Policy Number: 18.104.22.168
Category: Information Technology
Effective: April 24, 2019
Revision History: Replaces Data Center Access Policy originally effective January 10, 2018
Review Date: April 23, 2022
PURPOSE AND SCOPE
The purpose of this Policy is to establish the physical and environmental protections to secure the University Data Centers that support the University’s Enterprise Activities at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Data Centers”).
This Policy applies to the operation of all University Data Centers as well as those individuals who are granted access to a University Data Center. This Policy does not include server rooms that feature only one source of servers, network links, or other components and have partial or no redundancy on any parts of power or cooling operations.
UNIVERSITY DATA CENTERS
- A University Data Center is a facility, or portion of a facility, with the
primary function to house data processing equipment and meets the following
- Features N+1 Fault Tolerance;
- Provides at least 72 hour power outage protection;
- Has no more than 1.6 hours of downtime per year; and,
- Can undergo routine maintenance without affecting operation; however, unplanned maintenance and emergencies may affect operations.
- Under Exhibit A, the University has designated all University Data Centers.
- The University will seek to secure University Data Centers according to generally accepted information technology standards, such as National Institute of Standards and Technology (NIST) Special Publication 800-171.
- Each University Data Center must be located to minimize potential damage from Environmental Hazards and Unauthorized Access.
- Pursuant to the Acceptable Use of Data and Technology Resources Policy, each University Data Center must only be used for its intended function, which is to house and protect University data and technology systems.
- To ensure proper operations of and minimize damage to University Data Centers and the equipment therein, all Data Center Assets must be tracked and monitored on a Data Center Asset Inventory.
- In University Data Centers equipped with cameras, the activities therein will be recorded. Pursuant to the University Record Retention Policy and Schedule, videos will be retained no less than thirty (30) days.
- A University Data Center is a facility, or portion of a facility, with the primary function to house data processing equipment and meets the following criteria:
DATA CENTER COORDINATOR RESPONSIBILITIES
- Each University Data Center must have a named Data Center Coordinator (“DCC”)
responsible for securing University Data Centers according to the University
Data Center Security Standard including:
- Establishing procedures to request and approve access;
- Maintaining a Data Center Asset Inventory;
- Creating and posting Data Center Safety Guidelines; and,
- Maintaining a list of Authorized Individuals.
Exhibit A, the University has designated all DCCs.
- Each University Data Center must have a named Data Center Coordinator (“DCC”) responsible for securing University Data Centers according to the University Data Center Security Standard including:
PHYSICAL ACCESS AUTHORIZATIONS
. Each DCC will approve unescorted access to a University Data Center for
individuals that require a physical presence within the data center to conduct
activities, including but not limited to:
- System administration;
- Installation or de-installation of equipment;
- Emergency response (e.g., police, fire department);
- Facility system maintenance (e.g., electronic, fire suppression, air conditioning); and,
- Core infrastructure responsibilities.
- Visitors. Each DCC may grant an individual temporary access to a University Data Center. Those individuals will be considered a Visitor.
- Visitors must always be escorted by an Authorized Authorized Individual and be restricted, as much as is reasonably possible, to the area where the Visitor’s equipment and/or systems are located.
- All Authorized Individuals and Visitors granted access to a University Data Center are responsible for adhering to the posted Data Center Safety Guidelines.
- Authorized Individuals . Each DCC will approve unescorted access to a University Data Center for individuals that require a physical presence within the data center to conduct activities, including but not limited to:
UNAUTHORIZED ACCESS AND UNIVERSITY DATA CENTER MISUSE
Access to a University Data Center by anyone other than an Authorized Individual or an escorted Visitor is considered Unauthorized Access.
Failure to comply with the Data Center Security Standard or the Data Center Safety Guidelines is considered misuse of a University Data Center and must be reported to the DCC immediately. Misuse includes, but is not limited to the following:
- Leaving a University Data Center door unsecured;
- Unauthorized photography within a University Data Center;
- Failure to provide two forms of identification and sign in when accessing a University Data Center;
- Group entry into a University Data Center using a single authorized card; or,
- Entering a University Data Center unescorted by an Authorized Individual.
- “Authorized Individual” means a person with unescorted access to a University Data Center such as a DCC or a vendor conducting maintenance.
- “Data Center Assets” means the components located within a specific University Data Center including, but not limited to, virtual machines, servers, blade systems, network devices, UPS, rack power distribution units (“PDUs”), and uninterruptible power supply ("UPS") system(s).
- “Data Center Asset Inventory” means an inventory that provides detailed information of the Data Center Assets located within a University Data Center and classifies the assets in accordance with business criticality. It is the decision of each DCC as to how inventory for each University Data Center will be maintained, provided it offers the ability to add, assign, locate, and remove all assets within each DCC’s responsibility.
- “Data Center Coordinator (DCC)” means the University employee responsible to protect and oversee a University Data Center according to the Data Center Security Standard.
- “Enterprise Activities” means the activities that support the academic, administrative, outreach, and research missions of the University that are supported by Information Technology Services and/or Health Sciences Information Technology Services.
- “Environmental Hazards” means a substance, state, or event that has the potential to threaten a data center including, but not limited to, flooding, fire, tornadoes, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation.
- “N+1 Fault Tolerance” means parallel redundancy is in place to ensure that an uninterruptible power supply (“UPS”) system designed to provide consistent power for infrastructure plus another UPS system to act as a backup power generator in case of emergencies.
- “Unauthorized Access” means access to a University Data Center that has not been approved by the appropriate DCC.
- “Uninterruptible Power Supply (UPS)” means a system that provides a continuous supply of power to a load, utilizing stored energy when the normal source of energy is not available or is of unacceptable quality. A UPS will provide power until the stored energy of the system has been depleted or an alternative or the normal source of power of acceptable quality becomes available.
- “Visitor” means a person granted escorted access to a University Data Center (e.g., tour participant, student).
ENFORCEMENT & INTERPRETATION
- Any employee who violates this Policy will be subject to appropriate disciplinary action.
- Any Student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
- Any individual affiliated with the University who has access to a University Data Center and violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.
- The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
- Responsibility for interpretation of this Policy rests with the Chief Information Officer.
AUTHORITY & REFERENCES
BOG Governance Rule 1.11 - Information Technology Resources and Governance
- All other University policies are also applicable to the electronic environment. Relevant institutional policies include, but are not limited to:
- BOG Governance Rule 1.11 - Information Technology Resources and Governance