The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

1. Purpose

   The purpose of this compliance standard is to establish the requirements for safeguard the physical facilities that house information technology equipment, systems, services, and personnel.

2. Definitions

   IT Facilities is a static, mobile or portable facility (or facilities) or a location that contains Old Dominion University information technology equipment, systems, services, and personnel.

3. Standards Statement

   Old Dominion University implements physical security practices to prevent unauthorized physical access, damage and interference to the institution's premises and information. The protection provided should be commensurate with the identified risks.

   Site Security

   • Security perimeters of IT sites are clearly defined and controls depend on the requirements of the asset and the results of a risk assessment.
   • The perimeters of the site should be physically sound and of solid construction.
   • Doors should be suitably protected against unauthorized access with suitable control mechanisms.
   • Physical security for offices, rooms and other facilities should consider all relevant health and safety standards.
   • Where applicable, sites should be unobtrusive and give minimum indication of their purpose.

   Environmental Controls

   • Physical barriers should provide environmental protection.
   • Electric power, heating, fire suppression, ventilation, air-conditioning, and air purification are to be installed, as required by the IT systems and data.
   • All fire doors are to be alarmed, monitored and tested in compliance with fire safety regulations.

   Physical Access Controls

   • Access to sites should be restricted to authorized personnel only.
   • Physical access to essential computer hardware, wiring, displays, and networks by the principle of least privilege, where feasible.
   • A system of monitoring and auditing physical access to sensitive IT systems is provided.
   • The Information Security Officer (ISO) is to periodically review the list of persons allowed physical access to sensitive IT systems.

   Working in Secure Areas

   • Guidelines for working in secure areas should include controls for employees, contractors and third party users.
   • Personnel should only be aware of activities on a need-to-know basis.
   • Unsupervised working is secure areas should be avoided for safety reasons and to prevent opportunities for malicious activities.
   • Vacant areas should be physically locked and periodically checked.
   • Audio and video equipment is not allowed in secure areas without the authorization of the Information Security Officer.

   Public Access, Delivery and Loading Areas

   • Access points for deliveries and loading are to be controlled for unauthorized access.
   • Incoming material should be inspected for potential threats before being moved to the point of use and handled in accordance with asset management procedures.

4. Procedures, Guidelines & Other Related Information

   Federal and State Law

   University IT Policies

   IT Policies and Standards

5. History

   Date	Responsible Party	Action
   October 2008	ITAC/CIO	Created
   October 2009	ITAC/CIO	Reaffirmed
   October 2010	ITAC/CIO	Reaffirmed
   October 2011	ITAC/CIO	Reaffirmed
   March 2012	ITAC/CIO	Revised for working in secure areas and public access and delivery
   December 2012	IT Policy Office	Numbering revision
   December 2016	IT Policy Office	Reviewed no changes
   September 2019	IT Policy Office	Reviewed no changes
   January 2023	IT Policy Office	Reviewed no changes