Body
PURPOSE
Pacific University has adopted this Facilities Access and Maintenance Control Policy and Procedures to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, including but not limited to FERPA, GLBA, HIPAA, PCI, and other regional or local applicable laws and regulations.
University colleges, schools, and departments should follow these procedures to comply with the Facilities Access and Maintenance Control Policy, Policy Number POL-UIS4506.
PROCEDURE
Access to server rooms by university workforce members
- Access to server rooms containing Protected Data by university personnel will be restricted such that only authorized personnel are permitted to enter.
- Access will be recorded and monitored on a regular basis (weekly).
- Access records for server rooms with ID card access controls will be sent to the Chief Information Security Officer for regular review.
- Server rooms without ID card access controls require all university personnel to sign in/out using the Activity Log sheet located in each area. These logs will be reviewed periodically, and the review documented by an entry on the Activity Log indicating the date and time. Activity Log sheets are not to be removed from the area.
- Documentation will be stored according to UIS practices.
Access to server rooms by non-university employees such as guests or outside contractors
- Guests or outside contractors who access server rooms containing Protected Data must be accompanied by a university employee at all times.
- Server rooms with ID card access controls: Members of the workforce who have badge access will use their badges to obtain access to the server rooms. Guests or outside contractors must sign in/out on the Activity Log sheet.
- Server rooms without ID card access controls require all university personnel, and guests and outside contractors to sign in/out using the Activity Log sheet located in each area.
Maintenance Records for services performed in server rooms
- The facilities office will retain records on the maintenance of equipment and facilities related to the protection of PHI.
- Facility maintenance records, which describe security repairs or enhancements, will be kept for each healthcare facility or server room in a location determined by Facilities department.
- Records retention requirement is six (6) years.