Standards Group:
YALE-MSS-4: Physical Security
YALE-MSS-4.2: Physically secure the IT System
Details
If the IT System is whole-disk encrypted and requires authentication for administrative functions with a session timeout, these standards are not required.
If the IT System is located in a Critical IT Space that meets the security standards outlined in YALE-MSS-4.1, these standards are not required.
All high risk systems should be stored in a secure area that can be locked down so that only explicitly permitted users can enter the space. Below are the requirements for securing that area appropriately.
High risk systems require physical security because physical access to a system can enable other methods of unauthorized access to the data or the system that logical controls alone do not prevent.
Controls
- YALE-MSS-4.2.1: Limit user access to the secure area to only those who need it
- YALE-MSS-4.2.2: Review and re-certify user access to the secure area annually
- YALE-MSS-4.2.3: Access to the secure space produces a physical or electronic audit log
- YALE-MSS-4.2.4: Use a locking cable or equivalent physical protection for all devices when not in the user's physical custody
- YALE-MSS-4.2.5: Install privacy screen filters on computer screens that display ePHI