APPENDIX TO POLICY
Data Center Standard
Objective
To identify IT resources that must be in a data center and define data center security requirements to protect the IT resources located in a data center.
Security Controls
Systems to locate in a Data Center
The following table defines systems or applications that need to be located in a data center.
| Criteria | Security Level | |||
| ID | Type of System | High | Medium | Low |
| DC.A.01 | Multi-user systems | Required | Required | Recommended |
Data Center Requirements
The following table defines requirements for a data center.
| Control | Security Level | |||
| ID | Description | High | Medium | Low |
| DC.B.01 | Disaster recovery plan in accordance with University Business Continuity policy (including who is responsible for DR plan for tenant hardware and data) | Required | Required | Required |
| DC.B.02 | Limit access to the facility to only those with business need and prior approval | Required | Recommended | Recommended |
| DC.B.03 | Identify and maintain a log of who has access to the facility | Required | Recommended | Recommended |
| DC.B.04 | Secure servers and network equipment (i.e., lockable casings, lockable racks, secure consoles). Lock vacant data center rooms. | Required | Recommended | Recommended |
| DC.B.05 | Document procedures for securing keys or door access to the facility | Required | Recommended | Recommended |
| DC.B.06 | Change access codes when personnel change and at least annually | Required | Recommended | Recommended |
| DC.B.07 | Periodically review who has key or card access to the facility (suggested: semi-annual or annual) | Required | Recommended | Recommended |
| DC.B.08 | Monitor and log ingress/egress from facility (i.e., via staff, video, card access logs, etc.) | Required | Recommended | Recommended |
| DC.B.09 | Protect against damage from physical emergencies (i.e., fire, flood, explosions, storms) and civil unrest (e.g., physical protections, fallback equipment and backup media at a safe distance from the facility) | Required | Recommended | Recommended |
| DC.B.10 | Provide air conditioning, humidity controls, and fire detection / suppression systems to protect the facility and equipment in accordance with local fire safety regulations and manufacturers standards | Required | Recommended | Recommended |
| DC.B.11 | Monitor for outages in cooling, electrical or water | Required | Recommended | Recommended |
| DC.B.12 | Protect facility from failures of power and other necessary utilities | Required | Recommended | Recommended |
| DC.B.13 | Establish stable and redundant power supply (Uninterruptible Power Supply) to maintain critical systems | Required | Recommended | Recommended |
| DC.B.14 | Document procedures for the data center | Required | Required | Recommended |
| DC.B.15 | Escort visitors, vendors, delivery staff, maintenance staff | Required | Recommended | Recommended |
| DC.B.16 | Wear a visible form of identification that is University authorized (e.g., name badge issued by the University, government, or approved companies) | Required | Recommended | Recommended |
| DC.B.17 | Document procedure and approvals needed for removing equipment or media from the facility | Required | Recommended | Recommended |
| DC.B.18 | Document procedures for controlling maintenance and repair of equipment protecting systems in the facility | Required | Recommended | Recommended |
| DC.B.19 | Use cameras to monitor areas in the facility. Audit collected data and correlate with who should have access. | Recommended1 | Recommended | Recommended |
| DC.B.20 | Use emergency lighting | Required | Recommended | Recommended |
| DC.B.21 | Provide emergency power switches near emergency exits | Required | Recommended | Recommended |
| DC.B.22 | Segregate equipment that requires unique environmental controls | Required | Recommended | Recommended |
| DC.B.23 | Periodically test recovery procedures (i.e., power outage) | Required | Recommended | Recommended |
| DC.B.24 | Do not store hazardous or combustible materials | Required | Recommended | Recommended |
| DC.B.25 | Train staff on requirements related to working in or entry to a secure facility | Required | Recommended | Recommended |
| DC.B.26 | Establish rules for eating, drinking, proper attire and other non-work related activities in the facility | Required | Recommended | Recommended |
1 This is required for systems in scope for credit card processing environment per PCI-DSS. This includes systems that support or store, process or transmit cardholder data.
Resources Covered
This standard applies to IT resources owned or contracted by the University.
Individuals Covered
This standard applies to University community members who use or manage University IT resources.
Related Information
More information on Data Center
Published Date
- November 2014
Document Feedback