Physical Security Policy

Revision Date:2009-05-28

Revision Number:1.0

Policy Information:

1.0      Revision History


Northern Arizona University 



Document No. 


Effective Date 


Revision Date 

May 28, 2009 

Revision No. 

DRAFT 1.0 

Producer:  Information Technology Services,  

Harper P. Johnson, Director of Information Security 

2.0          Purpose

This purpose of this Physical Security Policy is to prevent unauthorized access, theft, interference, and damage to University data, information, or information systems.   


3.0      Definitions

Information – Data elements, whether in part or combined, that are of value to the University, such as student or employee records, intellectual property, research data, or other information. 


Information Systems – All computer and network systems owned by and/or administered by the University. This includes all computing platforms of all sizes from personal digital assistants (PDAs) to mainframe computers, all peripheral devices and media, and all data contained on those systems. 


System Administrator – The individual primarily responsible for technical management of the system or information asset within an organization or unit. 


University Administrators - For the purposes of this Policy are those individuals responsible for campus organizational units (e.g., deans, department chairs, principal investigators, directors, or managers) or individuals having functional ownership of data. 


Visitor – One who normally does not have regular access to protected NAU information systems whether they are vendors, contractors, temporary employees, staff, faculty, affiliates, or guests. 


4.0      Applicability

4.1 This Policy applies to all Northern Arizona University faculty, staff, students, and University Affiliates. 

4.2  This Policy applies to all information systems. 

4.3 This Policy applies to data and information in any tangible form whether it is written, filmed, typed, recorded electronically or printed, and to all University information resources. 


5.0      Policy

5.1  Appropriate physical entry controls will be deployed to restrict access to information and information systems to only those authorized in secured areas.  

5.2  A formal documented process must be in place to grant and revoke physical access to information and information systems in secured areas.  

5.3  Access lists must be periodically reviewed for appropriateness. 

5.4  Equipment will be sited within areas to securely protect against Natural Disasters and Environmental Hazards commensurate with 5.1.  

5.5  Equipment sites will periodically be inspected and environmental controls formally tested with the results documented.  

5.6  A formal process must be in place to ensure that information is completely removed or destroyed upon equipment disposal or reassigning equipment for another use. 

5.7   Equipment should not be removed from a secured area without appropriate, prior authorization.  

5.8    A formal process should be in place to record the removal from a secured area of any server or other system containing sensitive data. The capital asset inventory number, the individual removing or returning the machine, date and time should be documented.


6.0      Roles & Responsibilities

President of the University: The President support and authorizes this Policy for University-wide implementation.

University Administrators: University Administrators have a responsibility to ensure that this Policy is supported with their organizational units.

Director of Information Security: The Director of Information Security is responsible for developing and implementing procedures and guidelines necessary to implement this Policy

System Administrators must evaluate the information and information systems under their responsibility to determine the level of sensitivity, criticality, and value of those assets to their organizational unit and implement appropriate physical barriers per section 5.0.


7.0          Compliance

Persons who are subject to this Policy may also be subject to the provisions of applicable NAU Personnel Policies, the student employment handbook, and Arizona Board of Regents policies, including provisions for discipline for violation of this Policy, as well as applicable legal sanctions.


8.0     References

Arizona Board of Regents:  Information Security Policy  

Arizona Board of Regents:Information Security Guidelines

NAU Information Security Policy

All ITS Policies


Policy Documents: