Carnegie Mellon University

Guidelines for Data Protection - Physical Security

The following table defines baseline physical security controls for protecting Institutional Data.

Physical Access Control

ID Control Public Private Restricted
PS-1 Physical access to Institutional Data and/or Information Systems is authorized by an appropriate Data Steward or a delegate prior to provisioning * Required Required Required
PS-2 Physical access to information systems that store, process or transmit Institutional Data is secured in a manner that prevents unauthorized access Recommended Recommended Required
PS-3 Physical access to Institutional Data in written or paper form is secured in a manner that prevents unauthorized access * Optional Recommended Required

Datacenter Security

ID Control Public Private Restricted
PS-4 Procedures for obtaining physical access to datacenter facilities are formally documented and followed Required Required Required
PS-5 Physical access to datacenter facilities is logged and monitored Required Required Required
PS-6 Physical access to datacenter facilities is reviewed and reauthorized by a Data Steward or delegate on a periodic basis Required Required Required
PS-7 Physical access to datacenter facilities is promptly revoked when it is no longer necessary to perform authorized job responsibilities Required Required Required

Supplemental Guidance

PS-1: In addition to authorizing access to users of Institutional Data and/or Information Systems, physical access of janitorial, maintenance, police and delivery/courier personnel should also be authorized by an appropriate Data Steward or delegate.

PS-3: Institutional Data in printed or written form includes, but is not limited to, hard copies of electronic documents, hand written documents or notes and writing on a whiteboard. Physical access to workspaces, printers, fax machines and trash receptacles should all be taken into consideration. Common techniques for securing physical access include storing data in a locked office or a locked filing cabinet, installing whiteboards in a manner that obscures visual inspection from outside an office or laboratory and shredding documents prior to disposal. In certain situations, it may also be appropriate to procure dedicated printers and fax machines for processing sensitive data.