Northeastern University Physical Protection Standard

Document Metadata

Related Policy: Northeastern University Information Security Policy

Responsible Office: Office of Information Security (OIS)

Purpose and Scope

Northeastern University is committed to securing its data and to providing clear and concise guidance on protecting the many information technology (IT) systems we use. Given the widespread use and diversity of the IT systems employed within Northeastern University, it is paramount that a technology-agnostic set of standards is in place and uniformly applied across all IT systems.

This standard establishes the minimum physical protection criteria to carry out and meet the intent of the directives within Northeastern University’s Information Security Policy. This standard applies to all organizations (e.g., academic entities, entities other than Colleges and Departments, legally separate but wholly owned entities) of Northeastern University.

IT systems are considered in the scope of this standard if they utilize any of the following: Northeastern’s Network, ITS troubleshooting or administration, OIS incident response or investigation, or a Northeastern Microsoft account (e.g., @northeastern.edu).

Physical Protection Overview

This domain covers Physical Protection (PE). PE uses multiple security measures in a layered defense to limit physical access to the IT systems, equipment, and operating environments that contain Northeastern University data.

Roles and Responsibilities

The following high-level functional roles support the physical protection processes for IT systems. In some cases, there may be more than one functional role associated with a specific process or task; similarly, more than one person may perform some roles. The following describe the roles and responsibilities associated with physical protection within the Northeastern University environment.

Authorized Individual

Any appropriately cleared individual with a requirement to access a location where information is processed, transmitted, or stored.

Chief Information Security Officer (CISO)

Individual responsible for the overall Northeastern University information security program.

System Administrator

An organization or individual responsible for setting up and maintaining an IT system, appliance, or specific IT system elements. This role revolves around hands-on management of the IT system and is usually more technical in nature than the System Owner. System Administrators are also responsible for implementing approved secure baseline configurations, incorporating secure configuration settings for IT products, and conducting or assisting with configuration monitoring activities as needed.

Depending on the size of the IT system, these responsibilities can be split across multiple skill-based domains listed below. These domains can be managed by separate teams across Northeastern University depending on the skills necessary to carry out the listed responsibilities.

  • Infrastructure: manages any servers that are not aligned to a specific department, like security or network.
  • Network: manages all hardware and IT systems related to managing network communications.
  • Security: manages all IT systems that ensure and confirm the security of the environment (e.g., Sentinel, Defender, Tenable, Azure, Intune, Windows Cloud PC).
  • Desktop: manages the physical workstations and the software installed on them.
  • Identity: manages IT systems that control identity-based access, like Entra ID.

System Owner

An individual or organization responsible for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an IT system. The System Owner is also responsible for maintaining the appropriate operational security posture for an IT system or enclave and for ensuring the information assurance of a program or organization. Depending on the size of the IT system, these responsibilities can be assigned to someone with a role closely aligned to that of an Information System Security Officer.

The System Owner is also responsible for monitoring and granting physical access privileges for other authorized individuals.

Standard

This standard is scoped primarily around a subset of the National Institute of Standards and Technology (NIST) 800-171 controls to protect the confidentiality, integrity, and availability of information. The related NIST controls have been tagged (e.g., 3.10.1) in the text below to identify where each listed responsibility inherits its requirements from.

As the physical protection capability matures over time, additional controls may be considered to augment confidentiality and to address the availability and integrity of information. Additionally, when implementing the criteria of this document, organizations may choose to implement stricter criteria; however, the criteria cannot be lessened without a formal exception granted by the Northeastern University Chief Information Security Officer (CISO) as described in the Compliance section of this standard.

Limit Physical Access

(3.10.1) Physical Boundaries and Access Control

The System Owner is responsible for defining the physical boundaries of the organization’s information environments (e.g., IT systems, equipment, and operating environments). Physical boundary protections are required to prevent unauthorized access to IT systems processing Northeastern University data. To ensure physical boundaries are identified and protected, organizations will appoint a System Owner. The System Owner is responsible for developing, approving, and maintaining a list of authorized individuals (e.g., employees, faculty) with physical access to IT systems, and for managing access to the environment using physical access control devices (e.g., badge readers, electronic locks, physical locks). The System Owner is also responsible for reviewing all physical access authorization credentials annually, recording the date of the review and who performed it. The System Owner must review the physical visitor access records once per quarter, at a minimum.

(3.10.3) Visitor Access and Monitoring

Any individual requiring physical access to a Northeastern University information environment who is not on the approved access list is considered a visitor. Visitors to Northeastern University IT systems may include Northeastern University faculty, service teams, or students who are not on the information environment’s approved access list but have a valid business purpose for access.

The System Owner is responsible for permitting visitor access and for recording each visitor in the access logs prior to distributing temporary credentials (e.g., a visitor badge), so that visitor access can be monitored. Visitor temporary credentials must be conspicuously displayed so that visitors are easily identifiable throughout the environment until their departure. Additionally, an authorized individual is responsible for escorting all visitors within the Northeastern University IT system environment. To ensure visitors remain in the designated spaces for which they are authorized, the System Owner is responsible for employing means to monitor visitor activity (e.g., escorts, guards, CCTV, visitor log, physical access device logs) throughout the information environment.

(3.10.4) Physical Access Logs

The System Owner is also responsible for maintaining physical access logs of authorized individuals for a minimum of twelve months. These logs may be procedural (e.g., written visitor logs), automated (e.g., badge reader logs), or both. Logs should include sufficient information to identify who accessed the Northeastern University IT system environment and when it was accessed. These physical access logs should be reviewed by the System Owner once per quarter, at a minimum.

(3.10.5) Physical Access Device Management

The System Owner is responsible for defining and authorizing the physical access devices (e.g., badges, keys, combinations) that provide access to the IT system environment. The System Owner is responsible for issuing and revoking physical access devices using procedural (e.g., updated key assignment lists) or automated means (e.g., updating electronic access control lists). Additionally, the System Owner is responsible for securely storing and monitoring physical access devices prior to issuing them to an authorized individual. Once received, the authorized individual is responsible for securely controlling and storing any physical access devices assigned to them until the access device is returned to the System Owner. The System Owner is responsible for reviewing the physical access device list once a year.

Definitions

The following definitions have been derived from industry standard definitions provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary and, where appropriate, tailored for Northeastern University’s IT environment.

Information Technology (IT)

Computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit, or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software.

Organization

An entity of any size, complexity, or positioning within an organizational structure (e.g., school, department, lab, operational elements).

Visitor

An individual who enters a controlled environment and is not on the authorized access list.

Compliance

This standard complies with the directives defined in the Northeastern University Information Security Policy. The university recognizes that on rare occasions there may be compelling reasons to allow an organization to operate outside of the criteria defined in this standard, as derived from the Northeastern University Information Security Policy. To facilitate this consideration, the System Owner must submit a petition for a risk-based policy exception in writing, including supporting rationale, and forward it to the Northeastern University CISO for review and approval. All approved risk-based policy exceptions must be formally documented by the Northeastern University CISO and must indicate the exception duration (e.g., temporary, long-term). The Northeastern University CISO is responsible for disseminating and communicating all risk-based exception approvals and rescissions to the relevant stakeholders in a timely manner.

Change and Review Log

Document Version History

Date | Description | Version | Editor
12/23/2024 | Initial Draft | 0.1 | Esau Johnson
1/24/2025 | Manager review before stakeholder review | 0.2 | Brad Wing
9/3/2025 | Final draft approved by CISO | 1.0 | Brad Wing

Appendix A. Northeastern University Physical Protection Standard Summary

The table below summarizes the Northeastern University IT system environment minimum criteria for enabling physical protection capabilities within the Northeastern University IT system environments.

  • The first column, “Northeastern University Practice ID”, identifies the related Northeastern University practice ID as defined in NIST 800-171.
  • The second column, “Northeastern University Practice Statement”, states the Northeastern University practice that must be met for that control.
  • The third column, “Derived Requirement”, describes the requirement derived from the high-level Northeastern University practice statement. Derived requirements were developed from analysis of the intent of the practice and the logical components required to satisfy it. In some instances, a Northeastern University practice statement may be derived into several requirements that must be addressed to satisfy the practice.
  • The final column, “Northeastern University IT System Environment Criteria”, defines the minimum criteria (e.g., configurations, actions, responsibilities, practices) which the university will implement to satisfy the related Northeastern University practice.
Physical Protection Standards Summary Table

Each entry below gives the NU Practice ID and NU Practice Statement, followed by one bullet per Derived Requirement with its NU Environment Criteria.

3.10.1 Limit physical access to organizational IT systems, equipment, and the respective operating environments to authorized individuals.
  • Identify IT System Information Environments: The System Owner is responsible for defining the physical boundaries of the organization’s information environments (e.g., IT systems, equipment, and operating environments).
  • Identify Authorized Individuals: The System Owner is responsible for developing, approving, and maintaining a list of authorized individuals (e.g., employees, faculty) with physical access to IT systems.
  • Control Physical Access: The System Owner is responsible for managing access to the environment using physical access control devices (e.g., badge readers, electronic locks, physical locks); reviewing all physical access authorization credentials annually, recording the date of the review and who performed it; and reviewing the physical visitor access records once per quarter, at a minimum.

3.10.3 Escort visitors and monitor visitor activity.
  • Escort Visitors: Authorized individuals are responsible for escorting all visitors within the Northeastern University IT system environment.
  • Monitor Visitors: The System Owner is responsible for employing means to monitor (e.g., escorts, guards, CCTV, visitor log, physical access device logs) visitor activity throughout the information environment.

3.10.4 Maintain audit logs of physical access.
  • Maintain Physical Access Logs: The System Owner is responsible for maintaining physical access logs of authorized individuals for a minimum of twelve months. These logs may be procedural (e.g., written visitor logs), automated (e.g., badge reader logs), or both. These physical access logs should be reviewed by the System Owner once per quarter, at a minimum.

3.10.5 Control and manage physical access devices.
  • Identify Physical Access Devices: The System Owner is responsible for defining and authorizing the physical access devices (e.g., badges, keys, combinations) that provide access to the IT system environment.
  • Control Physical Access Devices (System Owner): The System Owner is responsible for securely storing and monitoring physical access devices prior to issuing them to an authorized individual.
  • Control Physical Access Devices (Authorized Individual): Authorized individuals are responsible for securely controlling and storing any physical access devices assigned to them until the access device is returned to the System Owner.
  • Manage Physical Access Devices: The System Owner is responsible for issuing and revoking physical access devices using procedural (e.g., updated key assignment lists) or automated means (e.g., updating electronic access control lists), and for reviewing the physical access device list once a year.

Appendix B. Physical Protection References

The following references are common industry standards used to carry out the physical protection criteria defined within this standard.

  1. National Institute of Standards and Technology (NIST) Special Publication 800-114. https://csrc.nist.gov/publications/detail/sp/800-114/rev-1/final
  2. Special Publication 800-12: An Introduction To Computer Security: The NIST Handbook. https://csrc.nist.rip/publications/nistpubs/800-12/800-12-html/chapter15.html