...
Secure Research Facilities are intended to limit access to authorized individuals and should not be shared. If the physical space must be shared, it should only be for other research requiring a similar level of security, and there must be other physical and/or logical controls in place to restrict access, for example, using separate computers inside an SRF for each research project.
Audit logs of all access need to be kept.
Electronic Access Control (Preferred) - The SRF should be secured with electronic access, and logs will be sent to the Information Security office for audit purposes monthly.
Physical Key - Physical keys should only be used for emergency access to an SRF. If a physical key is used, then access needs to be manually recorded in the access log upon entry and exit. The log needs to be immediately available upon entry, and copies of the logs need to be sent to Information Security for audit purposes monthly.
Information Security will maintain a list of authorized users and audit access logs.
Maintenance Access - If maintenance or housekeeping access is required it must be conducted in the presence of personnel with authorized access to the space.
Unauthorized Access - Unauthorized entries should be promptly reported to the facility director and the CISO (ciso@lehigh.edu) and investigated promptly. If they are detected as part of the access log audit the facility director will be promptly notified.
Related
Definitions
Secure Research Facilities - Physical space where research involving sensitive data (e.g. CUI, PHI/ePHI) that requires additional protection must be conducted.
Facility Director - Individual responsible for a Secure Research Facility.
Revision History
Date | Version | Description | Approval |
---|---|---|---|
| 1.0 | Original Document | Draft |
| 1.01 | Revisions | Draft |
| 1.1 | CISO Approved | Approved |
| 1.1.1 | Added references to NIST 800.171 | Approved |
| 1.2 | Added 5. Unauthorized Access section | Approved |