University Policies and Procedures Manual (previously Business Policies and Procedures Manual)

Physical Security

UPPM 87.62

For more information contact:
   Information Technology Services


1.0     Overview and Purpose

1.1      Information Assurance Policies Generally

The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:

  • Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
  • Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
  • Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.

The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:

  • Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
  • Dictate which security controls are mandatory based upon the categorization level;
  • Define the strength, frequency, and formalization of those controls; and
  • Influence audit burden and continuous monitoring rigor.

See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.

1.2      Specific Policy Overview and Purpose

Protecting the physical security of WSU facilities where IT systems are housed is critical to preventing unauthorized physical access, damage, or theft of WSU IT resources and information. By setting forth requirements for facility access, security, and environmental controls, this policy helps ensure the safety, security, and reliability of WSU’s IT infrastructure.

2.0    Applicability

This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.

Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.

3.0    Roles and Responsibilities

3.1      Chief Information Officer

The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.

3.2     Information System Owners

WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation. 

3.3     Office of Information Security and Assurance (OISA)

WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).

Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.

4.0   Requirements

4.1     General Requirements

Access to WSU facilities, public area access, and visitor access is governed by UPPM 50.20.

Facilities with restricted access are required to maintain a list of individuals with authorized access. 

Access authorizations are to be verified before granting entry to the facility. 

Physical access logs must be maintained for designated areas. 

Electronic access is to be logged in accordance with UPPM 87.50.

Keys, combinations, and other physical access devices must be kept secured and inventoried. Combinations and keys are to be changed regularly and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. 

Physical access to system facilities is to be monitored in accordance with UPPM 87.50.

Incidents of unauthorized or unusual activity must be documented and reported in accordance with UPPM 87.55.

Visitor access records must be maintained for system facilities. Access records are to be reviewed, and anomalies reported to the appropriate personnel. 

Automatic emergency lighting that activates in the event of a power outage or disruption must be employed. Lighting must cover emergency exits and evacuation routes within the facility. 

Fire detection and suppression systems must be supported by an independent energy source. 

Environmental controls are to be maintained and monitored within system facilities. 

System facilities are to be protected from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.  

Information System Owners, or their delegates, must control, authorize, and maintain records of system components entering and exiting the facility. 

4.2     Moderate- and High-Impact Systems

In addition to the above, the following requirements apply to all moderate- and high-impact systems.

Physical access to system distribution and transmission lines for moderate- and high-impact systems must employ additional controls to prevent accidental damage, disruption, and physical tampering.  

Output devices connected to moderate- and high-impact systems must employ physical controls to prevent unauthorized individuals from obtaining the output. 

Physical access to moderate- and high-impact system facilities is to be monitored using physical intrusion alarms and surveillance equipment.  

Facilities with moderate- and high-impact systems must protect power equipment and power cabling from damage and destruction. 

  • Facilities must also provide the ability to shut off power in emergency situations. Emergency shutoff switches or devices must be made accessible to authorized personnel and protected from unauthorized activation. 

Moderate- and high-impact systems are to use an uninterruptible power supply in the event of a primary power source loss. 

Moderate- and high-impact system facilities must employ fire detection systems that activate automatically and notify appropriate personnel in the event of a fire. 

Moderate- and high-impact system controls are to be determined and documented for alternate work sites used by employees. Employees are to be provided with a means to communicate with information security and privacy personnel in case of incidents. 

4.3     High-Impact Systems

In addition to the above, the following requirements apply to all high-impact systems.

Physical access to high-impact systems must enforce additional physical access authorizations, in addition to the physical access controls for the facility.  

  • Additional physical access controls for high-impact systems must be monitored in accordance with UPPM 87.50.

Facilities with high-impact systems must maintain and review access records using automated mechanisms.

High-impact systems are to be provided with an alternate power supply that can maintain minimally required operational capability in the event of an extended loss of the primary power source.

High-impact system facilities must employ fire suppression systems that activate automatically and notify appropriate personnel in the event of a fire.

High-impact system facilities must detect the presence of water near the system and automatically alert appropriate personnel.

High-impact system components are to be positioned within the facility to minimize potential damage and to minimize the opportunity for unauthorized access. 

5.0    Training

See UPPM 87.21 for training requirements related to UPPM Chapter 87.

In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.

_______________________
Revisions:  Feb. 2026 (Rev. 651 – NEW).