Physical Access (Secure Research Facilities)

Description

Research involving sensitive data and/or systems needs to be physically secured and monitored in accordance with its sensitivity.

Scope

This policy applies to everyone who manages or uses a Secure Research Facility at Lehigh.

Security Requirements

NIST 800-171 references the following security requirements within the XXXX family:

• 3.10.1 Physical Access Control

  • 3.10.1 (a): Limit physical access to organizational systems, equipment, and the operating environments containing such systems and equipment to authorized individuals.

  • 3.10.1 (b): Escort visitors and monitor visitor activity.

  • 3.10.1 (c): Maintain audit logs of physical access.

  • 3.10.1 (d): Control and manage physical access devices.

• 3.10.2 Facility and Infrastructure Protection

  • 3.10.2 (a): Protect and monitor the physical facility and supporting infrastructure for organizational systems. 

• 3.10.7 Physical Access Control

  • 3.10.7 (b): Maintain physical access audit logs for entry or exit points.

  • 3.10.7 (c): Escort visitors, and control visitor activity.

• 3.10.8 Access Control for Transmission

  • Control physical access to system distribution and transmission lines within organizational facilities.

Other compliance requirements:

• HIPAA Security Rule - Physical Safeguards

  The HIPAA Security Rule establishes safeguards to protect electronic protected health information (ePHI). Within that, the Physical Safeguards specifically address physical access to ePHI and the facilities where it's stored.  

• 28 CFR Part 22 - Confidentiality of Identifiable Research and Statistical Information
  The Electronic Code of Federal Regulations (eCFR) Title 28, Part 22, pertains to the confidentiality and proper use of identifiable research and statistical information.

Implementation

1. Secure Research Facilities (SRF) need to be secured with an electronic lock and access restricted to only the individuals who need to have access to the facility including:

   1. Approved researchers (e.g. PIs and their designees)

   2. Approved technical support staff

   3. Lehigh University Police

All other individuals who need access (e.g. cleaning and maintenance staff) will need to provided access and monitored by those with approved access.

1. Secure Research Facilities are intended to limit access to authorized individuals and should not to be shared. If the physical space must be shared it should only be for other research requiring a similar level of security and there must be other physical and/or logical controls in place to restrict access. For example, using separate computers inside of a SRF for each research project.

2. Audit logs of all access need to be logged.

   1. Electronic Access Control (Preferred) - SRF should be secured with electronic access and logs will be sent to Information Security office for audit purposes monthly.

   2. Physical Key - Physical keys should only be used for emergency access to a SRF. If a physical key is used then access needs to manually recorded in access log upon entry and exit. The log needs to be immediately available upon entry and copies of the logs need to be sent to Information Security for audit purposes monthly.

3. Information Security will maintain a list of authorized users and audit access logs.

4. Maintenance Access - If maintenance or housekeeping access is required it must be conducted in the presence of personnel with authorized access to the space.

5. Unauthorized Access - Unauthorized entries should be promptly reported to the facility director and the CISO (ciso@lehigh.edu) and investigated promptly. If they are detected as part of the access log audit the facility director will be promptly notified.

Related

Definitions

 Secure Research Facilities - Physical space where research involving sensitive data (e.g. CUI, PHI/ePHI) that requires additional protection must be conducted.

Facility Director - Individual responsible for a Secure Research Facility.

Revision History