PE-2 Physical Access Authorizations

Description

This Control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors.

Authorization credentials include, for example, badges, identification cards, and smart cards.

Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures.

This Control only applies to areas within facilities that have not been designated as publicly accessible.

Applicability

This Control applies to facilities that house information systems (e.g., data centers, server rooms or closets) considered mission critical and which require a higher level of security due to the nature of one of the following:

  1. type of equipment
  2. type of data the equipment stores

University Unit Heads or their designees (e.g., Facility Coordinators, Area Proctors) have the responsibility for keeping an updated list of individuals with authorized access to information resource facilities.

Implementation

Director of Infrastructure or his or her designated representative(s) shall develop and keep current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and issues appropriate authorization credentials:

  1. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
  2. Issues authorization credentials for facility access;
  3. Reviews the access list detailing authorized facility access by individuals quarterly; and
  4. Removes individuals from the facility access list when access is no longer required, within 24 hours for facilities containing information classified as restricted or confidential data and within 5 business days for other facilities containing information resources.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019

Chief Information Security and Privacy Officer

Submit a Ticket

News

See All News

Events

See All Events