Determine Physical Security Needs

Begin physically securing your IT resources by determining the type of physical environment the resources are in and the classification level of the data they contain. Common types of physical environment at U-M are listed below in descending order from greatest need for physical security to least. Each description includes some examples of regulated data that may be stored in that type of environment. Even environments with the lowest physical security needs requires some basic controls.

Once you have determined the physical security requirements based on the classification(s) of data stored in that location, continue to Step 2: Assess current physical risks.

Data Centers

Data centers and network/telecommunications rooms or closets house networked servers for file storage, application hosting, data processing, and other primary computing functions, and/or equipment that provides network connectivity and security. Data centers store data at all classification levels from Restricted to Low.

U-M data centers are required to have specific requirements for granting access. Prior to being granted access to any data center, individuals must agree to the terms and conditions of the Data Center Access and Security Agreement or its equivalent.

It is important to assess what physical security controls are needed for locally-maintained server and machine rooms or closets, as well as for servers located in offices or labs. Consider whether to migrate such servers to one of the virtual server environments or cloud-based service providers offered by Information and Technology Services (ITS) for improved physical security.

Research Environments

Research environments store data that may be classified as  Restricted (for example, FISMA), High (for example, protected health information, export controlled research, sensitive indentifiable human subject research), or Moderate, as well as possibly data classified as Low. Different research environments may dictate unique security procedures and controls be put into place depending on the complexity of the location and its use. Research environments could include spaces for an individual, such as a faculty office, shared office space, computers in shared research spaces such as laboratories and clinical facilities, or workstations in public computing locations.

Clinical Environments

Clinical environments store data classified as High (for example, Protected Health Information), and possibly other classifications and types of data. Physical security controls in clinical facilities must limit physical access to electronic information systems containing protected health information (HIPAA).

Administrative Offices

Administrative offices store data that may be classified as Restricted (for example, PCI), High (for example, Social Security numbers, student loan application information),  Moderate (for example, FERPA), or Low. Although fewer controls may apply than in the environments above, it is still important to take steps to ensure that these environments are physically secure. Physical Security (DS-17) calls for individual facilities to develop and adopt specific procedures and processes to effectively carry out the controls enumerated in the Minimum Information Security Requirements section on physical security for the classification(s) of data the environment contains or processes, as well as to comply with any contractual or regulatory requirements.