Physical security controls are implemented to protect system resources from unauthorized access and disruption. Your policy and procedures should include defined controls on the following system resources and personnel:

  1. Computer Operations Areas. You should inventory and define all areas that house computer operations, including data centers, server rooms, wiring closets, power sources, storage, backup files, etc. The policy should state the persons or groups of persons who are entitled to access these areas and restrict access to all others. Access restriction can be accomplished by locks and keys, access control cards, entrance and exit guards, etc. The policy should also require access restriction signs on these areas and a log of all persons granted access.
  2. Facility Access During Disaster or Emergency. Your contingency and emergency access plans should include guidelines on persons entitled to access the building or computer operations areas to restore operations and lost data. This policy should restate those guidelines.
  3. Electronic Protected Health Information. Your minimum necessary and general workforce obligation policies should contain specific guidelines and restrictions on who can access what protected health information, including electronic protected health information, and for what purposes.
  4. Maintenance and Operations. Your policy should include procedures for providing supervision or authorization for maintenance and operations personnel to access both electronic data and physical operations areas. The policy should require physical supervision, at least for nonworkforce vendors and maintenance persons, and procedures for granting, monitoring, and removing temporary access passwords to the system.
  5. Portable Computers. Your policy should include procedures for checking out portable computers, if used, and for storing this equipment when not in use. You should also consider whether electronic protected health information should ever be transferred to or stored on portable computers.