Skip to content

Information Security Standards



Information Technology support staff, system administrators, and information security administrators may have information resource physical facility access requirements as part of their job duties. The granting, controlling, and monitoring of the physical access to information resource facilities is extremely important to an overall security program.


This procedure applies to facilities that house multi-user systems (i.e., a server room or a voice and data switch room) that process or store mission critical and/or confidential information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with Physical Access. The intended audience for this procedure includes, but is not limited to, all information resources data/owners, management personnel, and system administrators.


1. All physical security systems shall comply with applicable regulations such as, but not limited to, building codes and fire prevention codes.

2. All information resource facilities shall be physically protected in proportion to the criticality or importance of their function at the University.

3. Access to information resources facilities shall be granted only to departmental personnel, vendors, or other authorized personnel whose job responsibilities require access to that facility.

4. There shall be an approval and documentation process for granting and revocation/return of security codes, access cards, and/or key access to information resources facilities.

5. Individuals who are granted access rights to an information resource facility must sign appropriate access agreements. Individuals from other departments, such as facilities and university police will also receive information regarding appropriate physical security practices and emergency procedures.

6. Security access codes, access cards and/or keys to information resource facilities must not be shared or loaned to others. If a revocable resource, such as a card or access code, is shared, it must be deactivated upon notification.

7. Visitors must be escorted in restricted access areas of information resource facilities.

8. Physical access records shall be maintained as appropriate for the criticality of the information resources being protected. Such records shall be reviewed as needed by organizational unit heads or their designees.

9. Signage for restricted access rooms and locations must be practical, yet display minimal discernible evidence of the importance of the facility.


Last Updated March 31, 2014

Quick Links

Need an update?

To request a change to this page or to request access to make changes yourself, email