1 CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue:
2 Document Control Document Owner Classification Publication Date OCIO PUBLIC Revision History Version Date Summary of Changes Initial Release Distribution Copy Issued to Location Master Public
3 Contents 1 Policy Statement Objective Securing Work Areas Physical Entry Controls of Secure Area Equipment Security Responsibilities System Owner, Controller, and Secure Area Personnel Authorized Staff with Access to Sensitive Information and Facilities Visitors Summary... 4 Reference... 4
4 Page 1 of 4 1 Policy Statement The City University of Hong Kong or hereinafter referred as the University must ensure that unauthorized physical access to IT infrastructures, information, and information systems of the University are prohibited. These include the setups of all University Units. 2 Objective The objective of this document is to govern physical security controls protecting information and information facilities of the University from unauthorized access, damage, and interference. 3 Securing Work Areas Work areas are broadly referred to Offices, Rooms, Facilities, and Secure Area of the University. Work areas shall be protected by security perimeters with limited entry and exit points, while fulfilling relevant health and safety regulations and standards. The perimeter should be physically sound. There should be no gaps in the perimeter or areas where a break-in could easily occur. The external walls should be of solid construction and all external doors should be protected against unauthorized access using appropriate control mechanisms such as alarms, locks, CCTV, etc. Suitable intrusion detection systems should be professionally installed and regularly tested to cover premises. General buildings, offices, rooms and facilities should be protected by ensuring that all doors and windows remain closed and locked while unoccupied. Manned reception desks should be used to restrict access to offices of supporting and servicing units containing confidential information. Critical equipment and information should be placed in secure areas (such as filing cabinet rooms, printing rooms, computer rooms, and data centers). Access areas to secure should be restricted to authorized personnel only. The cost of implementing protection measures should commensurate with the identified level of acceptable risk. Personnel should only be aware of the existence of, or activities within, a secure area on a need-toknow basis Personnel of contracted third party service providers should be given restricted access to secured rooms and this should always be under supervision unless CCTV camera equipment monitoring the rooms.
5 Page 2 of 4 4 Physical Entry Controls of Secure Area Secure areas should be protected to ensure that they are only accessible to authorized personnel. Entry to secure areas should be handled as follows: Entrance of secure areas must be controlled by physical token, e.g. access control card, assigned to onsite personnel or authorized staff only; Visitors, including staffs and contractors, must be authorized before entering secure areas; access should be granted for specific, authorized purpose only and their access being recorded; Approval records and access log must be preserved Onsite personnel should wear physical badge; Visitors should wear physical visitor badges unless they are escorted by authorized staff of the University or onsite personnel who is wearing a badge; Visitor badges must be surrendered before leaving the secure areas; Moving of materials and equipment into and out of site must be escorted by onsite personnel, inventory being checked and logged; Transfer log shall be used to maintain a physical audit trail of change in equipment. Onsite personnel or authorized staff should document the following: o Owner, controller or custodian responsible for the equipment o Report number, Model number and Serial number equipment if available o Time in or out o Name of transferor Visitor log shall be used to maintain a physical audit trail of visitors activities. Retain this log for a minimum of three months. Onsite personnel or authorized staff should verify the identify and documents the following of visitors: o Name o Organization or company represented o Time in and out o Purpose of visiting o Signature of visitor o Signature of verifier System owner, custodian or controller should indicate the Information Classification and/or security requirements of equipment in secure area; Access to equipment in secure area shall be granted by system owner, custodian or controller Equipment Access log shall be used to maintain a physical audit trail of visitors activities. Onsite personnel or authorized staff should document the following: o Name o Equipment (e.g. Cabinet or Rack identifier) o Time start and end Visitor log and Equipment Access log should be regularly reviewed by Management to detect any unauthorized or inappropriate access CCTV cameras should be installed to monitor the access activities of secure areas. Access control and retention policy of recorded media should be defined and followed.
6 Page 3 of 4 5 Equipment Security Equipment should be protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access and equipment theft. Equipment, information or software should not be taken off-premises without prior authorization. Appropriate security measures should be applied to equipment placed in public (e.g. Express Terminals) and area off-site equipment, taking into account the various risks of working Appropriate power protection (e.g. Uninterruptable Power Supplies, Redundant Power Feeds), adequate fire protection, proper heating and cooling should be installed to prevent interruption of service or availability. Maintenance contracts should be in placed to ensure that equipment will be correctly maintained. 6 Responsibilities Clearly define responsibilities are needed for proper management and protection of physical access to the University s sensitive information and information processing facilities. This is achieved by establishment of the following roles: 6.1 System Owner, Controller, and Secure Area Personnel Authorize, control and monitor visitor s access to secure area, protected equipment, and information processing facilities; Control working in server area; Review and update access rights to secure area regularly; Control the physical security perimeter for secure area; Implement the physical entry controls for secure area; Control the isolated delivery and loading area for secure area; and Review the processes involved in the above protections. 6.2 Authorized Staff with Access to Sensitive Information and Facilities Escort authorized visitors within secure area; and Challenge and report any un-escorted strangers or anyone not wearing visible identification. 6.3 Visitors Comply with physical security standards of the University; and Obtain approvals from relevant management prior to access to the University s sensitive information or information processing facilities.
7 Page 4 of 4 7 Summary The University must restrict the physical access to its sensitive information and information processing facilities. Physical access rights are only granted on a need-to-know basis. Visitor logging must be implemented and access logs should be reviewed regularly. Reference The following documents were consulted during the preparation of this document: City University of Hong Kong (2013), Information Security Policies City University of Hong Kong (2013), Environmental Security Standard City University of Hong Kong (2013), Guidelines on Access Control of the Computer Room, https://wiki.cityu.edu.hk/sites/ccwiki/mngt/ppp/security/guide-computerroomaccesscontrol.htm
April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1 Models of IT Security Security Rules & Regulations: An Interpretation Dines Bjørner Fredsvej 11, DK 2840 Holte, Denmark Presented at Humboldt
Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND
System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the
Jefferson County School District Information Technology Policies and Procedures 575 S. Water Street Monticello, FL 32344 (850) 342-0100 www.jeffersonschooldistrict.org June 2014 Table of Contents 1.0 Overview...
Information Technology Policies and Procedures Wakulla County School District March 2014 Table of contents TABLE OF CONTENTS... 1 1.0 OVERVIEW... 2 2.0 PURPOSE... 2 3.0 SCOPE... 2 4.0 ACCEPTABLE USE POLICY...
Security Criteria for C-TPAT Foreign Manufacturers in English These minimum security criteria are fundamentally designed to be the building blocks for foreign manufacturers to institute effective security
Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether
The Archbishop s Seminary Information Security Policy 1 Contents PURPOSE... 4 SCOPE... 4 POLICY STATEMENTS... 5 INFORMATION SECURITY POLICY... 5 THE SCHOOL S RIGHT TO ACCESS ITS PROPERTY... 5 THE SCHOOL
Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:
EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL Public Health and Risk Assessment Pharmaceuticals Brussels, SANCO/C8/AM/sl/ares(2010)1064599 EudraLex The Rules Governing Medicinal Products
Poplar Street Primary School ICT Security and Acceptable Use Policy E-Safety policy 2013/14 Working Together Aiming High! 1 Contents 1. Introduction... 3 2. Policy Objectives... 3 3. Application... 3 4.
HIPAA Privacy and Security Risk Assessment and Action Planning Practice Name: Participants: Date: MU Stage: EHR Vendor: Access Control Unique ID and PW for Users (TVS016) Role Based Access (TVS023) Account
Mobile Devices Security Policy 1.0 Policy Administration (for completion by Author) Document Title Mobile Devices Security Policy Document Category Policy ref. Status Policy Unique ref no. Issued by GSU
Information Security Policy The purpose of this Policy is to describe the procedures and processes in place to ensure the secure and safe use of the federation s network and its resources and to protect
FDA 21 CFR Part 11 Electronic records and signatures solutions for the Life Sciences Industry The Rule 21 CFR Part 11 Handwritten signature means the scripted name or legal mark of an individual handwritten
GmbH NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This document may not be copied, distributed, used, stored or transmitted in any form or by any means, whether
Delgado Community College Information Technology Security Policy Approved: *November 5, 2010 ) Delgado Community College IT Security Policy Page 2 *November 5, 2010 Table of Contents Title Page 1.0 Introduction
Federal Trade Commission Privacy Impact Assessment Mobile Device Management System February 2015 1 1. Overview The FTC Mobile Device Management (MDM) System includes three separate components that provide
Oracle WebCenter Content 21 CFR Part 11 Certification Kim Hutchings US Data Management Phone: 888-231-0816 Email: firstname.lastname@example.org Introduction In May 2011, US Data Management (USDM) was
PCI DSS PCI Prioritized DSS Approach for for PCI DSS.0 The Prioritized Approach to Pursue PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, 1 requirements
Cefic/APIC "How to do" Document ACTIVE PHARMACEUTICAL INGREDIENTS COMMITTEE GDP for APIs: How to do Document Interpretation of the WHO Guideline GOOD TRADE AND DISTRIBUTION PRACTICES FOR PHARMACEUTICAL
21 CFR Part 11 Implementation Spectrum ES INFRARED SPECTROSCOPY T E C H N I C A L N O T E Introduction Compliance with 21 CFR Part 11 is mandatory for pharmaceutical companies and their suppliers to sell
Data Security Policy Member of Staff Responsible ICT Team Author: Sunil Pindoria Dated 03/02/2015 Date of next review 03/02/2016 Page 1 CONTENTS INTRODUCTION... 3 MONITORING... 4 BREACHES... 5 DATA SECURITY...
Information and ICT Security Policy Care Excellence Partnership Updated May 2011 Due for review July 2012 Senior Information Risk Owner (SIRO) P. Tilson I:drive/Policies/Information and ICT Security Status