28 CFR § 700.24 - Security of systems of records.
(a) The Office Administrator or Security Officer shall be responsible for issuing regulations governing the security of systems of records. To the extent that such regulations govern the security of automated systems of records, the regulations shall be consistent with the guidelines developed by the National Bureau of Standards.
(b) The Office shall establish administrative and physical controls to prevent unauthorized access to its systems of records, to prevent the unauthorized disclosure of records, and to prevent the physical damage or destruction of records. The stringency of such controls shall reflect the sensitivity of the records the controls protect. At a minimum, however, the Office's administrative and physical controls shall ensure that -
(1) Records are protected from public view,
(2) The area in which records are kept is supervised during business hours to prevent unauthorized persons from having access to the records, and
(3) Records are inaccessible to unauthorized persons outside of business hours.
(c) The Office shall establish rules restricting access to records to only those individuals within the Office who must have access to such records in order to perform their duties. The Office also shall adopt procedures to prevent the accidental disclosure of records or the accidental granting of access to records.