VII:01:26 Information Technology Physical Access Policy

Purpose

This policy provides guidance on physical protection of data, information, equipment, and resources within the Information Technology (IT) environment for all Volunteer State Community College locations. Compliance with this policy ensures Vol State’s information assets, systems, and services are protected against unauthorized use, disclosure, modification, damage, and loss.

Definitions

For the purposes of this policy, the following definitions shall apply:

  1. Data Center – a specialized, restricted area facility that houses critical information technology infrastructure, including servers, storage systems, networking equipment, and related components, designed to provide a secure and reliable environment for the equipment used to provide and support the campus networks and systems.
  2. Information Technology Resources – all Volunteer State Community College information technology hardware assets, software assets, computing systems, networks, network components, facilities, services, data, and information, regardless of location, provider, management, medium, or how the resource is provided/delivered, that exists for the purpose of conducting business or academic activities. This includes, but is not limited to, computers, servers, mobile devices, email systems, internet access, cloud-based applications, databases, and any associated peripherals or support services.
  3. Software – the computer programs, procedures, and associated documentation and data that instruct computer hardware to perform specific tasks. This includes, but is not limited to, operating systems, applications, utilities, and any digital code used to operate computer systems and devices.

Policy

  1. Vol State Datacenters are considered “Restricted Access Areas”. Vol State IT closets/communications rooms are considered “Limited Access Areas”. Any damage or theft in these areas could severely impact critical Vol State communications. Theft of equipment or data storage in any Restricted Access Area could result in the loss of confidential information and/or personally identifiable information (PII).
  2. The IT Department shall:
    1. Develop, approve, and maintain a list of individuals with authorized access to the facilities where Vol State systems reside, review the list at least annually, and remove individuals when access is no longer needed.
    2. For authorized visitors at the facilities, validate identity in accordance with local procedures before granting access. Ensure visitors sign in/out on the facility log. Maintain the logs for at least one year.
    3. Perform security checks of the facilities at least quarterly.
  3. The Chief Information Officer (CIO) or their designee has the final authority to interpret the terms of this policy. The CIO or their designee may grant exceptions to this policy, in writing, based on an evaluation of the risks versus the benefits.  

 

TBR Source:  none.

VSCC Source: June 7, 2010, President’s Cabinet; August 13, 2025, President’s Cabinet.