed to the Chief Information Security Officer (CISO).