Document Name: ACHE Facility Security Procedures
Approved: Dec 16, 2021 by IIB
This document specifies the procedures for bringing people and equipment in and out of a secured facility for processing or storing sensitive data, such as ePHI (electronic Personal Health Information) and CUI (Controlled Unclassified Information), covered by regulations like HIPAA.
This applies to facilities operated by the NCSA for handling sensitive data, such as the Advanced Computational Health Enclave.
NCSA will track approvals and changes made to the applicable environment, keeping records for 6 years or from the inception of the program. Each step of the following workflows is approved by a member of the NCSA Staff with ACHE Access (for ePHI, this is the NCSA Covered Entity) while logged in with their personal credentials, and each approval sends emails to the approver and other relevant parties.
Please note that in the following procedures, the NCSA CISO is assumed to also be the NCSA HIPAA Liaison.
The building manager has the only physical key and can use it to allow access for emergency personnel or if the electronic access control mechanism is broken. In these cases, they log access afterwards with a ticket assigned to the CISO subject "Emergency Access for the ACHE". This tells who was let in, when, and why. No one is left unescorted if they are not part of the NCSA Staff with ACHE Access.
All other access is made with an electronic control that identifies each person individually. People given electronic access must be a part of the NCSA Staff with ACHE Access. The workflow for granting access is as follows.
The process for removing access can be triggered either via a role change from staff to non-staff (e.g., during the employee exit process) or at the request of the CISO.
Maintenance requests start with the building manager who works with Facilities & Services. The process for non-emergency maintenance is as follows.
If there is a disaster that causes the access control mechanisms to fail open, University staff may or may not be allowed near the facility for some time. When they are allowed back, the building manager is responsible for providing physical security to any remaining systems until controls are restored. This may mean that a person within the NCSA Staff with ACHE Access is physically watching the area or that equipment is moved to secure, offline storage.
The response must be documented and given to the CISO. This documentation must include:
A request to modify physical security controls can start with the building manager, Security Office or CISO. The workflow is as follows.
If equipment with sensitive data (ePHI, CUI, etc.) is moved, it must stay within the secured facility or be moved to another secured facility. The following process is followed.
Media must be sanitized before disposal outside of the secure facility. This includes returning disks to vendors or repurposing equipment.
Wiping is done on a dedicated workstation by a method approved by the Security Office.
Anyone in the NCSA Staff with ACHE Access may initiate the process to remove media from the facility, but it follows the following process.
The requestor will place the media in the provided secure container.
Container shall be locked with a key kept in the secure area.
Security team will transport secure container for wiping / destruction.
The security team will unlock with second key kept at wiping / destruction station.
Each device will be wiped or destroyed per Security Office policy
The person wiping the media will electronically record the details of the wiped media and when it was sanitized. Then they will return the secure container to the secure area.
The media is given to the building manager who closes the workflow and sends the drive on. If necessary, they have the original requestor fill out the RMA paperwork.