• Section 1 - Purpose / Objectives
• Section 2 - Scope / Application
• Section 3 - Definitions
• Section 4 - Policy Statement
• Section 5 - Procedures
• Roles/Responsibilities
• Procedures
• Section 6 - Guidelines

Section 1 - Purpose / Objectives

(1) This procedure specifies appropriate physical security measures to be used to protect computer systems, personnel, and data and communications systems located in secure locations. Access to such areas must be restricted to those who have an approved need to be there.

(2) All critical and sensitive information handling activities must take place in areas that are physically secured and protected against unauthorised access, interference, damage and to minimise equipment theft.

(3) Servers, routers, switches, PABX and related hardware, shall be located in a room with appropriate levels of access control. Monitoring of access and removal of equipment is a requirement, as other security controls (e.g. passwords) can be bypassed if physical security is not maintained.

Section 2 - Scope / Application

(4) The scope of this Procedure:

1. This procedure applies to all VU staff and visitors authorised to access Controlled Areas at VU.
2. This procedure specifies levels of access and monitoring to protect servers, routers, switches and other related hardware, including data and software stored on these devices, located in Controlled Areas.

Section 3 - Definitions

(5) Nil

Section 4 - Policy Statement

(6) Nil

Section 5 - Procedures

Roles/Responsibilities

Procedures

(7) A controlled area at VU is:

1. Primary computer rooms (Data Center) currently located at Footscray Park, Building D and Sunshine, Whitten Building;
2. Communication closets (Comms Rooms) housing central network equipment located within all buildings of the University.

(8) Security Access to Controlled Areas in IT Procedures:

1. Physical access to a controlled area containing critical computing equipment must be:
   1. Restricted to University staff and authorised visitors who need access as part of their job function;
   2. Authorised by the Security and Assurance Manager;
   3. Enforced through physical security barriers and electronic security techniques;
   4. Recorded in an on-going security access log, capturing details of time, date and identity of staff member/visitor.
2. Authorised visitors who require access to a controlled area as part of a specific job function, such as vendor maintenance, must:
   1. Complete an appropriate induction and training program, unless exempted by the Director of IT Operations or nominee;
   2. Be escorted in the Controlled Area at all times. Where it is inappropriate for an on-going escort, for example for extended periods of time, this will be recorded in the access log and signed by the Security and Assurance Manager;
   3. Be authorised by the Director of IT Operations or nominee;
   4. Be recorded in an on-going security access log, capturing details of time, data, identity, escorting staff member and reason for the visit;
   5. Wear approved identification at all times.
3. The Security and Assurance Manager, or delegate, will keep a register/log of those approved to access the controlled area.
4. Outside normal working hours physical access to controlled areas will be via electronic key pads.
5. No equipment is to be relocated or removed from the controlled areas without explicit permission of the Security and Assurance Manager, or delegate.
6. Authorised equipment being installed in or removed from a controlled area will be recorded in a register.
7. Registers for controlled areas shall be maintained so that they can be audited as required.
8. IT staff must have clear passage to all controlled areas at all times.
9. Controlled areas will not be used for storage or any purpose other than that approved by IT.

Section 6 - Guidelines

(9) Nil