Standard 16: Data Center Security

Revision Number:

New Standard
Major Revision of Existing Standard
Minor/Technical Revision of Existing Standard
Reaffirmation/Review of Existing Standard

Effective Date:

2/24/2020

Revised Date:

2/24/2020

Review Date:

2/24/2020

Responsible Division/Department:
Office of the CIO / Information Technology Services

All information resources must be physically protected based on risk.
The University shall adopt safeguards to ensure appropriate granting, controlling, and monitoring of physical access. Physical access safeguards must incorporate procedures for:
1. Protecting facilities in proportion to the criticality or importance of their function and the confidentiality of any information resources affected;
2. Managing access cards, badges, and/or keys;
3. Granting, changing, and/or removing physical access to facilities to reflect changes in an individual's role or employment status; and
4. Controlling visitor and vendor physical access with procedures that incorporate the following:
  1. Logging and documenting of visits (sign in / out sheets);
  2. Escorting while on premises (not leaving unattended); and
  3. Restricting the unauthorized use of photographic and video devices while on premises.
University data centers. In addition to the controls required above, University data centers must incorporate procedures for each of the following:
1. Reviewing physical access permissions at least quarterly;
2. Designating staff who will have authorized access during an emergency;
3. Monitoring the exterior and interior of the facility 24/7 by video camera;
4. Maintaining appropriate environmental controls and alarms that monitor heat and humidity, fire suppression and detection systems, and uninterruptable power systems capable of supporting all data center power needs in the event of a primary power system failure; and
5. Protecting any University data center by implementing and maintaining security measures as appropriate, including any of the following:
6. Security fencing, lighting, and landscaping to prevent concealment of intruders;
7. Electronic intrusion alarms for all entry points into the facility and any internal areas housing critical infrastructure; and
8. Computer rooms with no externally facing windows.