Sec. 1 Purpose
This Policy sets the objectives for Physical and Environmental Security and the corresponding UTS 165.3.1 Physical and Environmental Security Standard (UT Credential Required) requirements, which are located within the UTS 165 Standards SharePoint site* (UT Credential Required).
Sec. 2 Scope
This Policy contains the objectives for configuring and enforcing the appropriate protections to secure and maintain IT facilities, protecting critical assets, system components, other devices, data, and the IT facilities themselves from a variety of threats, including but not limited to security threats, physical and environmental disasters or disruptions, and user- and third-party-related security threats that could impact UT System infrastructure.
Refer to the UTS 165 Definitions (UT Credential Required) for the definitions of the italicized terms used in this Policy.
Sec. 3 Authority
The System Administration and Institutional roles that have the authority to implement, enforce, and support the Objectives in this Policy are set forth in the UTS 165 parent policy.
Sec. 4 Policy Objectives
4.1 Physical and Environmental Security Objectives
4.1.1 Physical Security Perimeters & Protections:
Physical security perimeters and required physical security controls must be defined and implemented for all IT facilities that contain assets, telecommunication systems, data, supporting electrical and mechanical infrastructure, and / or users, to prevent unauthorized access to, damage to, or interference with UT Institution data and to protect the safety of users. As part of this, building access points for users, vendors, and visitors must be defined, along with physical security protections at the perimeter of and within IT facilities, based on the presence of assets, data, users, vendors, or visitors.
Compliance References:
NIST 800-53: PE-02, PE-03, PE-20
TAC202: N/A
DIR: PE-2, PE-3
Supporting Documents:
UTS 165.3.1 Physical & Environmental Security Standard (UT Credential Required)
4.1.2 Physical Access Provisioning, Review, & Removal:
Processes must be defined and implemented to authorize and provision physical access privileges to IT facilities, issue physical access credentials, review physical access privileges, and remove physical access privileges when no longer required.
Compliance References:
NIST 800-53: PE-02, PE-03
TAC202: N/A
DIR: PE-2, PE-3
Supporting Documents:
UTS 165.3.1 Physical & Environmental Security Standard (UT Credential Required)
4.1.3 Physical Security Monitoring:
Methods to continuously monitor UT Institution IT facilities, including physical access points external and internal to the IT facility, must be defined and implemented to detect unauthorized physical access and respond accordingly.
Compliance References:
NIST 800-53: PE-03, PE-06, PE-13, PE-16
TAC202: N/A
DIR: PE-3, PE-6, PE-13, PE-16
Supporting Documents:
UTS 165.3.1 Physical & Environmental Security Standard (UT Credential Required)
4.1.4 Visitor Control:
Requirements and procedures for visitor physical access to UT Institution IT facilities must be defined and implemented to control and monitor visitor access.
Compliance References:
NIST 800-53: PE-08, PE-08(03)
TAC202: N/A
DIR: PE-8
Supporting Documents:
UTS 165.3.1 Physical & Environmental Security Standard (UT Credential Required)
4.1.5 Protecting Against Physical & Environmental Threats:
Design and maintenance requirements for UT Institution IT facilities must be defined and implemented to protect against physical and environmental threats, such as natural disasters, theft, intrusion, attacks, accidents, and other intentional or unintentional physical threats, that could lead to adverse security outcomes affecting the confidentiality, integrity, and / or availability of telecommunications, equipment, and other mechanical and electrical components that support critical business operations.
Compliance References:
NIST 800-53: PE-13, PE-14, PE-17
TAC202: N/A
DIR: PE-13, PE-14, PE-17
Supporting Documents:
UTS 165.3.1 Physical & Environmental Security Standard (UT Credential Required)
4.1.6 Supporting Utilities:
Controls to protect IT facilities and equipment from disruptions in supporting utilities that affect confidentiality, integrity, and / or availability must be defined and implemented to prevent loss, damage, or compromise of UT Institution assets and data, or interruption of critical business operations.
Compliance References:
NIST 800-53: PE-12, PE-13, PE-13(01), PE-15
TAC202: N/A
DIR: PE-12, PE-13, PE-15
Supporting Documents:
UTS 165.3.1 Physical & Environmental Security Standard (UT Credential Required)
Sec. 5 Compliance and Enforcement
UTS 165 was developed with consideration of and alignment to applicable laws and regulations, including the Texas Administrative Code Chapter 202 Subchapter C, the Texas Department of Information Resources (DIR) Security Controls Catalog, NIST 800-53 Revision 5.1.1 Security and Privacy Controls for Information Systems and Organizations, and other Privacy regulatory obligations and frameworks. Further, the objectives and requirements established in UTS 165 reflect industry best practices and internal systemwide business goals.
It is the collaborative responsibility of the roles outlined in the Authority section of this Policy to enforce these UTS 165 objectives and ensure compliance with the corresponding UTS 165 Standard requirements.
Compliance with UTS 165 Policies and Standards is mandatory unless otherwise contractually documented and agreed, or an exception to a Standard requirement is granted. In the limited and unlikely circumstance that compliance with a requirement in UTS 165 cannot be met and no feasible remediation exists, an exception to an otherwise required security control may be granted by the Institutional Information Security Officer (ISO) as authorized by applicable law and UT System and Institution Policy. Users must submit an exception request to their ISO, who evaluates the exception request, assesses the potential risks associated with non-compliance, and determines the feasibility of granting an exception. Exceptions must be based on an assessment of business requirements weighed against the likelihood of an unauthorized exposure and the potential adverse consequences for users, other organizations, or the Institution were an exposure to occur. If an exception is granted by the ISO, compensating controls may be implemented to offset the risk of the exception. All approved exceptions must be documented at the Institution level to maintain an exception log, and Institutions must develop and document their own exception-related processes in accordance with this Policy. Note that exceptions will not be granted to requirements contained in UTS 165.1.6 Acceptable Use Standard.
Violations of UTS 165 may lead to disciplinary action, up to and including involuntary separation from employment.
*Note: If you have accessed any of UT System’s resources in Office 365, you will already have access to this site. You can self-register for UT System guest access by sending a blank email from your UT institutional email address to utguest@utsystem.edu. After 15 minutes, your guest account will automatically be created and you will be able to access the UT Systemwide Contracts site with your UT institutional ID.