4-OP-H-25.08 IT Physical Security Standard

I. Purpose

This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It defines the requirements for protecting all campus facilities that maintain University information resources from physical and environmental threats in order to reduce the risk of loss, theft, damage, interruption, or unauthorized access to those resources.

Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.

II. Definitions

Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.

Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

Full IT Glossary

III. Standard

FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.

University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.

Controls supporting this Standard include, but are not limited to:

NIST Cybersecurity Framework and Controls

Function	Category	Desired Outcome (Subcategory)
Protect (PR)	(PR.AC) Identity Management and Access Control (Physical Assets): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.	PR.AC-2: Physical access to assets is managed and protected
		PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropriate
	Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.	PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
		PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
Detect (DE)	Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.	DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
		DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
	Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.	DE.DP-3: Detection processes are tested
Respond (RS)	Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities.	RS.AN-1: Notifications from detection systems are investigated

Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.

Roles and Responsibilities

Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
Information Technology Services (ITS)
ITS maintains and operates the FSU Enterprise Network and provides upstream external connectivity.

For more information, see IT Roles and Responsibilities.

Physical Security Of Facilities

This Standard applies to all campuses of the University. It applies to all units, faculty, principal investigators, staff, vendors, and contractors who process, maintain, transmit, or store institutional data on any device, whether or not that device connects to the campus network.

This Standard applies to all University facilities. This document specifically outlines requirements for those facilities that encompass the University’s essential network operations and data centers, research activities, and patient care. Essential network operations are defined as the cabling, equipment, and network and telecommunications rooms associated with the University backbone that carries aggregated network traffic to and from all FSU buildings and to external network connections.

Any FSU facility that processes or stores data classified as High Risk or Moderate Risk, as defined by the 4-OP-H-25.01 Data Security Standard, must comply with the 4-OP-H-25.02 Information Privacy Standard and must implement physical security controls based on the identified risks associated with unauthorized access and the type of facility in which the data is maintained. Physical access to information resource facilities (e.g., data centers and communication closets) must be restricted to authorized personnel only. In addition, some regulations and contractual obligations with which FSU must comply have mandated physical security requirements. Research grants, contracts, and other project charters may require that controls such as NIST 800-171 or Cybersecurity Maturity Model Certification (CMMC) are required for the project. Those standards and associated controls supersede the requirements specified in this document.

Users are responsible for safeguarding brass keys, security tokens, smart cards, identification badges, or other devices used for authentication and access to secured IT facilities. Users must not share access devices used to provide access to secure data or computing facilities. The loss or suspected compromise of any such device must be immediately reported to the University Unit/CUU DDDH or ITS manager responsible for the facility.

Protected Facilities

The following physical environments must be protected:

Data Centers and other Secure Infrastructure Facilities
Data centers and network and telecommunications rooms housing networked servers for file storage, application hosting, data processing, and other primary computing functions must be secured according to this Standard. Peripheral equipment and mechanical room locations are also included.

Clinical Environments
Physical security controls are critical in clinical facilities, both to help ensure patient safety and to limit physical access to electronic information systems containing Personal Health Information (PHI).

Research Environments

Individual-centered research environments, including faculty offices and workstations in public computing locations.
Shared or group-centered research environments including laboratories and clinical environments. Variation in research environments may dictate different applied security procedures.

Office Environments
Some offices are assigned solely to an individual who has complete control over access to the space. Others are shared spaces and require more explicit physical security controls.

Access Controls For Physical Security Of Facilities

ITS and CUUs/University Units must implement access and authorization controls to protect facilities they manage that maintain University information resources from physical and environmental threats, as required by this Standard:
Physical Access Authorization
ITS and CUU / University Unit ISMs must:

develop, approve, and maintain a list of individuals with authorized access to the facility where the information system resides.
authorize credentials for facility access

Access to secure facilities requires approval by the University Unit/CUU DDDH or ITS manager responsible for the facility. Access to the FSU Telecommunications Room is managed by the ITS Network and Communications Technologies Director as defined by the Telecommunications Room Management Plan.

Brass keys to secured areas will only be approved:

based on an individual’s role or responsibilities and requirement to perform their job functions
based on justification due to unavoidable technical requirements
with approval of the key holder’s University Unit/CUU DDDH
with approval of the ITS Network and Communications Technologies Director

Brass keys will be issued by the Key Shop. ITS will maintain a record of all individuals who have been authorized access. The Key Shop will maintain a record of individuals who have been issued keys.

Physical Access Controls
ITS and University Unit/CUU ISMs must:

enforce access at entry and exit points by verifying authorization. A photo ID may be required upon request by university security staff who are charged with maintaining the security of the facility.
remove individuals from the facility access list when access is no longer required, according to the 4-OP-H-25.07 IT Access, Authorization and Authentication Standard
test physical access devices no less than annually to ensure proper function
maintain access audit logs
escort visitors and monitor visitor activity
secure brass keys, lock combinations and other physical access devices
inventory physical access devices at least annually
change combinations and brass keys when keys are lost, combinations are compromised, or individuals are transferred or terminated
control access to output devices that may provide visibility to High Risk or Moderate Risk data (e.g. monitors, printers, scanners, copiers, facsimile machines, etc.)
coordinate with the FSU Police Department and ISPO for the installation of cameras or any monitoring devices. System information such as University Unit, location, purpose, device type, manufacturer, and location of surveillance storage (memory card, on-prem hard drive, cloud, etc.) must be provided.

Environmental Controls
ITS and CUU / University Unit ISMs must, as appropriate:

protect IT resources from environmental hazards (e.g., temperature, humidity, dust, etc.) in accordance with manufacturers’ specifications
include facilities in disaster recovery and contingency planning to support restoration of data and infrastructure in the event of an emergency or disaster. (See 4-OP-H-25.12 IT Disaster Recovery Planning Standard).
place power equipment and cabling in safe locations to prevent environmental and/or manmade damage and destruction
protect emergency power shutoff capability from unauthorized activation
implement uninterruptible power supply (UPS) to facilitate transition to long-term alternate power in the event of a primary power source loss
install and maintain fire detection and suppression devices that are supported by an independent power source
install and maintain fire detection devices/system that activates automatically and notifies emergency personnel in the event of a fire. Physical access controls must allow employees to egress from secured areas and not allow them to return until the fire detection devices are re-armed.
protect equipment from damage resulting from water leakage

Incident Reporting

Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.