Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 4 Next »

Description

Research involving sensitive data and/or systems needs to be physically secured and monitored in accordance with its sensitivity.

Scope

This policy applies to everyone who manages or uses a Secure Research Facility at Lehigh.

Security Requirements

NIST 800-171 references the following security requirements within the XXXX family:

  • 3.10.1 Physical Access Control

    • 3.10.1 (a): Limit physical access to organizational systems, equipment, and the operating environments containing such systems and equipment to authorized individuals.

    • 3.10.1 (b): Escort visitors and monitor visitor activity.

    • 3.10.1 (c): Maintain audit logs of physical access.

    • 3.10.1 (d): Control and manage physical access devices.

    3.10.2 Facility and Infrastructure Protection

    • 3.10.2 (a): Protect and monitor the physical facility and supporting infrastructure for organizational systems.     

Other compliance requirements:

  • HIPAA Security Rule - Physical Safeguards

    The HIPAA Security Rule establishes safeguards to protect electronic protected health information (ePHI). Within that, the Physical Safeguards specifically address physical access to ePHI and the facilities where it's stored.  

  • 28 CFR Part 22 - Confidentiality of Identifiable Research and Statistical Information
    The Electronic Code of Federal Regulations (eCFR) Title 28, Part 22, pertains to the confidentiality and proper use of identifiable research and statistical information.

Implementation

  1. Secure Research Facilities (SRF) need to be secured with an electronic lock and access restricted to only the individuals who need to have access to the facility including:

    1. Approved researchers

    2. Lehigh University Police

    3. Other individuals who need access including cleaning staff will need to provided access and monitored by those with approved access.

  2. Secure Research Facilities are intended to limit access to authorized individuals and should not to be shared. If the physical space must be shared it should only be for other research requiring a similar level of security and there must be other physical and/or logical controls in place to restrict access. For example, using separate computers inside of a SRF for each research project.

  3. Audit logs of all access need to be logged.

    1. Electronic Access Control (Preferred) - SRF should be secured with electronic access and logs will be sent to Information Security office for audit purposes monthly.

    2. Physical Key - Physical keys should only be used for emergency access to a SRF. If a physical key is used then access needs to manually recorded in access log upon entry and exit. The log needs to be immediately available upon entry and copies of the logs need to be sent to Information Security for audit purposes monthly.

  4. Information Security will maintain a list of authorized users and audit access logs.

  5. Maintenance Access - If maintenance or housekeeping access is required it must be conducted in the presence of personnel with authorized access to the space.

Definitions

 Secure Research Facilities - Physical space where research involving sensitive data (e.g. CUI, PHI/ePHI) that requires additional protection must be conducted.

Revision History

Date

Version

Description

Approval

1.0

Original Document

Draft

1.01

Revisions

Draft

1.1

CISO Approved

Approved

  • No labels