- (1) Computer equipment shall be protected from unnecessary risk of access, damage, or theft.
(2) Facility access must be controlled using physical access control devices such as keys, locks, combinations, radio-frequency identification (RFID) card readers, etc.
- (a) All facilities must have at least one physical security control protecting it from unauthorized access, damage, or interference;
- (b) Facilities that process or store information classified at Level 3 (Restricted) or higher must employ multiple layers of physical security controls; and
- (c) For areas used to process or store information classified at Level 3 (Restricted) or higher, access logs for controlled entry points must be maintained.
- (3) An annual evaluation of physical security for information systems used by staff shall be conducted by the Department of Corrections ISO or their designee. The findings of this evaluation shall be used to enhance the physical security of the agency systems as needed.
- (4) Physical security guidelines for information systems shall be developed by ITS and reviewed and approved by the Department of Corrections ISO.
Statutory/Other Authority
ORS 179.040, 423.020, 423.030 & 423.075
Statutes/Other Implemented
ORS 179.040, 423.020, 423.030 & 423.075
History
DOC 5-2024, amend filed 04/29/2024, effective 04/29/2024
DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99
CD 10-1997, f. & cert. ef. 6-20-97
CD-24-1992, f. 11-24-92, cert. ef. 12-1-92