Status: TDX Submitted Draft (Updated)
Last Revision Date: 21 September 2023
Statement of Purpose
Clackamas Community College’s mission often requires granting physical access to Electronic Information Resources owned and operated by the college to public individuals and entities. This introduces additional security risks. The following policy ensures that physical access to Electronic Information Resources is managed effectively and that associated risks are minimized to a level tolerable to the Leadership Cabinet.
Definitions
For the purposes of this policy, the following terms are defined:
- Public Spaces: Areas of the campus open to students and the general public, such as external spaces, building lobbies, open computer labs, meeting/conference rooms, and auditoriums.
- Classroom Spaces: Areas designated for instructional purposes, open to the public only during scheduled class sessions and monitored by an instructor.
- Private Spaces: Employee workspaces restricted from general public access, including single-occupant offices, shared offices, workrooms, and employee break rooms.
- Restricted Spaces: Areas with restricted access limited to individuals required for assigned work responsibilities, such as network closets, server rooms, and data centers.
- Electronic Information Resources: Physical technology or mediums that provide display, computational, network access, data transmission, and/or signaling capabilities (e.g., televisions, personal computers, digital signage, wireless access points, network cabling, servers, firewalls, routers, switches, and hubs).
- External Locations: Third-party hosted spaces leased or provided to Clackamas Community College.
- Physical Security Steward: Individuals responsible for monitoring physical equipment access and utilization, reporting abnormalities, and adhering to documented security controls.
Policy Summary
Security controls shall be implemented for all Electronic Information Resources based on their intended purpose, level of exposure to physical access, and assessed risk.
Policy
1. Mobile and Portable Technology Resources
- Mobile and portable technology resources must adhere to both the Clackamas Community College Mobile Device Policy and this policy when located on college premises.
- Technology resource classification is based on primary usage:
2. Security Controls by Physical Location
A. Public Spaces – Resources Intended for Public Access
- Examples: Kiosk computers, open computer labs, public wireless networks, guest printers, payment terminals.
- Shall be permitted only to the extent necessary to support college missions.
- Shall not store or process sensitive data.
- Public-use computers must have documented controls to protect personal data confidentiality and integrity.
- Must have an appointed steward responsible for:
- A documented security control plan must:
  - Identify the responsible steward.
  - Justify the placement of public technology resources.
  - Define security controls and incident response procedures.
- Communication traffic must be logically segregated and monitored.
- Public access accounts must have minimal privileges and restricted authentication scope.
- Application whitelisting must be implemented where possible.
B. Public Spaces – Resources Not Intended for Public Access
- Examples: Wireless access points, network ports, digital signage.
- Approved controls must restrict public interaction.
- A designated steward must ensure the enforcement of security controls.
- Communication traffic must be logically segregated and encrypted.
- Logical configuration access must be secured with strong authentication, including MFA.
C. Classroom Spaces
- Examples: Lab computers, projectors, podium computers.
- Shared-credential systems must follow public access provisions.
- Individual account systems must:
  - Have an appointed steward responsible for security monitoring.
  - Prevent permanent storage of sensitive data.
  - Minimize account permissions to required instructional functions.
- Communication traffic must be segregated and encrypted.
- Guest/presenter network access must be isolated from secure college networks.
- Logical configuration access must be secured with MFA.
D. Private Spaces
- Examples: Employee-assigned personal computers, staff printers, network jacks.
- Access is limited to assigned users, designated workspace personnel, and maintenance staff.
- Controls must prevent general public access.
- Equipment must be physically secured when not in use.
- Account timeout policies must be enforced.
- Guest or visitor access must be supervised at all times.
E. Restricted Spaces
- Examples: Data centers, server rooms, wiring closets.
- Dedicated restricted spaces should be included in new construction and renovations.
- Each restricted space must have:
  - A documented inventory of installed Electronic Information Resources.
  - A list of authorized personnel.
  - An access control plan approved by the college’s security team.
  - Routine audits of access and security measures.
- Restricted spaces must be clearly marked.
- Equipment removal must be approved by ITS Leadership or the Data Owner.
- Sensitive data must be purged or destroyed before relocation.
Exemptions
External locations will be exempt if they implement security standards equivalent to or exceeding those specified in this policy.
Exceptions
Exceptions to this policy require prior written approval from the Chief Information Officer (CIO).