The objectives of Aarhus University's policies and rules regarding physical and environmental security are:
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. (A.11.1.1)
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. (A.11.1.2)
Individual management teams must ensure that security perimeters are established in accordance with a risk assessment of the information assets contained within the perimeter.
As a general rule, areas at the university should be secured in collaboration with Estates Projects and Development and always in accordance with their current requirements, for example regarding theft prevention, perimeter security and surveillance.
Units responsible for secure areas (e.g. server rooms or main cross connects) must ensure that the following requirements are complied with:
People affiliated with Aarhus University are responsible for their guests while they are on campus and for managing any necessary access controls.
Physical security for offices, rooms and facilities shall be designed and applied. (A.11.1.3)
Estates Projects and Development sets the guidelines for the physical security of all the university's offices, rooms and facilities. The unit management team is responsible for supplementing these guidelines in accordance with the current risk assessment and for establishing any further measures required.
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. (A.11.1.4)
AU Estates Projects and Development sets a common level for the university’s physical protection against acute situations. Unit management teams are further responsible for ensuring that their areas are safeguarded in accordance with relevant risk assessments.
Procedures for working in secure areas shall be designed and applied. (A.11.1.5)
Access points such as delivery and loading areas and other points where unauthorised persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access. (A.11.1.6)
In accordance with the current risk assessment, information about secure areas and their function must only be made available to people affiliated with Aarhus University in connection with a work-related need and to any other party with authorisation from the unit responsible for the area.
The unit management team is also responsible for any external parties that carry out work in the unit’s secure area in accordance with the current risk assessment. The unit management team is also responsible for establishing surveillance and monitoring of critical laboratory facilities or server rooms.
A number of initiatives have been planned and established centrally in order to comply with the above requirements: The measures apply to secure areas administered by Aarhus University, including the AU data centres in Stilling and Søsterhøj as well as wiring rooms.
This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University. If you have other needs based on your risk assessment, this must be ensured locally.
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access. (A.11.2.1)
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. (A.11.2.2)
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. (A.11.2.3)
Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.11.2.4)
For the above four items, the responsible unit must maintain, position and protect equipment and cabling in server rooms and in main cross connects that are under its administration in accordance with relevant risk assessments. The physical and environmental security of equipment in the university's other information processing facilities is the responsibility of the relevant local management team.
Equipment, information or software shall not be taken off-site without prior authorization. (A.11.2.5)
Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. (A.11.2.6)
All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. (A.11.2.7)
Users shall ensure that unattended equipment has appropriate protection. (A.11.2.8)
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. (A.11.2.9)
People who use equipment that belongs to the university are required to comply with the university’s information security rules.
The unit responsible for the procurement and distribution of equipment is also responsible for compliance with relevant requirements, for example for mobile devices and remote workplaces in accordance with relevant risk assessments.
A number of initiatives have been planned and established centrally in order to comply with the above requirements:
This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University. If you have other needs based on your risk assessment, this must be ensured locally. Besides any local needs, the following must be ensured at local level to comply with the requirements:
QUESTION GUIDE
Consider the question guide as a tool to navigate the requirements of the policy:
Security of AU property including:
Secure areas at Aarhus University are defined as areas containing either sensitive or confidential information and information processing facilities. Such areas are found both centrally and locally.
Overview of systems established in the secure areas offered centrally by the university.