Physical and Environmental Security
Purpose
The purpose of this policy is to establish the rules to provide physical security and prevent unauthorized access and interference with the facilities and information security systems of the University, as well as to protect information and employees from exposure to various physical threats that could negatively affect information system services or cause them to cease functioning.
Scope of the Policy
This policy applies to all members of UTAS-Sur, whether on a temporary or permanent basis, as well as any third parties working with or contracted by the university. It covers all environments where the university’s information systems are operated.
Executive Responsibility
Information Systems and Educational Technologies Center.
Policy Custodian
Assistant Vice Chancellor for UTAS – Sur.
Enforcement
Any violation of this policy by members or third parties (suppliers, contractors, business partners, etc.) will be subject to disciplinary and legal action in accordance with the laws of the Sultanate of Oman, including regulations related to cybersecurity, the university’s policies, labor laws, and electronic transactions.
Policies and Controls
The University must ensure that all its physical facilities are equipped with security measures commensurate with the risks to the information systems in those facilities.
Secure Areas:
The University must develop a physical security plan for its facilities, which should be divided into zones, with each zone having a level of restrictions governing access requirements.
The surrounding areas can be classified as follows:
- Public and Reception Areas: Limited restrictions, subject to general monitoring.
- Secure Access Areas: Restricted access, with visitor registration and escorting. Subject to supervision.
- Restricted Access Areas: Limited to authorized personnel only. High restrictions, especially with visitor registration and escorting. Subject to monitoring.
The University must ensure the following:
- Data centers are not located in an unstable environment.
- Data centers are not located near hazardous adjacent facilities (e.g., chemical laboratories).
- Backup data and equipment are stored at a safe location away from the main site to avoid exposure to the same disaster affecting the main site.
Physical Access Control:
- University staff, suppliers, and contractors are permitted access to the University’s physical facilities, including data centers, only after proper identification and verification in accordance with physical access authorization procedures.
- Access to the university’s secure labs and restricted areas must be approved. Access to areas with high security classification, such as data centers, is limited to persons with direct responsibility for the operation and maintenance of the data center. University staff, suppliers, contractors, and other visitors must wear a unique identification badge at all times while on university premises.
- Each visitor must have a visitor ID during their stay inside the university and must be recorded in the visiting logs. The log must include the visitor’s name, company, purpose of visit, entry time, exit time, and date.
- Sharing access cards among employees is prohibited.
- Telephone directories and internal documents used to identify sensitive processing facilities are available to university staff only.
- All visitors must be escorted by university staff while moving through secure areas.
Inspection of Information Security Materials/Items Entering and Exiting Through Secure Areas:
- Materials entering and exiting the University must be inspected before being transferred from general access areas to their point of use. All transfer requests must be formally authorized and recorded by the Information Systems and Educational Technologies Center Team.
Maintenance of Physical and Environmental Security Infrastructure:
- University equipment must be maintained and repaired by authorized maintenance personnel.
- The University must monitor and control any maintenance and diagnostic activities performed locally or remotely.
- All local/remote maintenance activities and diagnostics must be monitored, and relevant University staff must review maintenance logs for various activities.
Effective Date of the Policy
This policy shall take effect from the approval date.