Standard number: DS-17
Date issued: 7/1/2018
Date last reviewed: 10/21/2021
Date of next review: 6/30/2024
Version: 1.0
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance
This Standard supports and supplements Information Security (SPG 601.27). The Standard is mandatory and enforced in the same manner as the policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
I. Overview
The university has a complex array of physical environments and locations to secure and protect, all in an academic environment that promotes the open exchange of information to advance knowledge. Almost all of these physical environments support research, teaching and learning, clinical care, and administrative functions that require accessing or maintaining sensitive institutional data.
This Standard defines the requirements for protecting campus facilities that maintain university information resources from physical and environmental threats in order to reduce the risk of loss, theft, damage, interruption, or unauthorized access to those information resources.
Federal or state regulations or contractual agreements may require additional actions that exceed those included in this Standard.
II. Scope
This standard applies to the Ann Arbor campus, Michigan Medicine, UM-Dearborn, UM-Flint, all affiliates, and all faculty, staff, workforce members, and sponsored affiliates. It applies to all units, faculty, principal investigators, and staff who process, maintain, transmit, or store Restricted, High, or Moderate data on any device, regardless of whether that device connects to the campus network.
While this Standard applies to all university facilities, its primary focus is on those facilities that house essential network operations, data centers, research activities, and patient care. Essential network operations include the cabling, equipment, and network and telecommunications rooms associated with the university backbone that carries aggregated network traffic to and from all U-M buildings and to external network connections.
III. Roles and Responsibilities
Responsibility for physical and environmental security of the U-M information and technology resources is shared by the individuals using these systems, staff that maintain the facilities (maintenance, building services, environmental control), security staff and police, units that own them, and system administrators responsible for managing the systems.
IV. Standard
Any U-M facility at which data classified as Restricted or High is processed or stored must implement physical security controls based on the risks associated with unauthorized access and the type of facility in which the data are maintained. In addition, some regulations and contractual obligations with which U-M must comply have mandated physical security requirements.
All units are required to develop, document, implement, and train their faculty and staff on the procedures (both U-M and unit-specific) necessary to comply with this Standard.
The following categories of university physical environments are listed in order of greatest to least need for protection of information systems.
Data Centers
Data centers and network and telecommunications rooms or closets house networked servers for file storage, application hosting, data processing, and other primary computing functions. U-M data centers are required to have specific requirements for granting access. Prior to being granted access to any data center, individuals must agree to the terms and conditions of the Data Center Access and Security Agreement or its equivalent.
Research Environments
Variation in research environments may dictate differently applied security procedures and controls. For example, an animal research lab will likely have different security procedures than a materials engineering lab which in turn will have different security procedures than the Survey Research Center’s telephone facility.
What security procedures and controls are required or recommended will generally depend on the complexity of the research environment and the number of people to be granted access:
- Individual-centered research environments: faculty offices, workstations in public computing locations
- Shared or group-centered research environments: laboratories; clinical facilities
Clinical Environments
Physical security controls in clinical facilities must limit physical access to electronic information systems containing Personal Health Information (PHI).
Office Environments
Fewer controls apply to departmental or administrative office environments with multiple staff than apply to the above environments. Applicable controls are identified in Tables 1 and 2 below.
Some offices are assigned solely to an individual who has complete control over access to the space. Others are shared spaces and require more explicit physical security controls. This Standard assumes that individual facilities will develop and adopt more specific procedures and processes to effectively carry out the controls enumerated below. Not all controls are required for each type of facility.
Table 1. Access and Authorization Controls
The following controls apply when approving and maintaining authorized access to secured locations:
- These controls apply to all facilities that process, maintain, or store data classified as Restricted or High, as well as departmental or administrative office environments:
- Only authorized personnel should have access to physically secure non-public locations. Access to facilities should be based on role or responsibilities, and a determination that access is required for individuals to perform their job functions.
- Appropriate managerial staff of secured locations should develop, approve, and maintain a list of personnel with authorized access to the facility; access will be removed and the access card deactivated in response to notification of changes in staff or staff responsibility.
- Management should regularly review (at a minimum interval of 6 months) authorization lists of staff and vendors to ensure that facility access is revoked for anyone who no longer has a business need for access.
- These controls apply to all facilities that process, maintain, or store data classified as Restricted or High:
- Physical access controls must be logged and audited according to established schedule, and must include one or more of the following: multi-factor authentication (e.g. token and pin number), key-card access, biometric access controls.
- Access to secure areas will be accessible only to those with the proper permissions or authorized roles.
Table 2. Facility Security Controls
Controls to protect secured facilities from damage, interruption, misuse, unauthorized access, destruction, or theft.
These controls do not apply to faculty and staff in individual office environments.
| Control | Research Environment | Clinical Environment | Data Center |
|---|---|---|---|
| Facilities containing sensitive/critical equipment (servers, network wiring closets, etc.) must be located in access-controlled areas and secured from unauthorized access. | X | X | X |
| Anyone having ID access to a secured location must not give or loan their ID to anyone else. Individuals with access should not allow unauthorized personnel to enter with them. | X | X | X |
| Anyone in or entering a secured location must produce their ID upon request by university security staff. | X | X | X |
| Anyone in or entering a secured location must have and display a university accepted form of identification (includes visitor badges) on his/her person at all times while within the location. | X | X | |
| 24/7 video surveillance is required. | X | X | |
| Authorized vendors and visitors should always be escorted by staff members when in a facility covered by this Standard. | X | X | X |
| All physical access to facilities by vendors and/or temporary visitors must be logged, including entry time, exit time, purpose, and staff member approving the facility entry. | X | X | X |
| Food and drink are prohibited except in designated areas. | X | X | |
| Document and maintain for three years maintenance records, including documentation of repairs and modifications to the security-related physical facility components. Security-related physical components include doors, locks, walls, access cards, etc. | X | X |
These controls apply to secured facilities as well as faculty and staff in individual office environments.
| Control | Research Environment | Clinical Environment | Data Center |
|---|---|---|---|
| All office or facility doors should remain locked after hours or when offices, research environments, or data centers are unattended for more than an incidental period of time. | X | X | X |
| Physical access to workstations, printers, scanners, fax machines, and other equipment that process and display sensitive institutional data should be restricted to prevent unauthorized individuals from viewing or obtaining moderate, high, or restricted university information; output devices (e.g., printers and displays) should not be located, whenever possible, in public sections of walkways, hallways, waiting areas, etc. | X | X | X |
| Portable storage devices containing unencrypted sensitive data should be stored securely when unattended. | X | X | X |
Table 3. Environmental Security Controls
Controls to protect information assets from damage, destruction and/ or interruption due to environmental factors such as fire, humidity, water, power outage, etc.
These controls do not apply to faculty and staff in individual office environments.
| Control | Research Environment | Clinical Environment | Data Center |
|---|---|---|---|
| Develop disaster recovery and contingency planning to support restoration of data and the physical plant in the event of an emergency or disaster. | X | X | X |
| Power Equipment and Cabling: Place power equipment and cabling in safe locations to prevent environmental and/or man-made damage and destruction. | X | X | |
Emergency Shutoff
|
X | X | X |
| Implement uninterruptible power supply (UPS) to facilitate transition to long-term alternate power in the event of a primary power source loss. | X | X | |
|
X | X | X |
|
X | X | |
| Protect processing equipment from damage resulting from water leakage. | X | X | X |
V. Reporting Facility Security and IT Security Incidents
To report a non-emergency problem related to a U-M building or facility, contact the Division of Public Safety and Security at 734-763-1131. To report an emergency (e.g., crime in progress, fire), call 911.
All staff must report any serious information security incidents to the ITS Service Center within 24 hours of becoming aware of the incident.
VI. Violations and Sanctions
Violations of this Standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, the connectivity of machines and servers to the U-M network that do not comply with this Standard may be limited or disconnected.
Discipline (SPG 201.12) provides for staff member disciplinary procedures and sanctions. Violations of this policy by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.
Any U-M department or unit found to have violated this policy may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.
VII. Implementation
Information Assurance is responsible for the maintenance and interpretation of this Standard.
VIII. References
Information Security (SPG 601.27)
IX. Related NIST Security Controls
- NIST SP 800-53 Revision 4: Physical and Environmental Protection Control Family
- PE-02 Physical Access Authorizations
- PE-03 Physical Access Control
- PE-04 Access Control for Transmission Medium
- PE-05 Access Control for Output Devices
- PE-06 Monitoring Physical Access
- PE-08 Visitor Access Records
- PE-09 Power Equipment and Cabling
- PE-10 Emergency Shutoff
- PE-11 Emergency Power
- PE-12 Emergency Lighting
- PE-13 Fire Protection
- PE-14 Temperature and Humidity Controls
- PE-15 Water Damage Protection
- PE-16 Delivery and Removal
- PE-18 Location of Information Systems Components