PURPOSE:
This Physical Security Policy outlines the standards and procedures for maintaining a secure physical environment at all Idaho College of Osteopathic Medicine (ICOM) (the “Institution”) facilities and properties. The purpose of this policy is to protect the safety and well-being of students, faculty, staff, patients (if applicable), and visitors; to safeguard institutional assets, equipment, and infrastructure; to prevent unauthorized access, theft, vandalism, and other physical security threats; and to ensure a safe and conducive learning, research, and working environment. Effective physical security is essential for maintaining operational continuity, protecting sensitive information in physical form, and preserving the Institution's reputation. This policy applies to all Institution-owned, leased, or controlled buildings, grounds, and facilities (with some exceptions).
SCOPE:
This policy applies to all physical locations and properties owned, leased, or operated by ICOM (with some exceptions), including but not limited to:
- Academic buildings and classrooms
- Research laboratories and facilities
- Administrative offices
- Clinical facilities or patient care areas (if applicable)
- Libraries and learning resource centers
- Data centers and server rooms
- Storage areas and facilities
- Parking areas and grounds
- Any other Institution-controlled physical space.
Exceptions to this policy include any physical space leased or controlled by ICOM on a temporary basis, such as off-campus student housing; convention centers or arenas leased for special events, short term courses of instruction, or for any other such transient uses.
This policy applies to all individuals present on Institution properties, including but not limited to:
- Faculty
- Staff
- Administrators
- Students
- Patients (if applicable)
- Visitors
- Contractors
- Vendors
- Guests
- Any individual on Institution property.
DEFINITIONS:
- Access Badge/Key Card: A physical card or electronic credential used to gain authorized entry to buildings, rooms, or areas.
- Asset (Physical Asset): Tangible property owned or controlled by ICOM, including buildings, equipment, furniture, vehicles, and other physical resources.
- Cloud-Based Close-Circuit Television (CCTV) System: A cloud-hosted video surveillance system that uses cameras to transmit video signals to a limited set of monitors, typically for security and surveillance purposes.
- Clean Desk Rule: A rule requiring individuals to clear their workspaces of sensitive and confidential information at the end of the workday or whenever they leave their workspace unattended for extended periods.
- Controlled Access Area: A designated physical space where entry is restricted to authorized personnel through the use of access control mechanisms.
- Emergency Exit: A designated exit route specifically for use during emergencies, such as fires or evacuations. Emergency exits are typically marked with illuminated signs and equipped with panic hardware.
- Perimeter Security: Security measures implemented at the boundaries of ICOM properties to deter and detect unauthorized access. This may include fencing, gates, lighting, and landscaping.
- Restricted Area: A physical area within ICOM facilities where access is limited to specifically authorized individuals due to security concerns, confidentiality requirements, or the presence of sensitive assets or equipment.
- Sensitive Asset: Physical assets that require a higher level of protection due to their value, confidentiality, criticality, or potential for misuse. Examples may include research equipment, medical supplies, controlled substances (if applicable), or records containing sensitive information.
- Visitor: Any individual who is not a student, faculty member, or staff member of ICOM and who is present on ICOM property.
- Visitor Badge: A temporary identification card issued to visitors upon registration, indicating their authorized presence on ICOM property.
POLICY:
Access Control: Access to Institution facilities and areas will be controlled to ensure that only authorized individuals are permitted entry, and to protect sensitive areas and assets. Access control measures will include:
- Key Card/Access Badge System: Utilizing a key card or access badge system for entry to buildings, restricted areas, and after-hours access. Access cards/badges will be issued to authorized personnel and students based on their roles and needs.
- Locks and Keys: Utilizing physical locks and keys for offices, laboratories, classrooms, storage areas, and other secure spaces. Key management procedures will be in place to control key issuance, accountability, and rekeying processes.
- Visitor Management Procedures: Implementing visitor management procedures for all buildings, requiring visitors to sign in, present identification, state their purpose of visit, and obtain visitor badges. Visitors must be escorted at all times while in the building.
- Restricted Areas: Designating certain areas as restricted access (e.g., data centers, server rooms, research labs, areas with sensitive equipment, records storage). Access to restricted areas will be limited to authorized personnel only and may require additional security measures (e.g., dual authentication, specific authorization).
- After-Hours Access Control: Implementing specific procedures for after-hours access to buildings and facilities, requiring access badges, authorization, and potentially security escort or monitoring.
Surveillance and Monitoring: Surveillance and monitoring systems will be utilized to enhance physical security, deter unauthorized activities, and aid in incident investigation. Surveillance measures may include:
- Cloud-Based CCTV Systems: Deploying cloud-based CCTV cameras in strategic locations throughout campus and facilities to monitor entrances, exits, hallways, common areas, parking areas, and sensitive locations. Cloud-based CCTV systems will be actively monitored and recordings will be securely stored for a defined period, in accordance with privacy policies and legal regulations.
- Alarm Systems: Utilizing alarm systems for buildings, perimeter security, and specific areas requiring enhanced security (e.g., alarm systems for doors and windows in sensitive areas, panic alarms in designated locations). Alarm systems will be monitored and responded to by security personnel or designated responders.
- Security Patrols: Conducting regular security patrols of the main campus building, grounds, and parking areas by security personnel or designated staff, especially during non-business hours. Patrols will be conducted to deter unauthorized activity, identify security vulnerabilities, and respond to incidents.
Environmental Security: Measures will be taken to protect facilities from environmental threats and hazards:
- Fire Detection and Suppression Systems: Maintaining functional fire detection and suppression systems (fire alarms, sprinklers, fire extinguishers) in all buildings, in accordance with fire codes and safety regulations. Regular inspections and maintenance of fire safety equipment will be conducted.
- Flood and Water Damage Prevention: Implementing measures to mitigate flood and water damage risks, especially in areas with critical infrastructure or sensitive equipment (e.g., proper drainage, water sensors in server rooms, elevated equipment).
- Climate Control and Environmental Monitoring: Maintaining appropriate temperature and humidity levels in sensitive areas (e.g., data centers, server rooms, research labs, storage for sensitive materials). Implementing environmental monitoring systems (temperature, humidity sensors) in critical locations and establishing alerts for environmental anomalies.
- Emergency Power Systems: Maintaining backup power systems (generators, UPS systems) for critical infrastructure and systems to ensure continuity of operations during power outages.
Asset Protection: Measures will be in place to protect institutional assets from theft, damage, and unauthorized use:
- Equipment Security: Securing valuable equipment and assets (e.g., laptops, projectors, medical equipment, research equipment) with physical locking mechanisms, cable locks, or secure storage when not in use.
- Inventory Management: Maintaining an inventory of valuable and sensitive assets to track their location and accountability, and to facilitate asset recovery in case of theft or loss.
- Sensitive Material Handling and Storage: Establishing secure procedures for handling, storing, and transporting sensitive materials (e.g., research samples, controlled substances – if applicable, confidential documents, PHI in physical form). Secure storage areas with access controls and monitoring may be required.
- Data Security for Physical Media: Implementing procedures for the secure storage, handling, transport, and disposal of physical media containing sensitive data (e.g., hard drives, tapes, USB drives, paper documents). Secure shredding or destruction methods will be used for disposal of sensitive physical media.
- Clean Desk Rule: Implementing a Clean Desk Rule to minimize the risk of unauthorized access to sensitive information left unattended in work areas. Users will be required to secure sensitive documents and media when leaving their workspace unattended, especially at the end of the workday.
Personnel Security Awareness: Promoting physical security awareness among all members of the Institution community is crucial:
- Physical Security Awareness Training: Providing regular physical security awareness training to faculty, staff, and students, covering topics such as:
- Access control procedures and badge usage.
- Visitor management protocols.
- Reporting suspicious activity.
- Emergency procedures (fire, medical, security threats, active shooter).
- Personal safety tips and crime prevention.
- Clean desk rule and physical data security.
- Emergency Procedure Training and Drills: Conducting periodic training and drills for emergency procedures (fire drills, evacuation drills, active shooter drills – if deemed appropriate and in consultation with security experts and local law enforcement).
Visitor Management and Control: Procedures for managing and controlling visitors on campus will be implemented:
- Visitor Registration and Identification: Requiring all visitors to register at designated points of entry (e.g., reception desks, security stations) and state their purpose of visit.
- Visitor Badges: Issuing clearly identifiable visitor badges to all registered visitors, which must be worn visibly at all times while on campus.
- Escort Requirements: Requiring visitors to be escorted by a faculty or staff member when accessing certain areas or attending meetings in specific locations (depending on risk assessment and area sensitivity).
- Visitor Parking and Access Restrictions: Designating specific parking areas for visitors and restricting visitor access to non-public areas of campus.
- Contractor and Vendor Access: Establishing specific procedures for managing access for contractors and vendors, including background checks (where appropriate and legally permissible), access limitations, and supervision requirements.
Emergency Response and Procedures: Clear procedures will be established and communicated for responding to physical security emergencies:
- Emergency Contact Information: Clearly displaying and widely disseminating emergency contact information (security, campus police/emergency services, medical emergency contacts).
- Emergency Evacuation Plans: Developing and posting emergency evacuation plans for all buildings, outlining evacuation routes, assembly points, and procedures for assisting individuals with disabilities.
- Emergency Communication Systems: Utilizing emergency communication systems (e.g., campus-wide alert systems, public address systems, emergency notification apps) to communicate urgent information and instructions during emergencies.
- First Aid and Medical Emergency Response: Ensuring availability of first aid resources and trained personnel on campus to respond to medical emergencies. Establishing procedures for contacting emergency medical services (EMS) when needed.
- Security Incident Reporting Procedures: Establishing clear procedures for reporting security incidents, suspicious activities, or policy violations to security personnel or designated authorities.
- Active Shooter/Active Threat Response Plan: Developing and communicating an Active Shooter or Active Threat Response Plan (if deemed necessary and appropriate based on risk assessment), in consultation with security experts and local law enforcement. This plan should be aligned with recommended best practices (e.g., “Run, Hide, Fight”).
Policy Exceptions: Exceptions to this Physical Security Policy may be granted in limited circumstances by the Director of Campus Security, with appropriate justification, risk assessment, and documented approval. Exceptions should be rare and subject to periodic review and compensating security measures must be implemented where possible.
ENFORCEMENT:
Enforcement of this Physical Security Policy is the responsibility of all members of the ICOM community, with primary responsibility resting with the Campus Security Department. Failure to comply with physical security policies and procedures, compromising physical security controls, or other policy violations may result in disciplinary actions, up to and including warnings, restrictions on access privileges, and termination of employment or student status, and potential legal consequences, depending on the nature and severity of the violation and consistent with other institutional policies and procedures. The Campus Security Department will monitor compliance with this policy, conduct regular security assessments, and investigate reported violations or security deficiencies.
POLICY REVIEW AND UPDATES:
This Physical Security Policy and associated procedures will be reviewed and updated at least annually, or as needed to reflect changes in campus facilities, security threats, best practices in physical security, regulations, institutional risk assessments, emergency response protocols, or business needs. Campus Security is responsible for coordinating policy reviews and updates, in consultation with relevant stakeholders (e.g., IT Department, Information Security Office, Student Affairs, Facilities, Legal Counsel, local law enforcement/emergency services).
PRIMARY POLICY OWNER:
Director of Campus Security
APPROVAL:
Effective: 4/30/25
Last Reviewed: 4/30/25
Review Requirement: Annual