Data Center Security Standard

Standard Number: 1.11.2.2.1
Category: Information Security
Owner: Information Technology Services
Effective: December 8, 2022
Revision History: Originally effective April 23, 2019
Review Date: December 7, 2025

1. PURPOSE, SCOPE AND RESPONSIBILITIES

   1. Pursuant to the Data Center Security Policy, all University Data Centers must be secured by limiting access to and establishing rules for individuals who are granted Authorized Access to a University Data Center.
   2. The purpose of this Standard is to establish minimum requirements that will ensure the physical and environmental security of University Data Centers and the Data Center Assets located within.
   3. This Standard is based on the Physical and Environmental Protections Family within NIST Special Publication 800-171 and applies to all University Data Centers and all individuals who are granted Authorized Access a University Data Center.
   4. The Chief Information Officer, supported by the Executive Director for Enterprise Infrastructure, is responsible for implementing and enforcing this Standard. Each Data Center Coordinator (“DCC”) is responsible for implementing and enforcing the requirements of this Standard.
   5. All individuals with Authorized Access to a University Data Center must follow the requirements outlined in this Standard. Failure to do so will result in loss of access.

2. PHYSICAL ACCESS

   1. Entrance doors must remain closed and locked 24/7. Doors may not be left open or unmonitored for any purpose including installing cable or equipment. If an emergency occurs, such as failure of environmental controls, that requires the doors to be left open to support air flow, a DCC or a designee must remain posted at the entrance to the data center until the doors can be closed.
   2. Entrance door(s) must be equipped with an electronic lock that requires both a card swipe and a PIN that audits access. Multiple individuals may not enter a data center using one individual’s card. See Section 3 for physical/visitor access to a data center.
   3. Keys, combinations, and other ways to physically access a University Data Center must be secured either in a lock box, locked cabinet, or under the control of an individual issued a key.
   4. All individuals are required to notify the DCC when they will be using a physical key to open a University Data Center lock.
   5. The DCC is responsible for maintaining an inventory of all physical keys that are either located in a lock box or distributed to individuals and have access to the University Data Center they oversee detailing the following:
      1. Key number;
      2. Name of individual/lock box issued key;
      3. Date key issued; and,
      4. Date key returned.
   6. DCCs must collect any physical keys distributed when personnel change and ensure that access is removed pursuant to the Physical Access Management Standard.
   7. Doors must be re-keyed if any physical key is not returned or is unaccounted for on the physical key inventory.

3. PHYSICAL ACCESS AUTHORIZATIONS

   1. Each University Data Center must have an established access request process that provides the DCC the ability to review and approve individuals to access a data center.
   2. Authorized Individuals granted unescorted access to a University Data Center must:
      1. Carry and be prepared to present a valid University identification card or a vendor identification card when in the data center;
      2. Swipe a valid identification card and enter PIN upon entry to a data center; and;
      3. Ensure that Visitors do not handle, damage, or reconfigure existing Data Center Assets in an unauthorized manner.
   3. Visitors granted temporary, escorted access to a University Data Center must:
      1. Carry and be prepared to present valid identification when in the data center;
      2. Request access from the DCC at least 24 hours in advance. Unscheduled visits may be denied by the DCC;
      3. Sign in upon entry and sign out upon exit of the data center, providing the reason for visit. Signing in and signing out is mandatory; and,
      4. Always be escorted by an Authorized Individual.

4. PHYSICAL ACCESS MONITORING

   1. An annual risk assessment must be conducted to ensure physical security controls are working as intended and cannot be bypassed or circumvented.
   2. Door access logs must be maintained for a minimum of one year and reviewed at least quarterly to ensure only Authorized Individuals access the data center and vendor/visitor access is logged appropriately. Audits include reviewing access logs to detect possible Computer Security Incidents (e.g., a user being granted access to the data center that is not an Authorized Individual or an approved visitor/vendor).
   3. A list of Authorized Individuals with physical access must be maintained identifying the reason for access. Access list must be audited regularly. Audits are preferred to be done quarterly but must be done at least annually. Anyone who fails an audit for any reason or who no longer requires access to the data center must have their access removed.
   4. Visitors’ log must be secured within the data center or kept in a locked cabinet outside of the data center with access limited to DCC, or authorized personnel. DCC must review visitor logs on a quarterly basis to ensure only Authorized Individuals access the data center and that vendor/visitor access is logged appropriately. Visitors’ logs must be kept for one year at minimum.
   5. Entry door(s) must be monitored (e.g. video surveillance, still photography) to ensure only Authorized Individuals access data center. Surveillance must allow for local and remote viewing of secured and public spaces. Recording device must be in a secure area. All video recordings or photographs must be saved no less than 30 days.

5. ASSET SECURITY

   1. Assets within a University Data Center must be situated in a safe location where conditions are met for proper operation and minimize unnecessary access that may cause damage to assets.
   2. All assets used within a University Data Center must meet the University-Owned Device Standard, the Secure Server Standard, and/or the Bring Your Own Device Standard.
   3. A Data Center Asset Inventory must be kept that reflects current assets within the University Data Center. The inventory must be reviewed annually to conduct status check of the assets, generating a report indicating the assets reviewed and condition.
   4. All assets that have reached the end of their life cycle must be removed from use and be sanitized according to the Data Destruction and Media Sanitization Standard.
   5. Only Authorized Individuals may connect or disconnect any Data Center Asset. Visitors or unauthorized individuals must only connect or disconnect Data Center Assets under the supervision of an Authorized Individual.
   6. All installations or removal of Data Center Assets must be formally documented and reviewed by the DCC.
   7. Deliveries and/or removal of assets must be indicated on visitor access logs. Deliveries should be delivered to the DCC.
   8. Power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.
   9. Rack-mountable Data Center Assets must be housed in racks. Devices (e.g., monitors, PCs) that are not rack-mountable must be located in designated data center storage cart or shelves.
   10. Temperature and humidity must be monitored on a reoccurring basis to prevent fluctuations that could adversely affect the data center.
   11. Food, drink, liquids of any kind, and tobacco are prohibited in University Data Centers.
   12. Data Center Assets must never leave the facility to which they are assigned without permission of the DCC identifying the reason for the asset leaving, who oversees it while gone, how much time it will be out, and where it will be located. Any asset that goes off premise must be encrypted and always physically secured.
   13. External electronic equipment (e.g., laptops, vacuums, power tools) and devices (e.g., fans, drills) that are not included on the Data Center Asset Inventory and are temporarily brought into the data center for a specific purpose must be plugged into the nearest standard wall outlet. External electronic equipment or devices may not be plugged into rack outlets.
   14. No photography or videography is permitted in a University Data Center without the explicit approval of the DCC.
   15. Data Center Safety Guidelines must be posted on the door of each University Data Center.

6. EMERGENCY PREPAREDNESS

   1. University Data Centers must have fire suppression and redundant cooling and power services capable of maintaining the environment should a single component fail.
   2. All active alarms, including those associated with the air conditioning units, must automatically notify the DCC, alternate contact, the University Police Department, and/or Facilities Management.
   3. All Data Center Assets must be protected from power failures and other electrical anomalies through uninterruptible power supply (“UPS”) support.
   4. All University Data Centers must have an Emergency Power Off (“EPO”) button that will shut off power to all equipment except lights and air conditioning in the event of imminent danger to persons within the data center (e.g., electrical shock, fire, other natural disasters).
   5. To reduce fire hazards, rack enclosures must be kept neat and free of manuals, media, boxes, and unused equipment. Rack enclosures are not storage cabinets and must only be used for functioning equipment.
   6. At least one Class BC Fire Extinguisher must be stored within a University Data Center in case of fire. Each DCC is responsible for ensuring the fire extinguisher is inspected annually.
   7. All University Data Centers must employ emergency lighting that activates in the event of a power outage.
   8. All University Data Centers must feature either a master shut off or shut off valve per Computer Room Air Conditioning (“CRAC”) unit that is accessible, working properly, and known to key personnel.
   9. Contact information for the appropriate DCC, alternate contact person (e.g., IT director), University Police Department, and Facilities Management must be prominently posted in each University Data Center.

7. EXCEPTIONS

   1. Air conditioners and large uninterruptable power supplies and power distribution units are not classified as Data Center Assets and therefore are not required to be rack mounted or housed in standard racks.

8. DEFINITIONS

   1. “Authorized Access” means access to a University Data Center that has been approved by the appropriate DCC.
   2. “Class BC Fire Extinguisher” means a portable, regular dry chemical fire extinguisher that meets the requirements set forth by the U.S. Department of Labor Occupational Safety and Health Administration to handle a range of fires caused by Energized Electrical Equipment or flammable liquids, greases, or gases.
   3. “Conditioned Power” means an electrical component intended to improve the quality of the power supplied to the Data Center Assets. Conditioned Power is provisioned through one or more UPS system(s) or a DC battery plant and is further supported by one or more standby diesel generators.
   4. “Computer Room Air Conditioning (CRAC) Unit” means a device that is used to monitor and maintain the temperature, air distribution and humidity in a University Data Center.
   5. “Data Center Asset” means a component located within a University Data Center including, but not limited to, servers, blade systems, network devices, storage devices, racks, and rack power distribution units (“PDUs”).
   6. “Data Center Asset Inventory” means an inventory that provides detailed information of the Data Center Assets located within a University Data Center and classifies the assets in accordance with business criticality. Each DCC may determine how to maintain a data center’s inventory, provided it offers the ability to add, assign, locate, and remove all assets within the DCC’s responsibility.
   7. “Energized Electrical Equipment” means electrical equipment connected to a power supply such as computers, servers, motors, transformers, appliances, wiring, circuit breakers, and outlets.
   8. “Mission Critical Services” means services essential to the academic, administrative, research, and outreach missions of the University.
   9. “University Data Center” means a facility, or portion of a facility, with the primary function to house data processing equipment and features N+1 Fault Tolerance, provides at least 72-hour power outage protection, has no more than 1.6 hours of downtime per year, and can undergo routine maintenance without affecting operations; however, unplanned maintenance and emergencies may affect operations. Exhibit A of the Data Center Security Policy identifies all University Data Centers.
   10. “Visitor” means a person with approved, escorted access to a University Data Center.

9. Related Documents

   1. Acceptable Use of Data and Technology Resources Policy
   2. Identification Card Policy
   3. Data Center Security Policy
   4. NIST Special Publication 800-171
   5. Data Center Safety Guidelines
   6. Physical Access Management Standard
   7. Risk Assessment Standard
   8. University-Owned Device Standard
   9. Bring Your Own Device Standard
   10. Secure Server Standard
   11. Data Destruction and Media Sanitization Standard