Re: Physical Security - How many IT Departments have Restricted Access?

["Peters, Kevin" <Kevin.Peters () OLC STATE OH US>]

Sean:

At a previous institution we had a Help Desk in a common area in the building that housed IT for walk in customer 
service. In the areas of computer and network support all doors were locked at all times and alarmed after hours for 
those reasons you mention. 

I am currently with a State Agency housed in a State building with other State Agencies. All visitors to the building 
must sign in at a front desk that has building security and highway patrol officers present. IDs are required and all 
bags are checked. Next the visitor must sign in at our Agency front desk. From there someone will come pick up the 
visitor. All doors into all areas of our building are locked at all times. Keycard access to key IT areas is based upon 
business need and approval by the IT Director. 

Kevin Peters
The Ohio Lottery

________________________________

From: The EDUCAUSE Security Constituent Group Listserv 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Sent: Fri Nov 07 17:22:44 2008
Subject: [SECURITY] Physical Security - How many IT Departments have Restricted Access? 


Greetings, all.  I am new to the Educause Security list and I hope that I am posting this question to the right list.
 
I am the manager of a newly created IT Security group at a university and I have a question for other IT professionals 
on this list.  There has been a recent initiative that was been proposed by one of our upper management people to 
unlock the front doors of our IT department during business hours, in order to be more customer friendly and not make 
people who visit our offices feel that they are not trusted.  
 
Background: 
We've had ingress to the IT department offices restricted by badge access for many years.  Within the offices there is 
a server room that has separately-keyed badge access (representing two layers of physical security).   
 
While I acknowledge that there is a negative impact to convenience that is associated with restricting access to IT 
services premises, I have been making the argument that unlocking the doors would increase the risk to: 
 
1) unsecured hardware that may contain private data (mostly customer/user systems that are being repaired by 
workstation support) 
2) the workstations of multiple admins who are using elevated accounts to access to switches, routers and servers with 
private data on them
3) a variety of laptops, PDAs and other portable devices, owned by the IT department and our customers
4) one less layer of physical security protecting our server room
 
I'd like to hear back from IT professionals at other universities, to see where our department sits in comparison to 
the norm: is access to your IT department restricted?  If so, how is that access restricted?  If your department is not 
physically secured, what kinds of problems have you run into?
 
Thanks, in advance, for any thoughts/suggestions that you are willing to share.
 
Sean