Purpose
The purpose of this policy is to establish the requirements to protect UMGC ("University") Information Systems and Information Technology Resources from physical and environmental hazards to include theft, destruction, inappropriate physical access, and natural disasters.
Scope and Applicability
This policy applies to University facilities where servers, network, and telecommunications equipment are installed and operated.
Facilities with servers, Data Centers, and telecommunications equipment shall have both logical and physical security controls to prevent the unauthorized access and use of Information Technology Resources.
Access to Data Centers, server rooms and telecommunication facilities shall be authorized, documented, monitored, and periodically reviewed.
Individuals who no longer require access to facilities shall have their physical access removed immediately.
University guests who need temporary access (e.g., for less than a day) shall be escorted and monitored by a University staff member while inside University facilities.
Data Centers shall have the appropriate cooling, fire suppression, and redundant power services to maintain the environment in the event of an outage.
Data Centers must have locks that maintain audit trails, cameras monitoring activity, and environmental alarms to warn of threats to the computing environment.
IT physical security and emergency procedures shall be documented and reviewed as part of the risk assessment process.
Disposal of Equipment
Electronic storage media or equipment should be checked to ensure that any sensitive data and licensed software are removed or overwritten prior to disposal.
Minimum guidelines, in accordance with NIST 800-88 rev 1 Guidelines for Media Sanitization, shall be documented and data destruction records retained whether performed on or off premises.
Exceptions
Exceptions to this policy should be submitted to Information Security for review and approval.
Enforcement
Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy should notify Information Security as soon as practicable.
Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
Standards Referenced
USM IT Security Standards, v.5, dated July 2022
NIST SP 800-171r2 "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," dated February 2020
Cybersecurity Maturity Model Certification (CMMC), v.2.0, December 2021
Effective Date
This policy is effective as of the Version Effective Date set forth above and supersedes all prior policies on the subject matter hereof.