PE-1: Physical and Environmental Protection – Policy and Procedures
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 07/24/2024
Purpose –
Tarleton State University (Tarleton) information resource facilities include data centers and server rooms. The Physical and Environmental Protection Policy and associated controls describe the requirements for managing risks associated with physical access to these facilities.
Scope and Roles –
This policy applies to information resources owned or managed by Tarleton. The intended audience includes the Tarleton Chief Information Officer (CIO), Chief Information Security Officer (CISO), and information resource owners and custodians.
Compliance –
Physical and Environmental Protection controls are implemented to ensure compliance with the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by Title 1 Texas Administrative Code §202.76 and Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security.
Implementation –
- Information resource owners and custodians, in coordination with the Tarleton CISO, shall develop, document, and disseminate a policy and set of controls that addresses the Physical and Environmental Protection Policy for information resources under their control. These controls and policy should:
- Address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
- Information resource owners and custodians are responsible for any procedures to facilitate the implementation of the Physical and Environmental Protection Policy and associated controls in order to ensure the proper physical and environmental protection of Tarleton information resource facilities;
- The CISO, or their designee, shall review and update the Physical and Environmental Protection Policy and associated controls as necessary;