State of Vermont. Physical Security for Computer Protection Policy



Similar documents
State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard

HIPAA Security Alert

ISO IEC ( ) INFORMATION SECURITY AUDIT TOOL

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

PBGC Information Security Policy

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Music Recording Studio Security Program Security Assessment Version 1.1

Integration of Visitor Management with Access Control Systems

Select Agent Program Workshop November 16, Agricultural Select Agent Program (USDA/APHIS) CDC Select Agent Program (HHS/CDC)

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Level I - Public. Technical Portfolio. Revised: July 2015

Importers must have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors.

Service Children s Education

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

Intermec Security Letter of Agreement

HIPAA Information Security Overview

Supplier Information Security Addendum for GE Restricted Data

PENN STATE DATA CENTERS POLICY IMPLEMENTATION AND PROCEDURES MANUAL

INFORMATION TECHNOLOGY POLICY

C-TPAT Importer Security Criteria

HIPAA Security. assistance with implementation of the. security standards. This series aims to

New River Community College. Information Technology Policy and Procedure Manual

Data Management Policies. Sage ERP Online

Risk Assessment Guide

State HIPAA Security Policy State of Connecticut

C-TPAT Self-Assessment - Manufacturing & Warehousing

System Security Plan University of Texas Health Science Center School of Public Health

Information Security Policy Best Practice Document

Manage and secure your workplace by controlling who, what, when, why, where and how people are allowed in your facility. Marquee

SECURITY VULNERABILITY CHECKLIST FOR ACADEMIC AND SMALL CHEMICAL LABORATORY FACILITIES

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

WAREHOUSE SECURITY BEST PRACTICE GUIDELINES CUSTOMS-TRADE PARTNERSHIP AGAINST TERRORISM

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

IOWA LABORATORIES FACILITIES PHYSICAL SECURITY PLAN

8.1.6 POLICY ON KEYS AND OTHER BUILDING ACCESS DEVICES. Policy Statement COLLEGE OF CHARLESTON POLICY ON

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

State of Vermont. Digital Media and Hardware Disposal Standard. Date: Approved by: Policy Number:

Physical Security. Paul Troncone CS 996

MINIMUM SECURITY GUIDELINES FOR SOURCE MANUFACTURER/WAREHOUSEMEN C-TPAT INFORMATION

Customs & Trade Partnership Against Terrorism (C TPAT)

ABBVIE C-TPAT SUPPLY CHAIN SECURITY QUESTIONNAIRE

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

File 6: Appendix A, 36 CFR 1234 (formally numbered as 36 CFR 1228 subpart K) Federal Facility Security Standards (version 2.0 issued May 15, 2014)

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

welcome to Telect s Minimum Security Criteria for Customs-Trade Partnership Against Terrorism (C-TPAT) Foreign Manufacturers Training Presentation

IM-93-1 ADP System Security Requirements and Review Process - Federal Guidelines

Audit, Finance and Legislative Committee Mayor Craig Lowe, Chair Mayor-Commissioner Pro Tem Thomas Hawkins, Member

VISTA Operations Management Systems COMPLETE SECURITY SOLUTIONS FOR ANY RETAIL BUSINESS. Value Beyond Security

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Disaster Recovery Plan Checklist

Data Centers and Mission Critical Facilities Access and Physical Security Procedures

ISO Controls and Objectives

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

REVIEWED ICT DATA CENTRE PHYSICAL ACCESS AND ENVIROMENTAL CONTROL POLICY

Global Supply Chain Security Recommendations

Supplier Security Assessment Questionnaire

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

BNA FEDERAL CREDIT UNION DISASTER RECOVERY PLAN

Security-in-Depth 4/26/2013. Physical Security Webinar. DCO Meeting Room Navigation. Host: Danny Jennings

Security Criteria for C-TPAT Foreign Manufacturers in English

Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

COVERAGE ENHANCEMENT ENDORSEMENT

HIPAA ephi Security Guidance for Researchers

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Seventh Avenue Inc. 1

FINAL May Guideline on Security Systems for Safeguarding Customer Information

DFA EXTERNAL AGENCY POLICY AND FORMS FOR ACCESS CONTROL

Information Security Network Connectivity Process

Secure Data Center Operations Gilbert Held Payoff

MARULENG LOCAL MUNICIPALITY

SITECATALYST SECURITY

Transcription:

State of Vermont Physical Security for Computer Protection Policy Date Approved: 04-02-10 Approved by: Tom Pelham Policy Number: 0501.012005

Contents 1.0 Introduction... 3 1.1 Authority... 3 1.2 Purpose... 3 1.3 Scope... 4 2.0 Policy... 4 2.1 Use of Secure Areas to Protect Data and Information... 4 2.2 Physical Access management to protect data and information... 4 3.0 Policy Notification... 5 Page 2 of 5

1.0 Introduction 1.1 Authority The State of Vermont is authorized to undertake the development of enterprise architecture policies and standards. The Department of Information and Innovation (DII) was created in VSA 22 901 (1), to provide direction and oversight for all activities directly related to information technology, including telecommunications services, information technology equipment, software, accessibility, and networks in state government. Managers, employees, records personnel, third party vendors and all others who connect to or handle State of Vermont networks and data are responsible for reviewing this policy in concert with business, legal, and information technology staff to ensure that the policy (1) meets legal requirements specific to the agency and its data and (2) can be effectively carried out by agency employees. If laws or regulations require more stringent requirements than stated in this policy, the internal policy created by the agency must explicitly state the more stringent requirements. Agencies shall not develop an internal policy with requirements lower than the minimum requirements listed in this policy. 1.2 Purpose State office locations that include computers and other types of information technology resources must be safeguarded against unlawful and unauthorized physical intrusion, as well as fire, flood and other physical threats. This includes but is not limited to; security doors, key entry areas, external doors that are locked from closing until opening of the building, locked and/or barred windows, security cameras, registration of visitors at entrances, security guards, and fire protection. Information Security issues to be considered are: Unlawful access may be gained with the intent of theft, damage, or other disruption of operations. Unauthorized and illegal access may take place covertly (internal or external source) to steal, damage, or otherwise disrupt operations. Destruction or damage of physical space may occur due to environmental threats such as fire, flood, wind, etc. Loss of power may result in the loss of data, damage to equipment and disruption of operations. Page 3 of 5

1.3 Scope This policy addresses threats to critical IT resources that result from unauthorized access to facilities owned or leased by the State of Vermont, including offices, data centers and similar facilities that are used to house such resources. 2.0 Policy All information resource facilities must be physically protected in proportion to the criticality or importance of their function. Physical access procedures must be documented, and access to such facilities must be controlled. Access lists must be reviewed at least quarterly or more frequently depending on the nature of the systems that are being protected. 2.1 Use of Secure Areas to Protect Data and Information Use physical methods to control assess to information processing areas. These methods include, but are not limited to, locked doors, secured cage areas, vaults, ID cards, and biometrics. Restrict building assess to authorized personnel. Identify areas within a building that should receive special protection and be designated as a secure area. An example would be a server room. Use entry controls. Security methods should be commensurate with security risk. Ensure that physical barriers are used to prevent contamination from external environmental sources. For example: Water tight walls in flood zones. Proper ventilation in areas exposed to chemical vapors. Compliance with fire codes. Installation, use and maintenance of air handling, cooling, UPS and generator backup to protect the IT investment within data rooms. 2.2 Physical Access management to protect data and information Access to facilities that house critical state IT infrastructure, systems and programs must follow the principle of least privilege access. Personnel, including full and part-time staff, contractors and vendors staff should be granted access only to facilities and systems that are necessary for the fulfillment of their job responsibilities. The process for granting physical access to information resources facilities must include the approval of the CIO, or his or her designee. Access reviews must be conducted at least quarterly, or more frequently depending on the nature of the systems that are being protected. Removal of individuals who no longer require access must then be completed in a timely manner. Page 4 of 5

Access cards and keys must be appropriately protected, not shared or transferred and returned when no longer needed. Lost or stolen cards/keys must be reported immediately. Security clearance for visitors. This could include, but is not limited to, a sign in book, employee escort within a secure area, ID check and ID badges for visitors. 3.0 Policy Notification Each state agency is responsible for ensuring that employees are aware of where policies are located on websites. Agencies are also responsible for notifying employees of policy change or the creation of new policies that pertain to the agency/department function. Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information