Other title: Physical and Environmental Protection Policy 2100-15

"Original Policy"--Page 11.; "Effective date: 12/22/2017."; Policy number: 2100-15.; Includes bibliographical references.The purpose of this policy is to provide physical and environmental protection (PE) requirements for Ohio Department of Administrative Services (DAS)-managed information systems and for the facilities in which they operate. Documented PE security controls are needed to ensure information systems are properly protected against physical and environmental threats. A glossary of terms found in this policy is located in Section 8.0 Definitions. In addition, references to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," family identifiers and control numbers are provided in parentheticals next to requirement headers, where applicable. The scope of this policy includes any DAS-managed information system and the facility in which it operates. This policy also applies to DAS data owners, system and service owners, and extends to external service providers. For the purposes of this policy, 'facility' refers primarily to physical locations containing concentrations of DAS-managed information system resources including, for example, data centers, server rooms, rooms containing sensitive network, telecommunications, or electrical equipment, and mainframe computer rooms. 'Managed service partner facility' refers to these same physical locations when operated by an external entity through agreement with DAS. This policy is intended to detail required physical and environmental security controls, but is not intended to supersede local or state building regulations, or fire or electrical codes