1.0 Revision History
PHYSICAL SECURITY POLICY
May 28, 2009
Harper P. Johnson, Director of Information
The purpose of this Physical
Security Policy is to prevent unauthorized access, theft, interference, and
damage to University data, information, or information systems.
Information – Data
elements, whether in part or combined, that are of value to the University,
such as student or employee records, intellectual property, research data, or
Information Systems – All computer and network systems owned by and/or
administered by the University. This includes all computing platforms of all
sizes from personal digital assistants (PDAs) to mainframe computers, all
peripheral devices and media, and all data contained on those systems.
System Administrator – The
individual primarily responsible for technical management of the system or
information asset within an organization or unit.
University Administrators – For the purposes of this Policy,
those individuals responsible for campus organizational units (e.g., deans,
department chairs, principal investigators, directors, or managers) or
individuals having functional ownership of data.
Visitor – One who
normally does not have regular access to protected NAU information systems
whether they are vendors, contractors, temporary employees, staff, faculty, affiliates,
4.1 This Policy applies to all Northern Arizona
University faculty, staff, students, and University Affiliates.
4.2 This Policy applies to all information
4.3 This Policy applies to data and information in
any tangible form whether it is written, filmed, typed, recorded electronically
or printed, and to all University information resources.
5.1 Appropriate physical entry controls will be
deployed to restrict access to information and information systems to only
those authorized in secured areas.
5.2 A formal documented process must be in place
to grant and revoke physical access to information and information systems in
5.3 Access lists must be periodically reviewed for
5.4 Equipment will be sited within areas to
securely protect against Natural Disasters and Environmental Hazards commensurate
5.5 Equipment sites will periodically be inspected
and environmental controls formally tested with the results documented.
5.6 A formal process must be in place to ensure
that information is completely removed or destroyed upon equipment disposal or
reassigning equipment for another use.
should not be removed from a secured area without appropriate, prior
5.8 A formal process should be in place to record
the removal from a secured area of any server or other system containing
sensitive data. The capital asset inventory number, the individual removing or
returning the machine, date and time should be documented.
6.0 Roles & Responsibilities
President of the University: The President supports and authorizes this Policy for University-wide implementation.
University Administrators: University Administrators have a responsibility to ensure that this Policy is supported within their organizational units.
Director of Information Security: The Director of Information Security is responsible for developing and implementing procedures and guidelines necessary to implement this Policy.
System Administrators must
evaluate the information and information systems under their responsibility to
determine the level of sensitivity, criticality, and value of those assets to
their organizational unit and implement appropriate physical barriers per
Persons who are subject to this Policy
may also be subject to the provisions of applicable NAU Personnel Policies, the
student employment handbook, and Arizona Board of Regents policies, including
provisions for discipline for violation of this Policy, as well as applicable
Arizona Board of Regents: Information Security Policy:
Arizona Board of Regents: Information Security Guidelines:
NAU Information Security Policy:
NAU Data Classification