UMGC Policy X-1.23 Physical Security of Information Technology

Purpose

The purpose of this policy is to establish the requirements to protect UMGC Information Systems and Information Technology Resources from physical and environmental hazards to include theft, destruction, inappropriate physical access, and natural disasters.

Scope and Applicability

This policy applies to University facilities where servers, network, and telecommunications equipment are installed and operated.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

1. Facilities with servers, Data Centers, and telecommunications equipment shall have both logical and physical security controls to prevent the unauthorized access and use of Information Technology Resources.
2. Access to Data Centers, server rooms and telecommunication facilities shall be authorized, documented, monitored, and periodically reviewed.
3. Individuals who no longer require access to facilities shall be removed from gaining physical access immediately.
4. University guests who need temporary access (e.g., for less than a day) shall be escorted and monitored by a UMGC staff member while inside University facilities.
5. Data Centers shall have the appropriate cooling, fire suppression, and redundant power services to maintain the environment in the event of an outage.
6. Data Centers must have locks that maintain audit trails, cameras monitoring activity, and environmental alarms to warn of threats to the computing environment.
7. IT physical security and emergency procedures shall be documented and reviewed as part of the risk assessment process.

1. Electronic storage media or equipment should be checked to ensure that any sensitive data and licensed software are removed or overwritten prior to disposal.
2. Minimum guidelines, in accordance with NIST 800-88 rev 1 Guidelines for Media Sanitation, shall be documented and data destruction records retained whether performed on or off premise.

Exceptions

Exceptions to this policy should be submitted to Information Security for review and approval.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy should notify Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r3 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” dated May 2024
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, December 2021

1. UMGC X-1.02 Data Classification
2. UMGC X-1.04 Information Security
3. UMGC X-1.05 Information Security Awareness and Training
4. UMGC X-1.12 Acceptable Use
5. UMGC X-1.19A Account Management (UMGC Learner Community)
6. UMGC X-1.19B Account Management (UMGC Workforce)