Device Physical Security Guideline

On This Page

UC Berkeley security policy mandates the compliance against Minimum Security Standard for Electronic Information for devices handling covered data.  The recommendations below are provided as optional guidance to assist with achieving the Device Physical Security requirement.

Requirements

Resource Custodians must secure covered devices from unauthorized physical access.

  • Access must be restricted to those that need to maintain the covered devices and/or media.
  • Restricted areas must be clearly marked for authorized personnel only.
  • Restricted areas must be secured by locked doors.
  • Access to the restricted areas must produce a physical or electronic audit trail.

Description of Risk

Attackers with physical access to covered devices can access data without authorization.

Recommendations

Physical security must be in place to control physical access to restricted areas and facilities containing covered devices. Covered devices such as server hardware, desktop computers and storage media should be locked behind cabinets or tied down to physical restraints that prevent unauthorized removal from restricted area.  Access to areas containing covered device should be granted to personnel with a need-to-know based on job function.  

Restricted areas should display signs to give clear indication that access is for authorized personnel only. Facilities containing covered device should give minimum indication of their purpose, with no obvious signs identifying the presence of covered data or related functions.  

Physical access control devices such as key card reader, doors and cabinet locks, should be tested prior to use and on a periodic basis (e.g. annually).  Resource proprietors and custodians should produce physical or electronic audit trails to record all personnel's physical access to restricted area for the purpose of security incident investigation. Inventory of who has access to physical access control devices should be regularly reviewed and any inappropriate access identified during the review should be removed promptly. 

Additional guidance on preventing physical theft of computer equipment, including laptops commonly used for individual or privileged access devices, can be found in the article Preventing laptop theft.