Information Technologies Security Program

Physical Security

Physical Security refers to those practices, technologies and/or services used to ensure that physical security safeguards are applied. Physical security safeguards take into account:

  • the physical facility housing the information resources,
  • the general operating location, and
  • the support facilities that underpin the operation of the information systems.

Appropriate physical safeguards need to be established based on risks related to geographic location, including natural threats (such as flooding), man-made threats (such as burglary or civil disorders), and threats from nearby activities (such as toxic chemical processing or electromagnetic interference). Physical safeguards also need to ensure that the appropriate levels of supporting infrastructure, such as electric power, heating, and air-conditioning, are sustainable as required by the information resources.

Physical access controls may be used to restrict and monitor the entry and exit of personnel to/from a room, a data center, or a building. Physical access controls may range from badges and locks to biometric devices and vibration detectors. Physical access controls need to be considered for those areas containing system hardware, as well as for those areas that house network wiring, electric power, backup media, source documents, etc.

Physical security safeguards provide a first line of defense for information resources against physical damage, physical theft, unauthorized disclosure of information, loss of control over system integrity, and interruption to computer services.

[Adapted from materials provided by the Virginia Alliance for Secure Computing and Networking (VA SCAN; see http://www.vascan.org)]

University Standards for Physical Security

  • Mission critical system facilities must be located in a secure location that is locked and restricted to authorized personnel only.
  • Access to critical computer hardware, wiring, displays and networks must be controlled by rules of least privilege.
  • System configurations (i.e., hardware, wiring, displays, networks) of critical systems must be documented. Installations and changes to those physical configurations must be governed by a formal change management process.
  • A system of monitoring and auditing physical access to critical computer hardware, wiring, displays and networks must be implemented (e.g. badges, cameras, access logs).