Physical and environmental safeguards are often overlooked but are very important in protecting information. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes.
Safeguards for Domain 6, Information Security & Privacy Program
Secure areas
Ensuring complete physical security is impossible, especially in an institution of higher education. While there are several university facilities that have extensive security safeguards in place because of the nature of the services and information contained therein, most of our buildings and rooms allow unfettered access to members of the public. General building and room security safeguards should be in harmony with the overall atmosphere of the building while factoring in threats to the information contained within.
The security of facilities housing information resources can be protected by a number of means (e.g., locked doors with limited key distribution, locked machine cabinets, glass break sensors on windows, motion detectors, door alarms, fire suppression, appropriate heating, cooling and backup power). As with all security issues, the cost of implementing such protection measures has to be weighed against the risks. In some circumstances, the simple act of ensuring that all doors and windows in the room remain closed and locked while the room is unoccupied might suffice. In another case, the sensitivity or criticality of the information contained in, and the service provided by, a building, room, or piece of equipment might be such that more stringent actions are taken.
Each unit at the university is responsible for the security of the buildings and rooms that house information and information technology systems in support of their business or role.
The process for reviewing, analyzing, requesting, installing, and maintaining physical security safeguards, as well as the expertise for performing each of these tasks, varies across campuses and units. University Public Safety and Institutional Assurance can assist units in establishing physical security policy and procedures that govern their facilities.
At IU, can I lease space in the Data Center for my departmental servers, and what other options exist? | IU Knowledge Base
The IU Intelligent Infrastructure provides hardened data center services. See especially their Service Level Expectations for descriptions of their secure practices.
For more on security related to the principle of availability, see Domain 11: Business Continuity.
The Facilities Physical Security, Safety, and Privacy Program provides facility design guidance to the university community.
The Video and Electronic Surveillance policy provides direction for units wanting to deploy video and other forms of surveillance in university facilities.
Capital Projects provides a Facilities Physical Security, Safety, and Privacy - Base Bid Standards document outlining standards to incorporate into facility design, for new construction and renovation.
Equipment security
Placement
Appropriate physical safeguards must be placed on equipment that stores or processes institutional data. In addition to physically securing this equipment, consideration must be given to other environmental-related aspects that could, if not managed correctly, cause an interruption of service or availability and thus disrupt the university's mission. Careful thought must be given to ensure proper power (e.g., Uninterruptible Power Supplies, generator power backup, redundant power feeds), adequate fire protection, proper heating and cooling, and so on. These environmental safeguards must be commensurate with the sensitivity of the data contained in or processed by the equipment. Equipment removed from university premises is particularly vulnerable to loss or theft. Therefore, the equipment must be protected when off-site, at home, or while in transit from one location to another.
Disposal and Redistribution
Information stored in equipment being disposed of, redistributed, or sold must be securely removed to prevent the disclosure of the information to unauthorized parties.
Placement
The policy on Security of Information Technology Resources still applies, regardless of the placement or location of the equipment.
At IU, can I lease space in the Data Center for my departmental servers, and what other options exist? | IU Knowledge Base
The Office of Financial Management Services governs the process for removing capital equipment from university property.
Financial Management Services Policy ACC–140 : Off-Premise Capital Equipment Control
While non-capital equipment is not covered by this policy, appropriate inventory and tracking methods should still be used, particularly if the non-capital equipment contains or processes sensitive information.
Protecting Your Laptop Computer | IU Information Security Office
Do you plan to travel abroad and take your university-issued laptop computer, digital storage device, or any encryption products with you? The Export Control Office in the Office of Research Administration can help you determine if your university-issued electronic components require a license prior to international travel, can provide tips for international travel with information stored on electronic components, and can provide a list of sanctioned and restricted parties and entities with whom IU is prohibited by federal law from doing business. Contact them at export@iu.edu.
Disposal and Redistribution
University Purchasing governs the disposal and redistribution of university property.
- University Purchasing Policy P - 14.0 : Disposal and Redistribution of University Property
- University Purchasing Policy P - 14.1 : Sale of Computing Equipment
- Securely Removing Data | IU Information Security Office
- Protecting Data in Copiers and Multifunction Devices | IU Information Security Office
In addition to digital media, information classified as Critical stored in paper form must also be securely destroyed. The IU Office of Procurement Services maintains a list of contracted vendors; there is at least one vendor located near each IU campus.
Summary of domain objectives
The primary objectives of this domain are to:
- prevent unauthorized physical access, damage, and interference to premises and information
- ensure sensitive information and critical information technology are housed in secure areas
- prevent loss, damage, theft, or compromise of assets
- prevent interruption of activities
- protect assets from physical and environmental threats
- ensure appropriate equipment location, removal, and disposal
- ensure appropriate supporting facilities (e.g., electrical supply, data and voice cabling infrastructure)