Department: UW Medicine Information Technology Services

Policy Number: SEC-04.01 – Server System Location Standard

Effective Date: June 11th, 2007

Review Date: April 27th, 2007


Purpose

The purpose of this standard is to explain and establish requirements for physical safeguards for UW Medicine[1] Server Systems. 


Definitions

See UW Medicine Information Security policy: SEC-REF UW Medicine Information Security Program Glossary of Terms.


Standard

It is the responsibility of the System Owner to place their Server System in a facility that provides the required controls and to implement and maintain any supplementary controls not provided by the facility.  Server Systems must be housed in designated areas that provide adequate physical security and environmental controls. Such areas must have a defined security perimeter, with appropriate entry controls, and must be physically protected from unauthorized access, damage and interference.

I) Physical and Environmental Security Controls

For Server Systems that do not have high confidentiality, integrity, or availability requirements, the System Owner should conduct a risk assessment to evaluate which controls should be implemented. Server Systems that have high confidentiality, integrity, or availability requirements must implement the appropriate controls to reduce the risks from unauthorized physical access, environmental threats, and hazards.

A) Physical access controls include:

1. Defined security perimeter and signage

2. Controlled access points, e.g., locking doors

3. Access logging, e.g., magnetic swipe cards

4. Vendor and guest access is granted only while in the company of UW Medicine authorized staff

5. Logging for equipment moving in and/or out of the facility

B) Environmental controls include:

1. UPS[2] and power conditioning

2. Backup generator power

3. Temperature monitoring and cooling

4. Fire/smoke detection and suppression systems

5. Protection from water damage

6. Seismic protections

7. No food or drink allowed in contact with or in close proximity to servers

References:

I. 45 CFR Part 164; Section 164.310(a)(1) Facility Access Controls

UW Medicine IT Services: James S. Fine, M.D., CIO, ISO

Date:



[1] For purposes of HIPAA, UW Medicine includes the following entities: University of Washington Medical Center and Clinics; Harborview Medical Center and Clinics; UW Medicine Neighborhood Clinics (University of Washington Physicians Network); UW Physicians Sports Medicine Clinic; Hall Health Primary Care Center; University of Washington Physicians; UW Medicine Eastside Specialty Center; as well as certain services and activities that support UW Medicine that are performed by non-healthcare components of the University of Washington as defined within Privacy Policy PP-01 Use & Disclosure of Protected Health Information – Organizational Requirements.  UW School of Medicine is subject to the UW Medicine Information Security Program.


[2] UPS – uninterruptible power source