COLORADO COMMUNITY COLLEGE SYSTEM
SYSTEM PROCEDURE

Physical Security and Access Procedure


SP 6-10r

APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021

REFERENCES:

Board Policy (BP) 6-10, Cyber Security Policy
System Procedure (SP) 6-10h, Clear Desk Procedure

APPROVED:

/ Joe Garcia /
Joseph A. Garcia
Chancellor

Basis

This procedure documents Colorado Community College System and its Colleges’ (“CCCS”) position on Cyber Security requirements to:

  • Prevent unauthorized access to CCCS premises, Information Systems, and Assets;
  • Protect against damage or theft of CCCS facilities and equipment;
  • Protect against compromise or theft of information (whether physical or digital).

Application

This procedure applies to employees, personnel affiliated via third party contracts, and volunteers who have access to Information Systems and Assets that are owned or leased by CCCS.

Procedure

The System Chancellor delegates to the System Vice Chancellor for Information Technology (“IT”) responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.

Facility Security
CCCS IT equipment shall be installed in suitably protected areas with minimum indication of their purpose, with no obvious signs, outside or inside the building identifying the presence of information processing activities. The following controls shall be implemented:

  • Entrances and windows of CCCS facilities where IT equipment resides shall be locked when unattended and protected during non-business hours by security cameras and/or electronic security systems.
  • Physical access controls such as locks, keys and swipe cards ensuring the protection and safety of CCCS staff, resources, and property, are to comply with health and safety regulations.
  • Private office doors, desk drawers, personal computers, peripherals, and related equipment containing Sensitive or Restricted information shall be locked, logged out of or shut down when not in use.
  • Employees shall follow Clear Desk Procedures that ensure Restricted and Sensitive physical and electronic information is protected.
  • Hazardous or combustible materials shall be stored securely at a safe distance from secure areas.
  • Onsite IT servers and networking and telecommunications devices shall be located in secure environments to restrict unauthorized access and use.
    • Server access shall be restricted to administrators and authorized third parties who must be escorted by an administrator.
    • Servers and network components shall be protected in locked cabinets inside the technology storage room, in order to safeguard their components from access by visitors, service contractors, and employees not authorized to access the components.
    • Server cabinets will only be opened by authorized persons for maintenance procedures or updating.

Physical Access Controls

  • System IT Department (“System IT”) or the College IT Department (“College IT”) premises where Information Assets reside (server room or data center) shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
  • Access to areas where Information Assets reside shall only be granted after appropriate approvals are received.
  • CCCS employees shall use an access card, physical key or other secure method to gain entry to the facilities where System IT and College IT assets reside.
  • Employees shall immediately report lost cards or keys to their immediate supervisor and the appropriate facility manager. Upon separation from employment, employees must return their key card or physical key to the human resources or facilities department prior to leaving on the last day of work.
  • Entry logs to the facility where IT assets reside and to restricted areas within the facility shall be securely maintained and reviewed on a regular basis.
  • Visitor access to facilities or areas where IT assets reside shall be logged, controlled and monitored.
  • Visitors to facilities or areas where IT assets reside shall be escorted in restricted areas.

Revising this Procedure

CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.