Section 3: Physical and Personnel ProtectionAnchor: #i1043190
This section establishes how TxDOT protects those who work with its information resources as part of its Investment Protection Policy. The effort includes adhering to the policies published in the Agency’s State Security Policy Manual and the safety controls established in the Occupational Safety Manual. Protecting individuals from evolving threats adds operational rigor to TxDOT’s approach to satisfy the “Protect” objective of the Texas CyberSecurity Framework.Anchor: #KLOHLPKK
TxDOT will manage how and when individuals can enter or exit locations where information resources are kept. Typically, this includes obvious controls such as tracking visitors, assigning badges, and ensuring that physical access to secure areas are correctly granted and revoked. In the networked environment, TxDOT will review previously granted privileges to ensure that they change as work assignments and organizational changes occur. Access to physical and networked locations will be a part of TxDOT's on-boarding and Off-boarding Processes.
Secured areas. Access to locations where physical information resources are kept is limited to authorized personnel. (See TxDOT State Security Policy Manual, Chapter 1, Section 4) the “Additional precautions include:
- accompanying visitors
- wearing and displaying badges
- logging access to the secure areas
- reviewing access logs
- reporting incidents resulting in a lack of physical security.
Entry points. Entry points are all locations from which access to a physical device or system can be gained. This includes on-site and off-site locations, offices, server rooms, wiring cabinets, etc. All entry points leading to secure areas are controlled and monitored either by security guards or electronic mechanisms. Additional precautions include:
- securing entry points at all times
- monitoring opened doors leading to secured areas
- tracking, securing and verifying keys, combinations, and other physical access devices
- reviewing and maintaining accurate inventory logs
- reporting loss or tampering of security devices.
Preventing damage. Recognizing the environmental conditions that may lead to fires, flooding, and sabotage is the first step toward protecting TxDOT’s investment in personnel. Minimal precautions include:
- following the Electrical Safety Program as outlined in the Occupational Safety Manual
- using safety equipment properly and as required
- following safety protocols described in user manuals for each device.
Individuals who use information resources must reduce risks, including:
- following common safety practices when working with electronic equipment
- identifying all significant known risks
- avoiding unnecessary or unreasonable exposures
- initiating reasonable and appropriate responses
- securing mobile devices within a locked shelf or with an approved restraining device
- using a non-interruptible, also known as “uninterruptible,” power supply units (UPS) to prevent the loss or fluctuation of electrical power
- securing sensitive or confidential information output
- ensuring output devices only create sensitive or confidential documents when authorized recipient releases it.
- verifying that tools, devices, and software entering the secure areas do not pose a threat to systems.
Information Owners who request exceptions from security controls must provide:
- documented business reasons
- accountability for ensuring TxDOT’s investment is protected.
- follow hiring procedures in the Human Resources Policy manual, Chapter 1
- submit a request whenever employees require higher privileges.
The Information Security Officer (ISO) must:
- administer the Risk Management Program
- oversee the Risk Registermonitor risks responses
- review then approve or deny exception requests
- review and track all individuals who have elevated access privileges.
Compliance and Standards
See the “Physical and Personnel Protection Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Investment Protection Policy.