When assessing computer security, you should consider the following environmental and physical controls. Performing a risk analysis will help determine which specific controls are most appropriate for your area. This list was originally developed by the UC Davis Police Department. For additional information about the campus crime prevention program, please contact:
, or 530-752-6589.

| User knowledge and responsibility | | | |
| --- | --- | --- | --- |
| Is the responsibility for locking and unlocking the facility formally assigned? | Yes | No | N/A |
| Is there a plan for responding to physical security problems? | Yes | No | N/A |
| Is there a designated "Security Manager"? | Yes | No | N/A |
| If so, is this person known to facility personnel? | Yes | No | N/A |
| Is the evacuation plan publicly displayed throughout the facility? | Yes | No | N/A |
| Is the evacuation assembly destination clearly marked on the facility evacuation plan? | Yes | No | N/A |
| Do facility personnel have knowledge about the evacuation plan? | Yes | No | N/A |
| Is there a way to assist evacuation of those individuals with disabilities? | Yes | No | N/A |
| Do facility personnel know the identity of the department emergency coordinator? | Yes | No | N/A |
| Do facility personnel know what to do if they see a suspicious individual? | Yes | No | N/A |
| Do facility personnel know what to do if they see a suspicious package or a suspicious vehicle in the parking lot? | Yes | No | N/A |
| Are facility exits clearly marked? | Yes | No | N/A |
| Are facility exits obstructed? | Yes | No | N/A |

| Doors | | | |
| --- | --- | --- | --- |
| Are facility doors constructed of material that will discourage breakage? | Yes | No | N/A |
| Are facility windows within 40" proximity to door locks? | Yes | No | N/A |
| Are the exterior hinges of doors to sensitive areas exposed? | Yes | No | N/A |
| Are the door frames strong and tight enough to prevent forcing/spreading? | Yes | No | N/A |
| Are the door locks in good repair? | Yes | No | N/A |
| Are the door strikes and strike plates adequate and properly installed? | Yes | No | N/A |
| Is the mail slot within close proximity (e.g. 40") to the locking mechanism? | Yes | No | N/A |
| Are facility entrances and exits well lighted? | Yes | No | N/A |
| Is the facility front entrance observable from the street or public areas? | Yes | No | N/A |
| Does the facility have sliding glass doors that are susceptible to tampering? | Yes | No | N/A |
| Are automatic glass doors constructed to discourage them from being forced open? | | | |
| Should facility solid doors have "peep-hole" viewers installed? | Yes | No | N/A |
| If so, have the viewers been installed? | Yes | No | N/A |

| Latches and Entry Systems | | | |
| --- | --- | --- | --- |
| Is there a latch guard installed to cover latch and strike plate? | Yes | No | N/A |
| Do the door locks include a dead bolt with 1-inch throw? | Yes | No | N/A |
| Is there an automated card access system in use? | Yes | No | N/A |
| If so, how are user identity and authorization to use the card access system confirmed? | Yes | No | N/A |
| Are employees prohibited from lending their access card to others? | Yes | No | N/A |
| Are there documented procedures for handling lost access cards? | Yes | No | N/A |
| Do access cards provide identification of physical location of the facility using the access system? | Yes | No | N/A |
| Is access to the administrative function of the automated card access system authenticated and controlled based on assigned role/responsibilities? | Yes | No | N/A |
| Are automated card access system logs maintained, regularly reviewed and retained in accordance with University policy? | Yes | No | N/A |
| Is there a regularly scheduled maintenance program for the automated card access system? | Yes | No | N/A |
| Are there documented administrative procedures for maintaining the logical and physical security of the automated badge access application and/or server? | Yes | No | N/A |
| Do hazardous/high risk areas have window screens/grills? | Yes | No | N/A |
| Are exterior areas free from concealing structures or landscaping? | Yes | No | N/A |
| Are window areas lighted adequately? | Yes | No | N/A |
| Are views into external windows not obscured by landscaping? | Yes | No | N/A |
| Is landscaping maintained to discourage unintended facility access (e.g., into upper windows)? | Yes | No | N/A |

| Key Control | | | |
| --- | --- | --- | --- |
| Is the issuance of keys in accordance with department key eligibility criteria? | Yes | No | N/A |
| Are facility keys physically marked "Do Not Duplicate"? | Yes | No | N/A |
| Are facility keys recovered from separating/transferring personnel, students, and faculty? | Yes | No | N/A |
| Is there an annual reconciliation of key inventory with assignments? | Yes | No | N/A |
| Is an audit of department key control records performed periodically? | Yes | No | N/A |
| Are specialty keys/locks in use? | Yes | No | N/A |
| If so, have they been approved by emergency services personnel? | Yes | No | N/A |
| Is the responsibility for maintaining key control records and issuing keys limited to a minimal number of staff members? | Yes | No | N/A |
| What is done with keys that are no longer needed? | Yes | No | N/A |
| What is done with unassigned keys? Are unassigned keys locked in a secured area? | Yes | No | N/A |
| How are lost keys handled? | Yes | No | N/A |
| Who is notified in the event of a reported lost key? | Yes | No | N/A |
| Are window areas lighted adequately? | Yes | No | N/A |

| Theft prevention and insurance | | | |
| --- | --- | --- | --- |
| Are high risk facilities, services and/or areas identified? | Yes | No | N/A |
| Is there a hardware and software inventory, including information about Model/SN, RAM, Disk, HW specifications, SW description, locations, purpose/applications, and technical/administrative contact? | Yes | No | N/A |
| Are maintenance records maintained? | Yes | No | N/A |
| Is equipment evaluated to determine required insurance levels? | Yes | No | N/A |
| Are data removed from equipment scheduled for disposal? | Yes | No | N/A |
| Is a security alarm needed? | Yes | No | N/A |
| Are lockdown devices installed and in use for critical/sensitive equipment? | Yes | No | N/A |
| Is there participation in an "Operation Identification" program? | Yes | No | N/A |
| Do students, faculty and staff participate in a campus watch program? | Yes | No | N/A |

| Visitors | | | |
| --- | --- | --- | --- |
| Is visitor facility entry/exit logged by visitor name and date/time? | Yes | No | N/A |
| Does an attendant oversee log entry? | Yes | No | N/A |
| Is the log reviewed on a regular and periodic basis? | Yes | No | N/A |
| Are facility visitors escorted? | Yes | No | N/A |
| Is a visitor/staff identification badge required? | Yes | No | N/A |
| Are visitors required to turn in their visitor badges after the visit? | Yes | No | N/A |
| Are visitors required to park in designated visitor areas? | Yes | No | N/A |
| Is there a documented procedure for lost visitor badges and for lost staff badges? | Yes | No | N/A |
| How are access privileges for lost badges revoked? | Yes | No | N/A |

| Workstation/server temperature and humidity, HVAC systems | | | |
| --- | --- | --- | --- |
| Is there a high and low temperature warning mechanism and, if so, are the warnings logged to a recording device? | Yes | No | N/A |
| Is the recording device off-site or backed up to an off-site location on a real-time basis? | Yes | No | N/A |
| Is there a high and low humidity warning mechanism and, if so, are the warnings logged to a recording device? | Yes | No | N/A |
| Is the recording device off-site or backed up to an off-site location on a real-time basis? | Yes | No | N/A |
| Do HVAC systems receive maintenance on a regular basis as required by the manufacturers? | Yes | No | N/A |
| Is there a log of all equipment and facility vendors, the types of maintenance that are required, the approximate times during the year that such maintenance is to occur, and an indication of the maintenance performance? | Yes | No | N/A |
| Is such a log updated on a regular and periodic basis? | Yes | No | N/A |

| Power | | | |
| --- | --- | --- | --- |
| Is there a power conditioner in use? | Yes | No | N/A |
| Is there an uninterruptible power system (UPS) in use? | Yes | No | N/A |
| Is the UPS using standby or online technology? | Yes | No | N/A |
| What is the UPS manufacturer/model and is it listed in the facility inventory? | Yes | No | N/A |
| What is specifically plugged into the UPS? | Yes | No | N/A |
| Does the UPS volt-amp rating exceed volt-amp use requirements? | Yes | No | N/A |
| Is the UPS surge factor at least 1.15 times steady-state power? | Yes | No | N/A |
| Does the UPS include a low battery alarm feature? | Yes | No | N/A |
| What is the UPS surge energy rating? | Yes | No | N/A |
| Is the UPS battery within recommended use dates? | Yes | No | N/A |
| Is the UPS tested on a regular basis? | Yes | No | N/A |

| Fire detection and prevention | | | |
| --- | --- | --- | --- |
| Does the facility possess a fire detection mechanism? | Yes | No | N/A |
| Does the facility possess a fire prevention system? (e.g., Halon or equivalent, CO2, dry/wet sprinkler) | Yes | No | N/A |
| Does the facility possess water detection sensors in critical/sensitive areas? | Yes | No | N/A |
| Are there equipment covers in areas protected by liquid-based fire prevention systems? | Yes | No | N/A |
| Are facility workspace areas clean/organized? | Yes | No | N/A |
| Are combustibles stored in proper containers and not in open work spaces? | Yes | No | N/A |
| Are fire extinguisher inspections up to date? | Yes | No | N/A |
| Are individuals periodically trained in extinguisher use? | Yes | No | N/A |
| Are fire alarms periodically tested? | Yes | No | N/A |

| Removal of computer equipment | | | |
| --- | --- | --- | --- |
| Is a department computer inventory periodically performed by knowledgeable staff? | Yes | No | N/A |
| Is permanent removal of computer equipment properly authorized and recorded (refer to PPM 350-80 and 350-18)? | Yes | No | N/A |
| Is there a written authorization for any temporary removal of computer equipment (e.g. laptop) from University facilities (PPM 350-70)? | Yes | No | N/A |
| Is confidential and/or sensitive data completely removed from all storage areas on computer hardware prior to permanent removal/sale/destruction of the hardware? | Yes | No | N/A |