The Official Web site for the Office of Information Technology - UTSA


Copyright (c) 2008. The University of Texas at San Antonio. All rights reserved.


Physical Access Standard

Purpose - The UTSA Physical Access Standard establishes the rules for the granting, control, monitoring and removal of physical access to information resource (IR) facilities.

Audience - The UTSA Physical Access Standard applies to all individuals within the UTSA enterprise who are responsible for the installation and support of IR, individuals charged with IR security and data owners. The standard applies to multi-user and centralized computing facilities, as well as to individual workstations and kiosks.

  1. All physical security systems must comply with all applicable regulations such as, but not limited to, building codes and fire prevention codes.

  2. All multi-user computer and communications equipment must be located in locked rooms to prevent tampering and unauthorized use.

  3. Access to IR facilities must be granted only to the UTSA support personnel and contractors whose job responsibilities require access to that facility.

  4. The process for granting card and/or key access to IR facilities must include the approval of the manager of the facility.

  5. Each individual who is granted access rights to an IR facility must receive training in emergency procedures for that facility and must sign the appropriate access and non-disclosure agreements.

  6. Access cards and/or keys must not be shared by or loaned to others.

  7. Access cards that are no longer required must be returned to the person responsible for the IR facility. Cards must not be reallocated to another individual, thereby circumventing the return process.

  8. Lost or stolen access cards and/or keys must be reported to the person responsible for the IR facility.

  9. Where possible, cards and/or keys must not have identifying information other than a return mail address.

  10. All IR facilities that allow access to visitors will track that access with a sign in/out log.

  11. Card access records and visitor logs for mission-critical IR facilities must be kept for a period of one year for review. Timelines are based upon the criticality of the IR being protected.

  12. Visitors must be escorted while in access-controlled areas of IR facilities.

  13. The manager of the IR facility must review access records and visitor logs for the facility on a periodic basis and investigate any unusual access.

  14. The manager of the IR facility must review card and/or key access rights for the facility on a periodic basis and remove access for individuals who no longer require access.

  15. Signage for restricted access rooms and locations must be practical, yet minimal. The signs should emphasize the relative importance of security in the location.

  16. If the user has access to sensitive information on their computer system, the user must not leave their PC, workstation, or terminal unattended without first logging out or invoking a password-protected screen saver.

  17. If there has been no activity on a computer terminal, workstation or PC for ten minutes, the system must automatically blank the screen and suspend the session. Re-establishment of the session must take place only after the user has provided the proper password.

  18. All information storage media (such as hard disk drives, floppy disks, magnetic tapes and CD-ROMs) containing sensitive information must be physically secured when not in use.
