Standard Number: IT.2.2.1S
Category: Information Security
Owner: Information Technology Services
Effective: April 23, 2019
Revision History: None
Review Date: April 22, 2022
Owner: Information Technology Services
Effective: April 23, 2019
Revision History: None
Review Date: April 22, 2022
PURPOSE, SCOPE AND RESPONSIBILITIES
- As identified in the Data Center Security Policy, all University Data Centers must be secured by limiting access to and establishing rules for individuals who are granted Authorized Access to a University Data Center. The purpose of this Standard is to establish minimum requirements that will ensure the physical and environmental security of University Data Centers and the Data Center Assets located within.
- This Standard is based on the Physical and Environmental Protections Family within NIST Special Publication 800-171 and applies to all University Data Centers and all individuals who are granted Authorized Access a University Data Center.
- The ITS Executive Director for Enterprise Infrastructure is responsible for implementing and enforcing this Standard. Each Data Center Coordinator (“DCC”) is responsible for implementing and enforcing the requirements of this Standard.
- All individuals with Authorized Access to a University Data Center must follow the requirements outlined in this Standard. Failure to do so will result in loss of access.
- Entrance doors must remain closed and locked 24/7. Doors may not be left open or unmonitored for any purpose including installing cable or equipment. If an emergency occurs, such as failure of environmental controls, that requires the doors to be left open to support air flow, a DCC or a designee must remain posted at the entrance to the data center until the doors can be closed.
- Entrance door(s) must be equipped with an electronic lock that requires both a card swipe and a PIN that audits access. When a physical key is used to open a University Data Center lock, an alert must be sent to the DCC.
- Keys, combinations, and other ways to physically access a University Data Center must be secured. DCCs must change combinations/keys when personnel change.
- A valid identification card and PIN must be entered to access a data center. Multiple individuals may not enter a data center using one individual’s card.
PHYSICAL ACCESS AUTHORIZATIONS
- Each University Data Center must have an established access request process that provides the DCC the ability to review and approve individuals to access a data center.
Authorized Individuals granted unescorted access to a University Data Center must:
- Carry and be prepared to present a valid University identification card or a vendor identification card when in the data center;
- Swipe a valid identification card and enter PIN upon entry to a data center. Multiple individuals may not enter a data center using one individual’s card; and,
- Ensure that Visitors do not handle, damage, or reconfigure existing Data Center Assets in an unauthorized manner.
Visitors granted temporary, escorted access to a University Data Center must:
- Carry and be prepared to present valid identification when in the data center;
- Request access from the DCC at least 24 hours in advance. Unscheduled visits may be denied by the DCC;
- Sign in upon entry and sign out upon exit of the data center, providing the reason for visit. Signing in and signing out is mandatory; and,
- Always be escorted by an Authorized Individual.
PHYSICAL ACCESS MONITORING
- Penetration testing must be conducted annually to ensure physical security controls are working as intended and cannot be bypassed or circumvented.
- Door access logs must be maintained for a minimum of one year and reviewed quarterly.
- A list of Authorized Individuals with physical access must be maintained identifying the reason for access. Access list must be audited regularly. Audits are preferred to be done quarterly but must be done at least annually. Audits include reviewing access logs to detect possible Information Security Events. Anyone who fails an audit for any reason or who no longer requires access to the data center must have their access removed.
- Visitors’ log must be kept in a locked cabinet with access limited to DCC. DCC must review visitor logs on a quarterly basis. Visitors’ logs must be kept for one year at minimum.
- Entry door(s) must be monitored (e.g., video surveillance, still photography) to ensure only Authorized Individuals access data center. Surveillance must allow for local and remote surveillance of secured and public spaces. Recording device must be in a secure area. All video recordings or photographs must be saved no less than 30 days.
- Assets within a University Data Center must be situated in a safe location where conditions are met for proper operation and minimize unnecessary access that may cause damage to assets.
- All assets used within a University Data Center must meet the University-Owned Device Standard, the Secure Server Standard, and/or the Bring Your Own Device Standard.
- A Data Center Asset Inventory must be kept that reflects current assets within the University Data Center. The inventory must be reviewed annually to conduct status check of the assets, generating a report indicating the assets reviewed and condition.
- All assets that have reached the end of their life cycle must be removed from use and be sanitized according to the Device Sanitization Standard.
- Only Authorized Individuals may connect or disconnect any Data Center Asset.
- All installations or removal of Data Center Assets must be formally documented and reviewed by the DCC.
- Deliveries and/or removal of assets must be indicated on access logs. Deliveries should be delivered to the DCC.
- Power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.
- Rack-mountable Data Center Assets must be housed in racks. Devices (e.g., monitors, PCs) that are not rack-mountable must be located on shelves.
- Temperature and humidity must be monitored to prevent fluctuations that could adversely affect the data center.
- Food, drink, liquids of any kind, and tobacco are prohibited in University Data Centers.
- Data Center Assets must never leave the facility to which they are assigned without permission of the DCC identifying the reason for the asset leaving, who oversees it while gone, how much time it will be out, and where it will be located. Any asset that goes off premise must be encrypted and always physically secured.
- External electronic equipment (e.g., laptops, vacuums, power tools) and devices (e.g., fans, drills) that are not included on the Data Center Asset Inventory and are temporarily brought into the data center for a specific purpose must be plugged into the nearest standard wall outlet. External electronic equipment or devices may not be plugged into rack outlets.
- No photography or videography is permitted in a University Data Center without the explicit approval of the appropriate DCC.
- Data Center Safety Guidelines must be posted on the door of each University Data Center.
- University Data Centers must have fire suppression and redundant cooling and power services capable of maintaining the environment should a single component fail.
- All active alarms, including those associated with the air conditioning units, must automatically notify the DCC, alternate contact, the University Police Department, and/or Facilities Management.
- All Data Center Assets must be protected from power failures and other electrical anomalies through uninterruptible power supply (“UPS”) support.
- All University Data Centers must have an Emergency Power Off (“EPO”) button that will shut off power to all equipment except lights and air conditioning in the event of imminent danger to persons within the data center (e.g., electrical shock, fire, other natural disasters).
- To reduce fire hazards, rack enclosures must be kept neat and free of manuals, media, boxes, and unused equipment. Rack enclosures are not storage cabinets and must only be used for functioning equipment.
- At least one Class BC Fire Extinguisher must be stored within a University Data Center in case of fire. Each DCC is responsible for ensuring the fire extinguisher is inspected annually.
- All University Data Centers must employ emergency lighting that activates in the event of a power outage.
- All University Data Centers must feature a master shutoff or isolation water valve that are accessible, working properly, and known to key personnel.
- Contact information for the appropriate DCC, alternate contact person (e.g., IT director), University Police Department, and Facilities Management must be prominently posted in each University Data Center.
- Air conditioners and large uninterruptable power supplies and power distribution units are not classified as Data Center Assets and therefore are not required to be rack mounted or housed in standard racks.
- “Authorized Access” means access to a University Data Center that has been approved by the appropriate DCC.
- “Class BC Fire Extinguisher” means a portable, regular dry chemical fire extinguisher that meets the requirements set forth by the U.S. Department of Labor Occupational Safety and Health Administration to handle a range of fires caused by Energized Electrical Equipment or flammable liquids, greases, or gases.
- “Conditioned Power” means an electrical component intended to improve the quality of the power supplied to the Data Center Assets. Conditioned Power is provisioned through one or more UPS system(s) or a DC battery plant and is further supported by one or more standby diesel generators.
- “Data Center Asset” means a component located within a University Data Center including, but not limited to, servers, blade systems, network devices, storage devices, racks, and rack power distribution units (“PDUs”).
- “Data Center Asset Inventory” means an inventory that provides detailed information of the Data Center Assets located within a University Data Center and classifies the assets in accordance with business criticality. Each DCC may determine how to maintain a data center’s inventory, provided it offers the ability to add, assign, locate, and remove all assets within the DCC’s responsibility.
- “Energized Electrical Equipment” means electrical equipment connected to a power supply such as computers, servers, motors, transformers, appliances, wiring, circuit breakers, and outlets.
- “Mission Critical Services” means services essential to the academic, administrative, research, and outreach missions of the University.
- “University Data Center” means a facility, or portion of a facility, with the primary function to house data processing equipment and features N+1 Fault Tolerance, provides at least 72-hour power outage protection, has no more than 1.6 hours of downtime per year, and can undergo routine maintenance without affecting operation; however, unplanned maintenance and emergencies may affect operations. Exhibit A of the Data Center Security Policy identifies all University Data Centers.
- “Visitor” means a person with approved, escorted access to a University Data Center.
- Acceptable Use of Data and Technology Resources Policy
- Identification Card Policy
- Data Center Security Policy
- NIST Special Publication 800-171
- Data Center Safety Guidelines
Valid WVU credentials are required in order to view internal procedures and guidelines.