Printed on: 07/21/2019. Please go to http://policy.umn.edu for the most current version of the Policy or related document.

Appendix

Data Center Security Standard

Objective

To define the information security requirements to protect the facilities and the IT resources located within a data center or network/telecommunications room/closet.

Security Controls

Facility Requirements

The following table defines requirements for those that manage a data center or network/telecommunications room/closet. Security level is based on the security level of the system or data in the data center or network/telecommunications room/closet.

Control		Security Level
ID	Description	High	Medium	Low
DCS.A.01	Document procedures for securing keys or door access to the facility	Required	Required Effective July 2019	Required Effective July 2019
DCS.A.02	Document procedures and approvals needed for adding or removing equipment or media from the facility	Required	Required Effective July 2019	Required Effective July 2019
DCS.A.03	Document procedures for controlling maintenance and repair of equipment protecting systems in the facility	Required	Required Effective July 2019	Recommended
DCS.A.04	Maintain a disaster recovery plan in accordance with University Business policy (including who is responsible for DR plan for tenant hardware and data)	Required	Required	Required
DCS.A.05	Limit access to the facility to only those with business need and prior approval	Required	Required Effective July 2019	Recommended
DCS.A.06	Identify and maintain a log of who has access to the facility	Required	Required Effective July 2019	Recommended
DCS.A.07	Secure servers and network equipment (e.g., lockable casings, lockable racks, secure consoles, continuously locked space)	Required	Required Effective July 2019	Required Effective July 2019
DCS.A.08	Change access codes when personnel change and at least annually	Required	Required Effective July 2019	Required Effective July 2019
DCS.A.09	Periodically review who has key or card access to the facility (suggest: semi-annual or annual)	Required	Required Effective July 2019	Recommended
DCS.A.10	Log ingress/egress from facility (i.e., via staff, video, card access logs, etc.).	Required Effective July 2019	Recommended	Recommended
DCS.A.11	Monitor ingress access (e.g., compare system generated logs with list of individuals allowed access)	Required Effective July 2019	Recommended	Recommended
DCS.A.12	Protect against damage from physical emergencies (i.e., fire, flood, explosions, storms) and civil unrest (e.g., physical protections, fallback equipment and backup media at a safe distance from the facility)	Required	Recommended	Recommended
DCS.A.13	Provide air conditioning, humidity controls, and fire detection / suppression systems to protect the facility and equipment in accordance with local fire safety regulations and manufacturer standards	Required	Required Effective July 2019	Required Effective July 2019
DCS.A.14	Monitor for outages in cooling, electrical or water	Required	Recommended	Recommended
DCS.A.15	Protect facility from failures of power (e.g., use uninterruptible power supply, generators) and other necessary utilities	Required	Required Effective July 2019	Recommended
DCS.A.16	Escort or monitor visitors, vendors, delivery staff, maintenance staff	Required	Required Effective July 2019	Required Effective July 2019
DCS.A.17	Wear a visible form of identification that is University authorized (e.g., name badge issued by the University, government, or approved companies)	Required	Recommended	Recommended
DCS.A.18	Use video cameras or automated access control mechanisms to monitor areas in the facility. Audit collected data and correlate with who should have access.	Recommended¹	Recommended	Recommended
DCS.A.19	Periodically test recovery procedures (i.e., power outage)	Required	Required Effective July 2019	Recommended
DCS.A.20	Train staff on requirements related to working in or entry to a secure facility	Required	Required Effective July 2019	Required Effective July 2019
DCS.A.21	Establish rules for eating, drinking, proper attire and other non-work related activities in the facility	Required	Required Effective July 2019	Recommended
DCS.A.22	Conduct and document a periodic on-site review of the facility (suggest: annual)	Recommended¹	Recommended	Optional

¹ Required for PCI DSS systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.

Resources Covered

This standard applies to IT resources owned or contracted by the University.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Data Center Security
How to use the information security standards
See the Information Security policy appendices for additional information security standards that also apply to data center security.

Data Center Security Standard

Objective

Security Controls

Facility Requirements

Resources Covered

Individuals Covered

Related Information

Published Date

Last Reviewed

Document Feedback

Information Technology

Data Center Security Standard

Related Policy:

Appendix to Policy

Objective

Security Controls

Facility Requirements

Resources Covered

Individuals Covered

Related Information

Published Date

Last Reviewed

Document Feedback

Information Technology