Policy for physical and environmental security (A.11)

Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. (A.11.1.1)

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. (A.11.1.2)

Individual management teams must ensure that security perimeters are established in accordance with a risk assessment of the information assets contained within the perimeter.

As a general rule, areas at the university should be secured in collaboration with Estates Projects and Development and always in accordance with their current requirements, for example regarding theft prevention, perimeter security and surveillance.

Units responsible for secure areas (e.g. server rooms or main cross connects) must ensure that the following requirements are complied with:

• Only authorised members of staff have access to secure areas and any external visitors must always be supervised by authorised staff.
• Access to secure areas must be monitored by an access log. Units responsible for local main cross connects and other technical rooms must ensure that these areas are locked.

People affiliated with Aarhus University are responsible for their guests while they are on campus and for managing any necessary access controls.

Physical security for offices, rooms and facilities shall be designed and applied. (A.11.1.3)

Estates Projects and Development sets the guidelines for the physical security of all the university's offices, rooms and facilities. The unit management team is responsible for supplementing these guidelines in accordance with the current risk assessment and for establishing any further measures required.

Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. (A.11.1.4)

AU Estates Projects and Development sets a common level for the university’s physical protection against acute situations. Unit management teams are further responsible for ensuring that their areas are safeguarded in accordance with relevant risk assessments.

Procedures for working in secure areas shall be designed and applied. (A.11.1.5)

Access points such as delivery and loading areas and other points where unauthorised persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access. (A.11.1.6)

In accordance with the current risk assessment, information about secure areas and their function must only be made available to people affiliated with Aarhus University in connection with a work-related need and to any another party with authorisation from the unit responsible for the area.

The unit management team is also responsible for any external parties that carry out work in the unit’s secure area in accordance the current risk assessment. The unit management team is also responsible for establishing surveillance and monitoring of critical laboratory facilities or server rooms.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: The measures apply to secure areas administered by Aarhus University, including the AU data centres in Stilling and Søsterhøj as well as wiring rooms. Re. A. 11.1.1 Perimeter security: Estates Facilities at Aarhus University provides access control with electronic locks and locking systems fitted to outer doors and with the option of locks on inner doors.  Re. A.11.1.2 Secure areas: Aarhus University provides a number of secure areas. These secure areas are locked and access is only permitted for work-related purposes (with permission from the management at AU IT or with supervised access with a trusted employee from AU IT).   The unit management is responsible for defining the need for securing/establishing secure areas, and for assessing how requirements for secure areas should be met in collaboration with the Estates Facilities for the relevant faculty. Re. A. 11.1.3 Security of offices, etc.:  In many cases, the security of offices is planned and established centrally through the design of the buildings. Re. A. 11.1.4 Protection against environmental incidents: Server rooms, main wiring rooms and similar areas administered by AU IT are protected against environmental incidents such as fire, flooding, explosion, power failure and similar. Server rooms are secured with appropriately dimensioned fire-alarms and firefighting equipment. Procedures to ensure that hazardous or flammable materials are stored at an appropriate distance from secure areas.  Rooms with significant amounts of IT equipment are protected with cooling equipment.   Re. A. 11.1.5 Procedures for working in secure areas:  Secure areas administered by AU IT are subject to procedures for working in these areas. Re. A. 11.1.6 Areas for loading and unloading must be secured against unauthorised access: The central procurement procedures ensure this to a great extent, for example, IT-related procurement must take place through the IT webshop, where the loading and unloading areas will be secured in accordance with this requirement. This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.   If you have other needs based on your risk assessment, this must be ensured locally.

Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access. (A.11.2.1)

Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. (A.11.2.2)

Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. (A.11.2.3)

Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.11.2.4)

For the above four items, the responsible unit must maintain, position and protect equipment and cabling in server rooms and in main cross connects that are under its administration in accordance with relevant risk assessments. The physical and environmental security of equipment in the university's other information processing facilities is the responsibility of the relevant local management team.

Equipment, information or software shall not be taken off-site without prior authorization. (A.11.2.5)

Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. (A.11.2.6)

All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. (A.11.2.7)

Users shall ensure that unattended equipment has appropriate protection. (A.11.2.8)

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. (A.11.2.9)

People who use equipment that belongs to the university are required to comply with the university’s information security rules.

The unit responsible for the procurement and distribution of equipment is also responsible for compliance with relevant requirements, for example for mobile devices and remote workplaces in accordance with relevant risk assessments.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re A. 11.2.1 - A. 11.2.3 Protection of equipment: Equipment in the secure areas administered by AU IT is protected against unauthorised access, power failure and other disruption, and is protected against bugging, tapping, etc.  Re. A. 11.2.4 Maintenance of equipment: Correct maintenance of equipment administered by AU IT is ensured centrally  Re. A. 11.2.6 Security for assets outside the university: Central guidelines have been set up on how to manage information security when working remotely or while travelling. (currently being updated) Re. A. 11.2.7 Disposal: Central procedures have been set up on disposal or reuse of storage media from central level – otherwise this must be secured locally. Re. A. 11.2.8 Appropriate protection of equipment with no supervision: Equipment administered by AU is protected with a login password, encryption and a PIN code lock. Central guidelines have been set up for this, such as lock your computer (currently being updated). This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.   If you have other needs based on your risk assessment, this must be ensured locally. Besides any local needs, the following must be ensured at local level to comply with the requirements: Re. A. 11.2.5 Equipment and information: Equipment, information and software must not be taken away from the university without prior permission.  Re. A. 11.2.9 Cleared desks:  Rules for keeping desks clear must be managed locally.