Images for the Office of the Provost - Harvard University

5.1 Physical Environment

Policy

Whether in Harvard offices or at off-site locations, all confidential information in paper or magnetic media form must be properly protected. Computers containing confidential information must be physically secure.

Physical access to any facility that is sensitive for any reason should be appropriately secure.

Discussion

Confidential paper records should be kept in locked file cabinets except when actually being used. FAX machines used to receive confidential information should be in locked protected areas. A locked room should not be considered a secure location if the room is cleaned at night by a janitorial crew.

Computers that contain confidential information should be located in computer facilities where the access is controlled and monitored or, in rare cases, secured in locked cages in other locations.

Physical access to any facility that is sensitive or contains sensitive information should be protected by appropriate means of control. Example access controls may include smart card swipes, PIN key pads, locked doors, RFID tokens, and guards who check picture IDs.

The aim in these cases is to prevent the confidential information or the system containing the confidential information from being stolen.

Creating a log of the people who access secure locations is a good idea and can be a deterrent to bad behavior as long as the people know that the logs are being created. (See Section 5.2: Recording Information About the Activities of Individuals.)

Best Practices

A separate set of detailed best practices specific to physical access control systems (C-CURE) is available. Access to this information is restricted via HUID/PIN registration, and approval must be sought from the site administrator.

Site is http://isites.harvard.edu/k49729

Sections of relevance: 1) C-CURE Physical Access Control Systems: IT Best Practices and 2) Facilities IP based systems: IT security considerations, best practices and resources
