|
Scope:
Finance, Administration and Technology
|
Policy Administration:
Information Security Officer
|
|
Applies to:
Facilities within the University where information technology (IT) resources and business operations are located
|
Version:
Version 1.0 as of 2019-10-31
|
|
Approved by:
Executive Vice President of Finance, Administration and Technology
|
Approved on:
2019-10-31
|
1. PURPOSE
The purpose of this policy is to ensure that adequate controls are in place in order to protect Information Technology facilities, monitor them and minimize the risk of unauthorized use, damage, theft and non-compliance with University policies, contractual commitments and regulatory obligations. Information Technology Facilities include but are not limited to; buildings, rooms, closets and tunnels where the following technology assets, infrastructure and operations are located:
- Workspaces of Information Technology Services Personnel
- Service Desks
- General Purpose and Education Technology Computer Labs
- Storage Areas for Technology Assets Under the Custodianship of Information Technology Services
- Data Centers (Including Off-site Disaster Recovery)
- Network Electronics and Wiring Closets
- Access to Conduits for Communications Cables
2. POLICY STATEMENT
Effective September 1, 2020, Information Technology (IT) facilities where operations, infrastructure and assets (under the custodianship of Information Technology Services) are located must be housed in a secure location, protected with appropriate access controls and monitored for any unauthorized access, damage, and interference in accordance with the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense and in proportion to the level of acceptable risk. At a minimum, physical access to designated locations will be limited to the minimum necessary to fulfill job responsibilities in compliance with University policies on issuance of key and card access to buildings, rooms and other secured locations:
- Employees requiring admittance to an IT facility in order to perform their job responsibilities will only be granted access privileges after obtaining authorization from the requestor’s administrative area supervisor (or designee) and issued keycard access in accordance with the University’s policies and procedures for granting access to buildings and rooms. Key access will only be provided where keycard access does not provide the required access.
- Temporary access will be granted to individuals, such as contractors and consultants in accordance with the University’s policies and procedures for granting access to buildings and rooms after obtaining authorization from the requestor’s administrative area supervisor to perform pre-approved work within specified IT facilities.
- At no time, should any individual manually access an IT facility when card access is available. Additionally, where written logs at the entrances of IT facilities are maintained all visitors will be required to sign in and out when entering or leaving. Security cameras at the entrances of data centers will record video of people entering or leaving these areas.
- All systems housed within a data center should be considered secure; requiring a username and password with appropriate access levels. At no time, should a system remain logged in and unattended.
- Lost or stolen keys and/or keycards must be reported immediately to the appropriate administrative area supervisor. Keys and keycards must not be given to anyone else and shall be returned upon termination, transfer to another department or upon request of the administrative area supervisor.
Additionally, Information Technology Services in conjunction with other appropriate offices reserves the right to terminate access privileges for any individual not in compliance with this or any other applicable University policy.
3. ASSIGNED ROLES AND RESPONSIBILITIES
| Role |
Assigned Responsibilities |
| Information Security Officer |
Conducts an internal audit every 6 months to ensure appropriate access levels and controls are in place and maintained in accordance with this policy by conducting a periodic review of access logs from the keycard access system, sign-in logs at the entrances of designated locations and the recorded chain of custody for all keys and keycards issued to employees, contractors and consultants. Reports any findings of inadequate controls and/or unauthorized access to IT facilities to the ITS Coordinator of Business Operations and Chief Information Officer. Researches the necessity, feasibility, and cost of enhanced and/or additional controls (e.g. replacing door locks, video surveillance etc.) and provides recommendations to the Chief Information Officer accordingly. |
| ITS Coordinator of Business Operations |
Manages the process by which key and/or keycard access are issued, monitored and maintained for all ITS employees, contractors and consultants (only). Documents a complete, current and accurate recorded chain of custody for all keys and keycards issued to these individuals (only) including the IT facilities they have been granted authorized access privileges to. Initiates changes to key and keycard access privileges upon notification of termination of employment or a shift in job responsibilities for any employee, contractor or consultant under ITS supervision (only). |
| ITS Directors |
Initiates all requests for authorized access to IT facilities on behalf of employees, contractors and consultants under their administrative supervision and their subordinates by submitting them in writing according to a process implemented and managed by ITS Coordinator of Business Operations (who will present requests to the Chief Information Officer for consideration). Notifies the ITS Coordinator of Business Operations whenever key and keycard access privileges need to change or be removed upon termination of employment or a shift in job responsibilities, and whenever a key and/or keycard has been reported lost or stolen.
|
| Assistant Vice President of Facilities and Capital Planning (or Designee) |
Approves or revokes access to IT Facilities for all employees, contractors, and consultants under the direct supervision of Facilities and ensures that documentation is maintained for tracking keys and keycards that are issued to these individuals consistent with this Policy. |
| Chief of University Police (or Designee) |
Approves or revokes access to IT Facilities for all employees, contractors, and consultants under the direct supervision of Campus Police and ensures that documentation is maintained for tracking keys and keycards that are issued to these individuals consistent with this Policy. |
| Associate Vice President and Chief Information Officer |
Approves or revokes access to IT Facilities for all employees, contractors, and consultants under the direct supervision of Campus Police and ensures that documentation is maintained for tracking keys and keycards that are issued to these individuals consistent with this Policy. |
| Building or Property Managers (or Designee) |
Information Technology Services does not oversee access to any off-campus IT facilities which is the responsibility of the designated building or property managers residing in these locations. Ensures a complete, current and accurate recorded chain of custody is maintained for all keys and keycards issued granting access to IT facilities. |
4. RELATED UNIVERSITY PROGRAMS, POLICIES, OPERATIONAL PLANS AND PROCEDURES
| Documentation Name |
Documentation Steward |
| University Policy on Key and Keycard Access[i] |
Framingham State University Chief of Police |
| University Policy on Fixed Assets and Inventory Management |
Assistant Vice President of Facilities and Capital Planning |
| Comprehensive University Information Security Program |
Information Security Officer |
5. APPLICABLE LAWS, REGULATIONS, AND CONTRACTUAL OBLIGATIONS
| Statutory, Regulatory, Contractual, Executive Order |
Authority |
| MGL 94H-2 - Regulations to Safeguard Personal Information of Commonwealth Residents |
Massachusetts General Law (MGL) |
| 201 CMR 17 - Standards for the Protection of Personal Information of Residents of the Commonwealth |
Code of Massachusetts Regulations (CMR) |
| Payment Card Industry Data Security Standard (PCI/DSS)[i] |
Payment Card Industry Security Standards Council |
6. ENFORCEMENT OF POLICY VIOLATIONS
Failure to comply with this policy, intentionally or unintentionally, may result in one or more of the following:
- Termination, without notice, of access privileges to information and technology facilities.
- Disciplinary action, up to and including termination of employment.
- Civil or criminal penalties as provided by law.
7. REVIEW AND REVISION HISTORY
Information security policies must be reviewed annually by the Information Security Officer. If a policy has been revised, then it must have all necessary approvals before being published. In the last column, indicate whether the activity was a review or a revision; if a revision, summarize the changes.
| Date |
Name and Title |
Summary of Review and Revision |
| 2019-08-08 |
Roy Galang, Information Security Officer |
The “Data Center Access Policy” was updated following a review prompted by the 2019-07-31 draft report from an assessment of the Framingham State University (FSU) Facilities and Capital Planning Department, Inventory Control Office (ICO) – Fixed Asset Inventory function to include additional “IT facilities”. |
| 2019-08-13 |
Patrick Laughran, Associate Vice President and Chief Information Officer |
Upon further review and consideration, it became apparent that the “Data Center Access Policy” had become inadequate in several respects and therefore this new “Policy on Restricting and Monitoring of Physical Access to Information Technology Facilities” will replace it. This new policy draft attempts to more clearly define assigned roles and responsibilities, and better align with University policies on building, room and key/keycard access. |
| 2019-08-23 |
Patrick Laughran, Associate Vice President and Chief Information Officer |
Changes incorporated from responses to a request for comment sent to the Information Technology Services Leadership Team. |
| 2019-09-06 |
Patrick Laughran, Associate Vice President and Chief Information Officer |
Changes incorporated from responses to a request for comment sent to the Associate Vice President of Facilities and Capital Planning, Chief of University Police and Assistant Vice President of Human Resources. |
| 2019-10-31 |
Patrick Laughran, Associate Vice President and Chief Information Officer |
Changes incorporated from the Associate Vice President of Facilities and Capital Planning and Executive Vice President of Finance, Administration and Technology. |
[1] https://www.framingham.edu/student-life/university-police/fsu-card-access-and-key-request/index
[1] The standards are maintained by the Payment Card Industry Security Standards Council, an independent entity established by the major card brands in 2006. ... This is industry self-regulation, so you can't go to jail for non-compliance with PCI DSS – but you can lose the ability to process payment cards. See https://www.lbmc.com/blog/6-myths-about-pci-compliance-regulations/