Physical security standard

Purpose

The purpose of this standard is to define controls to maintain the confidentiality, integrity, and availability of OHIO resources through the prevention of loss, damage, theft, or compromise of university data and assets.

Scope

This standard provides a minimum baseline for physical security and applies to any systems or paper records containing OHIO data. Any standards or policies that require more stringent physical security for specific systems or locations supersede this standard. All OHIO faculty, staff, students and third-party associates are responsible for ensuring that university data is secured.

Standard

Device security

  • Authentication credentials shall not be stored in the area on or around a system. (For example, credentials are not to be written on a sticky note on a computer or under a keyboard.)
  • The user profile must be set to locked when devices are unattended.
  • Mobile devices, such as laptops, and portable media must be stored securely when not in use, for example in a locked cabinet, secured via laptop lock, or behind a locked door, so that they are removed from publicly accessible areas.
  • Devices with OHIO data stored on them must utilize encryption at either the file level or disk level based on the sensitivity of the data, per the Information Security Standard Acceptable Encryption.
  • Units should maintain an asset inventory list of their devices containing each device's model, serial number, Media Access Control (MAC) address, and unique asset tag, if applicable.

Location security

  • Locations that store sensitive data or devices containing sensitive data should be secured via doors with lock and key or card swipe.
  • Users should be aware of their surroundings and be cognizant of the visibility of data on computer screens and surrounding workstations.
    • Users must adhere to a clean desk policy, ensuring that documents containing sensitive information are not left out where data can be visible to individuals who are not authorized to access it. For example, turn over documents on your desk when not in use, and store paper documents and removable media in locked cabinets or desk drawers when unattended.
  • Access to physical locations must be removed upon employee retirement, termination or transfer.

References

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

Complete Exception request form.

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer 
  • Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance 
  • Faculty: Hans Kruse, Instructor; Emeritus (Scripps College) 
  • Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences) 
  • Faculty: Shawn Ostermann, Associate Professor (College of Engineering) 
  • Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College) 
  • Finance: Julie Allison, Associate Vice President, Finance 
  • Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations 
  • Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security & Digital Accessibility 
  • Regional Higher Education: Larry Tumblin, Director of Information Technology for Regional Higher Education 
  • Research: Kimberly Littlefield, Associate Vice President for Research Administration 

History

Draft versions of this policy were circulated for review and approved March 16, 2026.