Data Center Access Policy and Guidelines

DATA CENTER ACCESS POLICY

AND GUIDELINES

Information Security Team

DePaul University

1 East Jackson Boulevard

Chicago, Illinois 60604

https://infosec.depaul.edu/

13th December 2002

1. “Redistribution of source code, documentation and advisories, must retain the

2. “Redistributions in binary forms must reproduce the above copyright notice, this

list of conditions, and the disclaimer included in Section 4 of this copyright no-

tice."

3. “Neither the name of the University nor the names of its contributors may be

used to endorse or promote products derived from this software or information

without speciﬁc prior written consent.”

4. “The information contained herein is provided by the regents and contributors

‘AS IS’ and any express or implied warranties, including, but not limited to,

the implied warranties of merchantability and ﬁtness for a particular purpose are

disclaimed. In no event shall the regents or contributors be liable for any direct,

indirect, incidental, special, exemplary, or consequentialdamages (including, but

not limited to, procurement of substitute goods or services; loss of use, data or

proﬁts; or business interruption) however caused and on any theory or liability,

whether in contract, strict liability, or tort (including negligence or otherwise)

arising in any way out of the use of this information, even if advised of the

possibility of such damage.”

Contents

1 Summary 4

2 Access Authorization Requests 5

2.1 Requesting Access . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.2 Reservation of Access Rights . . . . . . . . . . . . . . . . . . . . . . 5

2.3 Emergency Access . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Guidelines for Use 6

3.1 Physical Security Measures . . . . . . . . . . . . . . . . . . . . . . . 6

A Sample Access Request Form 7

1 Summary

This policy is a recommendation for dealing with access to secured physical areas

housing computers, network devices and other critical infrastructure computing com-

ponents that support current services. Too often physical security is overlooked at by

operational staff as an afterthought; physical security and compliance with guidelines

can be costly and yield low beneﬁts to all but the site’s operational staff. Likewise,

procedures can be difﬁcult to following and maintain as new technologies are deployed

at the site.

The implementation of any policy or guideline requires a methodical set of procedures

to be developed for assisting all those affected. A sample of these guidelines can be

found in this document as a recommendationfor your site when developing guidelines.

Additionally, this document may be used directly as a guideline to meet your basic

requirements.

2 Access Authorization Requests

A central point of contact should be assigned for each data center, network closet or

operations facility. These contacts should be delegated by the responsible director or

manager claiming responsibility for the physical area, and maintenance thereof.

2.1 Requesting Access

An individual requiring physical access to a restricted area should obtain the necessary

forms for access to the physical location — these forms may be speciﬁc to an area

dependingon the requirements, etc. A completed form should be sent to the appropriate

contact(s) for the area; we strongly recommend a digital signature be used to authorize

requests. Where critical infrastructure components are held, only an email signed by a

valid digital key should be acknowledged. Further, INFOSEC strongly recommends that

each responsible area promote the use of digital encryption when submitting request

information.

2.2 Reservation of Access Rights

Each responsible entity for a data center should include a disclaimer that access to

secured area may be revoked temporarily or permanently for any reason, at any time.

These guidelines should included in the necessary access forms to the area and agreed

to each person requesting access to the secured areas.

2.3 Emergency Access

Emergencyaccess to a secured site should not be permitted. Each resource should have

primary and secondary authorized personnel “on call” ready to respond to a situation

at all times. Proper cross-training and contact information should be developed to

promote limiting of emergency access completely.

3 Guidelines for Use

Each access to the data center should be made in compliance with the following guide-

lines in order to increase the longevity of systems. While other speciﬁc guidelines

may be required for a speciﬁc site requirement, these general guidelines should retroﬁt

existing installations.

1. Access to all secured areas should require the use of an authorized swipe card,

proxy card, biometric device, physical key or password. Where possible, all

entries into the secured areas should be recorded and reviewed by the responsible

parties for the area. All access should be logged, even when a group of persons

enters the area.

2. Swipe cards and proxy cards should not be shared between authorized and unau-

thorized persons.

3. A seperate log should be kept for “sign-in” to the area. This log book should

record a name, employee identiﬁcation number, time in, time out, and signature.

4. Vendors, or those wishing to access the data center for a speciﬁc task, should be

accompanied by an authorized person at all times.

5. The secured area should only be accessed to meet a business requirement. When

such a requirement is complete, leave the area. Do not loiter.

6. A resource in use (computer, monitor, keyboard, network cable, power cable,

cabinet, ﬂoorboard, etc.) should be moved only by the person directly responsi-

ble for that resource.

7. Food, drink or other ﬂuids must not be introduced to the secured areas. These

items promote deterioration of computing hardware through moisture.

3.1 Physical Security Measures

The physical security measures implemented at each secured site will greatly assist

in the compliance with policy. Monitoring devices and access control devices should

record each entry into the secured area, both authorized and unauthorized. A log of

entries should be archived for a period of two (2) years. If the site is monitored with

video or audio devices, this data should too be archived.

A Sample Access Request Form

The following form may be used as a template when building an access control policy

or guideline for a secured area.

Data Center Access Request Form for [Sample Data Center]

----------------

Access Policies

---------------

Access request to [Sample Data Center] may be obtained by

submitting this form to <[email protected]>. This form should

be digitally signed and encrypted where possible.

By requesting this access you explicitly agree to all policies and

guidelines set forth by [Sample Data Center] management staff, and

validate that the employee requiring access has been made aware of

all policies and guidelines that pertain to [Same Data Center]. You

may also be held liable for any action or damages against [Sample

Data Center]. [Sample Data Center] management staff reserves the

right to revoke access to the area(s) at any time, for any reason,

without prior notification.

Section I - Employee Information

-------------------------------

Employee Requiring Access

- Name: _____________________________________________________

- Title: ____________________________________________________

- Phone: ____________________________________________________

- Email: ____________________________________________________

- Division: _________________________________________________

- Department: _______________________________________________

- PGP Key ID: _______________________________________________

- Fingerprint _______________________________________________

- Employee ID: ______________________________________________

- SSN: ______________________________________________________

Section II - Approving Manager or Director

------------------------------------------

Approving Manager or Director (if different)