600 Physical and Environmental Security

601: Physical Areas Containing Protected Information

Information Security Policies & Procedures Manual
Section 600: Physical and Environmental Security
Effective: 03/20/2014

Purpose

The purpose of this section is to outline specific physical security policies and procedures which overlap with Information Security.

Background

In general, physical security is the responsibility of Public Safety on campus. There are, however, areas needing special attention where Information Security can be affected. Specifically, these are the buildings where central servers are housed, office space where Protected Information is regularly accessed and visible to people in the immediate proximity, the surplusing of electronic storage media from the university, and the physical transport of Protected Information, such as when tape backups are taken off site.

Policies and Procedures

 

601-01 Milne Computer Center and Banner Systems

The machine room within Milne Computer Center is to be considered a restricted area where only authorized personnel are allowed. Standard security measures such as name badges and audited door access codes shall be employed for physical access to the room. Given the critical nature of the Banner systems, the facility shall also be equipped with standby emergency power (both stored and generated) and shall be monitored for availability 7 days a week, 24 hours a day.

 

601-02 Disposal of Surplus Property

All electronic storage media are subject to the OSU Policy on Disposal of Data Storage Equipment maintained by OSU Business Services.  This policy states that information shall be purged from all electronic media prior to surplus.

 

601-03 Transportation of Protected Information

All physical transportation of Protected Information shall be done by a trusted courier who can provide document and pouch-level traceability. Where Personal Information for more than 1000 individuals is to be transported, in either paper or electronic form, sealed pouches for paper documents and lock boxes for transport of tapes/CDs are required.

602: Protecting Information Stored on Paper

Information Security Policies & Procedures Manual
Section 600: Physical and Environmental Security
Effective: 01/11/2010

Background

Paper documents that include Protected Information or Sensitive Information such as social security numbers, student education records, an individual's medical information, benefits, compensation, loan, or financial aid data, and faculty and staff evaluations are to be secured during printing, transmission (including by fax), storage, and disposal.

Procedure

University employee and supervisor responsibilities include:

  • Do not leave paper documents containing Protected Information or Sensitive Information unattended; protect them from the view of passers-by or office visitors.
  • Store paper documents containing Protected Information or Sensitive Information in locked files.
  • Store paper documents that contain information that is critical to the conduct of University business in fireproof file cabinets. Keep copies in an alternate location.
  • Do not leave the keys to file drawers containing Protected Information or Sensitive Information in unlocked desk drawers or other areas accessible to unauthorized personnel.
  • All records are subject to OUS records retention policies and should only be disposed of in accordance with the retention schedule defined within those policies. More information can be found at http://osulibrary.oregonstate.edu/archives/schedule/. Once the retention schedule has been met, shred confidential paper documents and secure such documents until shredding occurs. If using the University pulping service, ensure that the pulping bin is locked and that it is accessed only by individuals identified by Business Services as those who are responsible for picking up pulping bins and who will be attentive to the confidentiality requirements.
  • Make arrangements to immediately retrieve or secure documents containing Protected Information or Sensitive Information that are printed on copy machines, fax machines, and printers. If at all possible, documents containing Protected Information should not be sent by fax. Those documents should be sent via a trusted courier service and secured in transit as per OSU ISM 601-03.
  • Double-check fax messages containing Sensitive Information:
    • Recheck the recipient's number before you hit 'start.'
    • Verify the security arrangements for a fax's receipt prior to sending.
    • Verify that you are the intended recipient of faxes received on your machine.