Access to IT resources will be based upon demonstrated need and level of security clearance, if appropriate. Individuals shall be granted only the access authority and/or system privileges necessary to accomplish their assigned duties.
Adequate physical security measures must be provided for the protection of human resources, physical and logical assets and sensitive applications and data. Physical security measures must be selected and implemented in consideration of the sensitivity of the IT resources and their criticality to the supported functions. The physical security policies stated herein are intended to be complementary to the "DOC Physical Security Manual," DAO 207-1 and apply to the protection of IT resources.
For the purposes of these policies, controlled areas are those which encompass or allow access to potentially sensitive information resources, resources which are essential for the processing of sensitive data, or resources essential to accomplishment of organizational missions. These areas include, but are not limited to: any spaces housing computer equipment, including terminals, PCs and file servers; data storage libraries; input/output areas; data conversion areas; programmer areas and files; documentation libraries; communication equipment areas; computer maintenance areas; mechanical equipment areas; telephone closets; environmental controls and power systems; and supply storage areas. The physical security requirements of controlled areas will be determined by the results of a risk analysis and/or a DOC Office of Security physical security survey.
When automation or data communications equipment is located within user areas, the user management officials will assess the sensitivity of the data, automated resources and functions performed and, if warranted, designate the area as a controlled area.
The operational areas of major computer installations, including local area network file servers, will be designated restricted areas in which access will not be permitted unless specifically authorized or required for job performance.
Controlled and restricted areas will be protected by physical security and other means which are deemed appropriate for the sensitivity or criticality of the system as determined by the results of a risk analysis and as defined in the Sensitive System Security Plan for the system. At a minimum, access to controlled areas will be limited to those individuals having an official need to be in the area.
IT devices which are easily moved, have non-removable hard drives and are used for sensitive information will not be allowed outside of the controlled area. If the sensitive data remaining on the media has been completely erased or obliterated, the removal of these devices from the work area may be approved by the ITSO or ITSSO.
Contract maintenance personnel, and others not authorized unrestricted access but who are required to be in the controlled area, will be escorted by an authorized person at all times that they are within the controlled area.
Media used to record and store sensitive software or data will be externally identified, protected, controlled and secured when not in actual use.
Adequate environmental safeguards must be installed and implemented to protect IT system resources as deemed appropriate for the sensitivity or criticality of the system as determined by the results of a risk analysis and as defined in the Sensitive System Security Plan for the system. At a minimum, the following environmental safeguards must be considered: