Systems Facilities Security Standard
Purpose
Facilities Security requirements identify the steps necessary to safeguard the physical facilities that house IT equipment, systems, services, and personnel.
Standard
UMW adheres to the following minimum standard for securing physical access to IT Systems/Data Facilities.
Physical Access
All data centers and server rooms that centrally house UMW data must have controlled access through an individually traceable method. Acceptable methods are UMW-authorized access card readers (proximity, swipe, PIN, or any combination thereof), combination door locks that can be coded to track individual entry, or, for rooms deemed not to house sensitive information, key entry.
Override keys for combination locks and access card systems will be issued only to Emergency Operations (EOC) and UMW Locksmith personnel, and will be used by those personnel only when the lock is disabled (e.g., the batteries have died and immediate access is required to repair the lock or to reach the data center, or the access control system is malfunctioning and impeding access).
Facilities Group Combination Codes
Group combination codes for Facilities shops (e.g., electrical, HVAC, plumbing) are acceptable as long as there is another method to track who from the shop entered the facility at any given time. This can be accomplished through the work order tracking system that Facilities uses. Facilities personnel who need frequent access, however, will be assigned an individual combination code for tracking purposes.
Contractor and other personnel Physical Access
All contractors and other non-authorized personnel requiring access to areas that house sensitive IT data must be accompanied at all times by an approved UMW staff member, or by a contract employee hired directly by UMW through staff augmentation or other means acceptable to Human Resources.
The UMW employee accompanying the contractor or other personnel will take extra care to ensure that no systems other than those being worked on are accessed and that no sensitive data is visible on screens within the center. Passwords or other access devices for systems and consoles will never be given to the contractor or any other such personnel.
Annual Review of Access Permissions
At least once annually, the Information Security Officer (ISO) or a designee will review the list of users holding data center/server room access codes. Supervisors of UMW employees with access to these areas will notify the ISO and the UMW Locksmith shop when an employee departs. Associated codes must be invalidated within one week of an amicable departure and within 24 hours of a termination.
Environmental Controls within a Data Center or Server Room
All data centers and server rooms must have appropriate electrical and environmental controls installed and monitored on a regular basis, including fire control systems, standalone heating and cooling systems, and electrical protection.
Electrical Protection and Redundancy
All UMW-owned production systems must, at a minimum, be appropriately protected with grounding and redundant power in all data center and server room locations. Redundant power can be supplied by multiple mainline power feeds from the utility vendor, a generator, or other acceptable means. If a generator is used, appropriate bridging backup power (such as an uninterruptible power supply) must be implemented to cover the interval between a power loss and the generator becoming operational.
If additional secondary power is available, development and test servers and appropriate networking devices may also be covered, on a priority basis defined by the Enterprise Infrastructure Manager, the Networks and Communications Director, and senior IT leadership.
Fire Control and Suppression Systems
Where a fire control and suppression system is required by building code in data centers and server rooms on the UMW campus, the system should ideally be an equipment-safe system that does not use water.
If a water-based system is the only option, that choice must be documented as a risk, and a dry-pipe, pre-action system with a multi-step release must be implemented.
HVAC Systems
Independent HVAC systems installed in these rooms must have capacity in excess of what is required to maintain vendor-recommended temperature and humidity ranges and to provide sufficient ventilation.
Externally Hosted Systems
Externally hosted systems are beyond the scope of this document. However, for every IT system identified as sensitive with respect to availability, UMW must require that the service provider document and implement facilities security practices consistent with the requirements of UMW standards.
Approvals and Revisions
Approved: November 16, 2010 by Vice President for Information Technologies & CIO