SEC-S003 Data Center Access Standard

  1. OBJECTIVE: 
    1. This document has been developed to ensure a secure Data Center environment and must be followed by anyone working in the Data Center. It is important that any department/project desiring the installation of servers or other computer hardware in the Data Center fully understand and agree to this document.
  2. RESPONSIBILITY:
    1. Director, Information Technology Security
  3. APPROVAL AUTHORITY:
    1. Associate Vice President and Chief Information Officer for Information Technology
  4. SCOPE:
    1. ​​​​​​​This document applies to all Austin Peay State University faculty and staff, contractors, vendors, and all others with a validated need to access resources in the Data Center. The Information Technology (OIT) Infrastructure Services team is responsible for managing and maintaining the Data Center.  The Director of Information Technology Security is responsible for managing and maintaining access to the Data Center. The Chief Information Officer has full access rights to the Data Center along with the ability to re-designate access control and authority as needed. Questions, concerns, or suspicions of non-compliance are to be reported to the Director of Information Technology Security. 
  5.  ​​​​​​​DEFINITIONS:
    1. OITOffice of Information Technology
    2. Data Center: Room 104 Maynard (Inside Room 105) - The data center is the physical university facility composed of networked computers and storage used by the university to organize, process, store and disseminate university data.  This room along with the UPS room (103) is a restricted area requiring the Data Center Access Standard.
  6. REQUIREMENTS:
    1. Overview
      1. Security for the Data Center is the Responsibility of the Office of Information Technology (OIT). The Director of Information Technology Security is responsible for the administration of this policy. The following are the standards and procedures that govern access to this area.
    2. Primary Guidelines
      1. The Data Center is a restricted area requiring a much greater level of control than normal non-public university spaces. Only those individuals who are expressly authorized to do so may enter this area. Access privileges will be granted to individuals who have a legitimate university need to be in the Data Center. Furthermore, this area may only be entered to conduct authorized university business.
      2. Any questions regarding these university procedures should be addressed with the Director of Information Technology Security.
      3. An exception allowing suspension of the rules in this document occurs if it becomes necessary to provide emergency access to medical, fire and/or police officials or in the event of a catastrophic event such as earthquake, flood or other “acts of God” that requires a university wide effort to remediate.
    3. Levels of Access to the Data Center
      1. There are 3 Levels of Access to the Data Center — Privileged Access, Escorted Access, and Limited Access.
        1. Privileged Access is given to people who have 24/7 access authority into the Data Center. Privileged Access is granted to the Austin Peay State University OIT staff whose job responsibilities require that they have routine access to this area.  This access is given by authorizing card swipe access into the Data Center room (104), and UPS room (103). 
          1. Individuals with Privileged access to the area may allow properly authorized individuals Escorted access to the Data Center. The individuals being escorted must sign in to the Data Center Visitor Log located in the Data Center room (104). If a person with Privileged Access allows Escorted access to an individual, the person granting access is responsible for escorting that individual and ensuring that proper protocol is followed.
        2. Escorted Access is closely monitored access given to people who have a legitimate university need for infrequent access to the Data Center. "Infrequent access" is generally defined as access required for less than 15 days per year. Individuals with Escorted Access will not obtain card swipe access to the Data Center.
          1. A person given Escorted Access to the area must sign in and out to the Data Center Visitor Log located in the Data Center room (104) under the direct supervision of a person with Privileged Access, must provide positive identification upon demand, and must leave the area when requested to do so.
        3. Limited Access is granted to an individual who does not qualify for Privileged Access but has a legitimate business reason for unsupervised access to the Data Center.  This access is given by authorizing card swipe access for a defined number of days and hours per day into the Data Center room (104).   Card swipe access for Limited Access to an individual is defined and approved by the Director of Information Technology Security.
    4. Data Center Doors
      1. ​​​​​​​​​​​​​​All doors to the Data Center must remain locked at all times and may only be temporarily opened for periods not to exceed that minimally necessary in order to:​​​​​​​
        1. Allow officially approved and logged entrance and exit of authorized individuals;
        2. Permit the transfer of supplies/equipment as directly supervised by a person with Privileged Access to the area;
        3. To prop open the doors to the Data Center ONLY if it is necessary to increase airflow into the Data Center in the case on an air conditioning failure. In this case, staff personnel with Privileged Access must be present and limit access to the Data Center.
    5. Exception Reporting
      1. All infractions of the Data Center Access Standard must be reported to OIT. If warranted (e.g.: emergency, imminent danger, etc.), campus police should be notified as soon as is reasonably possible.
      2. When an unauthorized individual is found in the Data Center it must be reported immediately to a member of OIT. If this occurs during the evening hours, the Director of Infrastructure Services or the Director of Information Technology Security should be contacted. They will determine if the campus police should be contacted.
      3. The unauthorized individual should be escorted from the Data Center and a full written report should be immediately submitted to the Director of Information Technology Security.
      4. Individuals with Privileged Access to the area are to monitor the area and remove any individual who appears to be compromising either the security of the area or its activities, or who is disrupting operation. It is particularly important that individuals with Privileged Access show initiative in monitoring and maintaining the security of the Data Center.
    6. Requesting Access to the Data Center
      1. Departments/projects that have computer equipment in the Data Center may request access to the Data Center. The individuals designated by the requesting department/project will be granted access upon authorization by the Director of Information Security.
      2. When an employee who has access to the Data Center terminates his employment or transfers out of the department, the Director of Information Security must be notified as soon as possible by the employee’s supervisor so that access to the Data Center can be removed. This is extremely important in cases where the employee was terminated for cause.
    7. General Data Center Operations Procedures for Departments and Projects
      1. ​​​​​​​​​​​​​​​​Hosting Procedures for Data Center Capacity Planning:​​​​​​​ The Director of Infrastructure Services must be consulted for any new equipment to be installed in the Data Center. It is advisable to consult as early as possible (preferably months before actual equipment is ordered), to confirm your equipment actually can be hosted.
      2. Procedures on Infrastructure Work In the Data Center: The Director of Infrastructure Services must be notified of all work pertaining to infrastructure changes in the Data Center. This includes activities such as equipment installation/removal, construction or any activity that adds/removes assets to/from the Data Center.
      3. Safety Procedures: All individuals in the Data Center must conduct their work in observance with all applicable (i.e.: campus, state, federal) Procedures related to safety.
      4. Cleanliness Procedures: The Data Center must be kept as clean as possible. All individuals in the Data Center are expected to clean up after themselves. Boxes and trash need to be disposed of properly. Tools must be replaced to their rightful place.Food and drink are not allowed in the Data Center.
      5. Procedures for Data Center Equipment Deliveries/Pick-Up:
        1. Any department that is planning to have equipment delivered to or picked up from the Data Center should contact the Director of Infrastructure Services and provide details in advance of delivery/pick-up.
        2. Please provide The Director of Infrastructure Services with the following information for the equipment log:
          1. For the delivery of equipment: Expected day of delivery; P.O. number for the equipment (if known); Vendor name and description of the equipment; Person to be contacted when the equipment arrives
          2. For the pick-up of equipment: Expected day the equipment will be picked up; Vendor name and the description and location of the equipment up; Name of person to be notified once equipment is picked up.
    8. Data Center Access Audit of Privileged Access and Limited Access Users​​​​​​​​​​​​​​
      1. The Director of Information Security will maintain a list of all university employees that have been granted Privileged Access and Limited Access to the Data Center.   Information maintained for each user will include their name, type of access granted (Privileged Access or Limited Access), department, supervisor, date access was granted, date access was terminated, date the access was re-authorized, and reason for access termination.
      2. The Director of Information Security will request the door access report from Physical Plan for the Data Center on a bi-annual schedule (January and July) and will correlate this report with the active users on the IT Security list.  Any differences will be documented and addressed.
      3. the Director of Information Security will provide the list of active users on the IT Security list bi-annually (January and July) to the listed supervisors.  Supervisors will be given two weeks to re-authorize users within their units.  If a supervisor does not respond by the end of the two week period, all authorized users in their unit will be de-authorized until the response is received.
      4. All audits of Data Center access will be maintained by the Director of Information Security in secured file storage.
  7. ASSOCIATED DOCUMENTS:
    1. ​​​​​​​4:042 Information Security and Data Classification Policy
    2. 4:029: Acceptable Use of Information Technology Resources
  8. RECORD RETENTION TABLE:​​​​​​​

Identification

Storage

Retention

Disposition

Protection

OITManagers file share

Electronic

Perpetual

Delete

Electronic Back-up

      9. RECORD RETENTION TABLE:

Date:

Rev.

Description of Revision:
01/01/2018 1.0 Initial Release
05/20/2020 1.1 Reviewed and Updated
08/16/2021 1.2 Reviewed, Updated, Reformatted

 

Print Article