APPENDIX TO POLICY
Device Physical Security Standard
Physical security of the devices must be managed to maintain confidentiality, integrity and availability of University IT resources.
Physical Security for Devices
The following table defines baseline security controls for physical security of devices.
|DPS.A.01||Log off devices not in use for extended periods (e.g., at night and on weekends)||Required||Required||Optional|
|DPS.A.02||Secure laptops, card swipe devices (e.g., an anchoring device at the primary work location)||Required||Recommended||Optional|
|DPS.A.03||Secure laptops, tablets, POS devices and other equipment when not in use (e.g., secure cabinet or safe)||Recommended 1||Recommended||Optional|
|DPS.A.04||Secure laptops, tablets, mobile devices, and removable media when traveling (e.g., keep in your possession or locked in a secure location)||Recommended 1||Recommended||Optional|
|DPS.A.05||Position device display or monitor to limit viewing of private-highly restricted or private-restricted data||Required||Recommended||Recommended|
|DPS.A.06||Use tamper resistant label on devices in storage||Optional 1||Optional||Optional|
|DPS.A.07||Maintain a log that tracks placement or assignment of devices||Optional 1||Optional||Optional|
|DPS.A.08||Maintain a log of who has access to the secure storage location (e.g., locked closet)||Optional 1||Optional||Optional|
|DPS.A.09||Periodically review and assess the physical security controls for devices (suggested: annual)||Optional 1||Optional||Optional|
1 This is required for systems in scope for credit card processing environment per PCI-DSS. This includes systems that support or store, process or transmit cardholder data.
This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted .
This applies to University community members who need to provide physical security for University devices or who use devices.
More information on Device Physical Security
- November 2014