Facility Security Plan

1.0 Purpose

Facility security refers to the physical security of space and hardware, including access control mechanisms, visitor control, and maintenance of records, as well as the process for equipment/inventory control.

2.0 Scope

In accordance with the “security standards” incorporated into the Health Information Portability and Accountability Act, a facility security plan must be an integral part of the College of Public Health Information Technology procedures and guidelines. A documented plan for facility security reduces the risk that key information technology assets are accessed inadvertently or inappropriately by persons without authority.

The goals of the plan include:

  • Prevent unauthorized access to restricted areas.
  • Prevent the sabotage of property and/or equipment.
  • Prevent the theft of equipment, supplies, or data.
  • Encourage vigilance, as well as general awareness of security.
  • Raise an alarm in reaction to a security threat or incident.
  • Ensure familiarity with the security plan and procedures.
  • Coordinate responsibilities between College, Departments, and Centers.
  • Provide information to members of administration and to law-enforcement personnel, in case of an incident affecting security.
  • Provide adequate security training and awareness to faculty, staff and students.

3.0 Applicability

The Facility Security Plan is applicable to all College of Public Health faculty, staff and students.

4.0 Guiding Principles

The guiding principles of the plan include:

  • The fundamental principle of security is access control.
  • The safety and security of faculty, staff, and students.
  • The safety and security of visitors.
  • The safety and security of hardware, software and data.

5.0 Risk Assessment

In assessing the level of risk, the collegiate Office of Information Technology Security Officer, in conjunction with departmental administrators, should consider:

  • the general layout of offices, clinics, and server rooms.
  • the location of restricted areas.
  • the location and function of each access point.
  • the emergency and standby equipment available to maintain essential services.
  • the existing security and safety equipment for protection.
  • the existing policies, procedures, and guidelines.
  • the competence and reliability of faculty, staff, and students.

6.0 Determination of Threat Levels

In determining the level of threat, the collegiate Office of Information Technology Security Officer, in conjunction with departmental administrators, should consider:

  • the general security level of the United States.
  • the general security level of the Midwest (State of Iowa).
  • the general security level of Iowa City.
  • the general security level of the University of Iowa.
  • the general security level of collegiate buildings.
  • the general security level of windows and doors.
  • the general security level of workstations and servers.
  • the general security level of laptops, PDAs and other devices.

7.0 Plan

7.1 Authority and Responsibility

The collegiate Office of Information Technology, in coordination with Principal Investigators, departmental administrators, and supervisors, is directly responsible for the physical security and integrity of critical data, such as protected health information, human resources data, and academic coursework. Furthermore, the collegiate Office of Information Technology has the right to implement the appropriate security measures to ensure data security and integrity. The College, Departments, and Centers are responsible for providing the financial and leadership support required by the collegiate Office of Information Technology.

7.2 Organization and Goals

Organization is a key element to the Facility Security Plan. Policies, procedures and guidelines must be in place to complement the Facility Security Plan, such as procedures for Data Destruction and De-sanitization, Account Authorization and Access Controls, Account Termination, Password Policy, General Security Plan, Incident Handling, Backup and Restore, System/Server Monitoring and Audit, and Security Training/Education and Awareness.

In developing the Facility Security Plan, the goals include:

  • Determine the appropriate access controls.
  • Prevent unauthorized access, distribution, disclosure, and availability of data.
  • Prevent unauthorized access to facilities, hardware, and software.
  • Establish monitoring mechanisms, preferably automated, to monitor facility security and integrity.
  • Prevent unauthorized hardware devices within the facility.
  • Encourage vigilance among all faculty, staff and students for security breaches or potential breaches.
  • Provide adequate security training and/or exercises in order to be able to respond to security breaches.
  • Provide information to law enforcement officers, security officers, and the collegiate Office of Information Technology in the event of a security incident.

7.3 Access

The fundamental principle of security is access control. The collegiate Office of Information Technology highly recommends the following access control measures:

  • All major entrance doors should contain card-swipe key entry or biometric security controls.
  • All restricted areas, such as server rooms, should contain card-swipe key entry or biometric security controls.
  • Server rooms should be isolated from all other activities, contain no windows, and include a solid door that is always locked.
  • Server rooms should house a dedicated electrical box.
  • Server rooms should house a dedicated temperature control unit for proper temperature control.
  • All user accounts must abide by the University Password Policy.
  • All System Administrator accounts must have a password containing a minimum of 15 characters.
  • All workstations and laptops must automatically password lock within 20 minutes of inactivity.
  • All workstations and laptops must be password locked when leaving the physical room.
  • All restricted areas, such as areas containing protected health information, must be continually monitored for security breaches.
  • All persons authorized to handle computer data must have a user account, such as HawkID.
  • All protected computer data must have the appropriate access controls and privileges.

7.4 Security Restricted Areas

Security restricted areas are established as a security measure to control access and activities within them. A good example of a “security restricted area” is a server room, which contains highly sensitive data, such as protected health information. The purposes of security restricted areas include preventing unauthorized access, protecting critical/sensitive data, preventing theft of hardware and software, and protecting against inadvertent or purposeful damage to IT resources.

Security restricted areas should include card-swipe key entry or biometric security controls. Security restricted areas should be isolated from all other activities, contain no windows and include a solid door that is always locked. Every effort should be made to restrict physical access to a minimal number of authorized employees. Security restricted areas should be constantly monitored for security breaches. In the case of a server room, the collegiate Office of Information Technology highly recommends restricting access to qualified System Administrators.

7.5 Handling Hardware, Software, and Data

All faculty, staff, and students are required to have a HawkID and password. Authorization to facilities containing computing hardware, software, and data will be managed by departmental administrators and supervisors, in coordination with the collegiate Office of Information Technology. Access controls are required on all critical data, including protected health information, human resource information, and academic coursework. Password encryption is required by the collegiate Office of Information Technology. Every effort will be made to physically enhance the security and handling of computing hardware, software, and data.

7.6 Monitoring Security

Monitoring and enforcement are key elements to the success of security procedures. In coordination with the Server Monitoring and Audit Plan, the collegiate Office of Information Technology strongly recommends the following security monitoring measures:

  • Implement automated threshold technologies that contact System Administrators, such as by phone paging or e-mail, when an instance reaches a threshold. Good examples include GFI Network Security Monitor and GFI Security Event Log Monitor.
  • Routinely monitor event logs, such as security, application, and system logs.
  • Monitor backup and restore logs on a daily basis.
  • Routinely monitor performance of servers and workstations.
  • Routinely monitor network bandwidth, lags, and outages.
  • Routinely monitor and track inconsistent behavior of servers and workstations.
  • Implement intruder detection devices to monitor the local area network.
  • Implement firewall protection.
  • Implement Systems Management Server (SMS) software, or other systems management tools, to inventory and monitor hardware and software of workstations and servers.
  • Implement Anti-Virus Management software, such as Symantec Anti-Virus Management Console, to manage and monitor for viruses across all workstations and servers.
  • Implement Windows Update Service (WUS) and/or other patch management tools to monitor and update security patches across all workstations and servers.

7.7 Monitoring, Updating, and Testing the Plan

The Facility Security Plan requires periodic testing, monitoring, and evaluation, which will result in updates and enhancements to the plan. This process is of particular importance, as policies and technology change quickly. At a minimum, the Facility Security Plan will be evaluated and updated annually.

8.0 Contacts and Technical Experts

College of Public Health Office of Information Technology (384-3838)
cph-support@uiowa.edu