The following table defines baseline physical security controls for protecting Institutional Data.
Physical Access Control
|PS-1||Physical access to Institutional Data and/or Information Systems is authorized by an appropriate Data Steward or a delegate prior to provisioning *||Required||Required||Required|
|PS-2||Physical access to information systems that store, process or transmit Institutional Data is secured in a manner that prevents unauthorized access||Recommended||Recommended||Required|
|PS-3||Physical access to Institutional Data in written or paper form is secured in a manner that prevents unauthorized access *||Optional||Recommended||Required|
|PS-4||Procedures for obtaining physical access to datacenter facilities are formally documented and followed||Required||Required||Required|
|PS-5||Physical access to datacenter facilities is logged and monitored||Required||Required||Required|
|PS-6||Physical access to datacenter facilities is reviewed and reauthorized by a Data Steward or delegate on a periodic basis||Required||Required||Required|
|PS-7||Physical access to datacenter facilities is promptly revoked when it is no longer necessary to perform authorized job responsibilities||Required||Required||Required|
PS-1: In addition to authorizing access to users of Institutional Data and/or Information Systems, physical access of janitorial, maintenance, police and delivery/courier personnel should also be authorized by an appropriate Data Steward or delegate.
PS-3: Institutional Data in printed or written form includes, but is not limited to, hard copies of electronic documents, hand written documents or notes and writing on a whiteboard. Physical access to workspaces, printers, fax machines and trash receptacles should all be taken into consideration. Common techniques for securing physical access include storing data in a locked office or a locked filing cabinet, installing whiteboards in a manner that obscures visual inspection from outside an office or laboratory and shredding documents prior to disposal. In certain situations, it may also be appropriate to procure dedicated printers and fax machines for processing sensitive data.