Printed on: 08/20/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.

APPENDIX TO POLICY

Device Physical Security Standard

Objective

Physical security of the devices must be managed to maintain confidentiality, integrity and availability of University IT resources.

Security Controls

Physical Security for Devices

The following table defines baseline security controls for physical security of devices.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| DPS.A.01 | Log off devices not in use for extended periods (e.g., at night and on weekends) | Required | Required | Optional |
| DPS.A.02 | Secure laptops, card swipe devices (e.g., an anchoring device at the primary work location) | Required | Recommended | Optional |
| DPS.A.03 | Secure laptops, tablets, POS devices and other equipment when not in use (e.g., secure cabinet or safe) | Recommended ¹ | Recommended | Optional |
| DPS.A.04 | Secure laptops, tablets, mobile devices, and removable media when traveling (e.g., keep in your possession or locked in a secure location) | Recommended ¹ | Recommended | Optional |
| DPS.A.05 | Position device display or monitor to limit viewing of private-highly restricted or private-restricted data | Required | Recommended | Recommended |
| DPS.A.06 | Use tamper resistant label on devices in storage | Optional ¹ | Optional | Optional |
| DPS.A.07 | Maintain a log that tracks placement or assignment of devices | Optional ¹ | Optional | Optional |
| DPS.A.08 | Maintain a log of who has access to the secure storage location (e.g., locked closet) | Optional ¹ | Optional | Optional |
| DPS.A.09 | Periodically review and assess the physical security controls for devices (suggested: annual) | Optional ¹ | Optional | Optional |

¹ This is required for systems in scope for the credit card processing environment per PCI-DSS. This includes systems that support, store, process or transmit cardholder data.

Resources Covered

This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This applies to University community members who need to provide physical security for University devices or who use devices.

Related Information

More information on Device Physical Security

Published Date

  • November 2014
