Article 57 – Physical and Environmental Protection Policy
49140.4 Policy Directives
- The department shall define the control requirements for the physical environmental protection of information assets.
- The department shall implement, manage, monitor, and regularly maintain physical security and environmental protection controls to safeguard State information assets for which they have custodianship.
- Personnel identification systems and facility access controls shall be implemented for all personnel and visitors. Access logs shall be reviewed at minimum annually.
- Environmental controls shall be implemented in computer rooms and data centers, including but not limited to, temperature and humidity regulators, fire detection and suppression, and electrical power conditioning.
- Supporting controls, processes, and procedures to control physical access (e.g., security gates), handling digital media, and emergency processes and procedures shall be implemented.
- Service records of periodic maintenance of physical and environmental protection controls (e.g., heating/cooling unit servicing) and results of tests of environmental controls (e.g., power outage) shall be retained for a minimum of six (6) months.
- Security risks shall be identified, remediated, and reported to the department Information Security Officer (ISO).