DRAFT - Physical Access (Secure Research Facilities)
Description
Research involving sensitive data and/or systems needs to be physically secured and monitored in accordance with its sensitivity.
Scope
This policy applies to everyone who manages or uses a Secure Research Facility at Lehigh.
Security Requirements
NIST 800-171 references the following security requirements within the XXXX family:
3.10.1 Physical Access Control
3.10.1 (a): Limit physical access to organizational systems, equipment, and the operating environments containing such systems and equipment to authorized individuals.
3.10.1 (b): Escort visitors and monitor visitor activity.
3.10.1 (c): Maintain audit logs of physical access.
3.10.1 (d): Control and manage physical access devices.
3.10.2 Facility and Infrastructure Protection
3.10.2 (a): Protect and monitor the physical facility and supporting infrastructure for organizational systems.
Other compliance requirements:
HIPAA Security Rule - Physical Safeguards
The HIPAA Security Rule establishes safeguards to protect electronic protected health information (ePHI). Within that, the Physical Safeguards specifically address physical access to ePHI and the facilities where it is stored.
Implementation
Secure Research Facilities (SRF) need to be secured with a lock and access restricted to only the individuals who need to have access to the facility including:
Approved researchers
Lehigh University Police
Other individuals who need access, including cleaning staff, will need to be provided access and monitored by those with approved access.
Secure Research Facilities are not to be shared. The space and all equipment will be dedicated solely for its research purpose.
All physical access to the facility needs to be recorded in an audit log.
Electronic Access Control (Preferred) - SRF should be secured with electronic access control, and access logs will be sent to the Information Security office for audit purposes monthly.
Physical Key - If a physical key is used, then access needs to be manually recorded in the access log upon entry and exit. The log needs to be immediately available upon entry, and copies of the log need to be sent to Information Security for audit purposes monthly.
Information Security will maintain a list of authorized users and audit access logs.
Related
Definitions
Secure Research Facilities - Physical space where research involving sensitive data (e.g. CUI, PHI/ePHI) must be conducted.
Revision History
Date | Version | Description | Approval
---|---|---|---
Dec 20, 2024 | 1.0 | Original Document | Draft