G-27-0 Secure Space Access Policy
Employees Requesting Access
Internal Employees: The following college employees may be allowed access to Secure Spaces: Campus Services, Campus Security, and ITS Staff.
External Employees: Any non-college employee will need to fill out and sign the Vendor Access Request form (end of this document) to be granted access to secure spaces. Access will be provided by any authorized staff member of the internal employee groups listed above. Vendor Access Requests need to be made 48 hours in advance. The form will be returned to the Information Security Administrator (ISA) within ITS. The ISA may be required to notify Campus Security of the request.
This policy is a recommendation for dealing with access to secured physical areas housing computers, network devices and other critical infrastructure computing components that support current services. Too often physical security is overlooked by operational staff as an afterthought; physical security and compliance with guidelines can be costly and yield low benefit to all but the site's operational staff. Likewise, procedures can be difficult to follow and maintain as new technologies are deployed at the site. The implementation of any policy or guideline requires a methodical set of procedures to be developed for assisting all those affected.
Access Authorization Requests
A central point of contact should be assigned for each secure space. These contacts should be delegated by the responsible director or manager claiming responsibility for the physical area, and maintenance thereof.
An individual requiring physical access to a restricted area should fill out the Vendor Access Request form for access to the physical location; these forms may be specific to an area, depending on its requirements. A completed form should be sent to the appropriate contact(s) for the area.
Secure Space List
The following spaces are considered to be Secure Spaces or restricted areas and will require access with a fob, a key, or in the case of external employees, the completion of a Vendor Access Request Form, along with accompanied access by a member of the Internal Employees group in the first section.
Barber Library: 119 - Electrical
Boyle Education Center: Outside SW Corner. Enter room through door that is straight ahead. Head left - first door on the right is MDF. 2nd door on the right (with Chemetron sign) contains BEC switches.
CCB: 119 (Fire Riser/Boiler Room/Maintenance) > 119C Electrical/MDF (shared custodial space)
Chandler: 111 - padlocked with no FOB currently
DesChutes: Janitor's closet across from Classroom 3; Men's bathroom behind door
Grandview: 103 Wiring Closet - bottom of stairs across from men's room
Health Careers: 220
Jefferson: 110 - inside Tony Russell's Office
Juniper: Mechanical Room adjacent to private residence contains intermediary switch (in far back right corner). North switch is in closet between N207 and N208. South switch is in storage closet between S107 and S108.
Mazama: 107 Mechanical Room
Modoc: Outside on the west side inside the electrical room
Newberry: Back of the bookstore - east side - in the boiler room
Ochoco: 115 - Custodian Closet; 231A - Custodian Closet
Ochoco Annex: Outside north side
OSU-Cascades: 111 - 111a Telecom; 244 Telecommunications Room
Pence: 113 Workroom - Up the stairs from 105 next to wheelchair lift
Pioneer: Data Center - 105; 231; Space outside on the west side - inside Boiler Room
Ponderosa: Boiler Mechanical Room next to Office 120 (light switch is outside room in hallway)
Building One: Rooms 126 > 127
Technology Center: Room 205
Redmond Technology Education Center: Room 205; AV Closet room 115B
Reservation of Access Rights
Each responsible entity for a secure space should include a disclaimer that access to the secured area may be revoked temporarily or permanently for any reason, at any time. These guidelines should be included in the necessary access forms for the area and agreed to by each person requesting access to the secured areas.
Emergency access to a secured site should not be permitted. Each resource should have primary and secondary authorized personnel "on call", ready to respond to a situation at all times. Proper cross-training and contact information should be developed so that the need for emergency access is eliminated completely.
Guidelines for Use
Each access to a secure space should be made in compliance with the following guidelines in order to increase the longevity of systems. While other specific guidelines may be required for a specific site requirement, these general guidelines should also be applied retroactively to existing installations.
- Access to all secured areas should require the use of an authorized fob or key. Where possible, all entries into the secured areas should be recorded and reviewed by the responsible parties for the area. All access should be logged, even when a group of persons enters the area.
- Fobs or keys should not be shared between authorized and unauthorized persons.
- A separate log should be kept for "sign-in" to the area. This logbook should record a name, employee identification number, time in, time out, and signature.
- Vendors, or those wishing to access the data center for a specific task, must be accompanied by an authorized person at all times.
- The secured area should only be accessed to meet a business requirement. When such a requirement is complete, leave the area. Do Not Loiter.
- A resource in use (computer, monitor, keyboard, network cable, power cable, cabinet, floorboard, etc.) should be moved only by the person directly responsible for that resource.
- Food, drink or other fluids must not be introduced to the secured areas. These items promote deterioration of computing hardware through moisture.
Physical Security Measures
The physical security measures implemented at each secured site will greatly assist in compliance with this policy. Monitoring devices and access control devices should record each entry into the secured area, both authorized and unauthorized. A log of entries should be archived for a period of two (2) years. If the site is monitored with video or audio devices, this data should also be archived.