University of Minnesota  Appendix

Data Center Security Standard


Governing Policy

Questions?

Please use the contact section in the governing policy.

Objective

To define the information security requirements to protect the facilities and the IT resources located within a data center or network/telecommunications room/closet.

Security Controls

Facility Requirements

The following table defines requirements for those who manage a data center or network/telecommunications room/closet. The applicable security level is based on the security level of the system or data in the data center or network/telecommunications room/closet.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| DCS.A.01 | Document procedures for securing keys or door access to the facility | Required | Required (Effective July 2019) | Required (Effective July 2019) |
| DCS.A.02 | Document procedures and approvals needed for adding or removing equipment or media from the facility | Required | Required (Effective July 2019) | Required (Effective July 2019) |
| DCS.A.03 | Document procedures for controlling maintenance and repair of equipment protecting systems in the facility | Required | Required (Effective July 2019) | Recommended |
| DCS.A.04 | Maintain a disaster recovery plan in accordance with University Business policy (including who is responsible for DR plan for tenant hardware and data) | Required | Required | Required |
| DCS.A.05 | Limit access to the facility to only those with business need and prior approval | Required | Required (Effective July 2019) | Recommended |
| DCS.A.06 | Identify and maintain a log of who has access to the facility | Required | Required (Effective July 2019) | Recommended |
| DCS.A.07 | Secure servers and network equipment (e.g., lockable casings, lockable racks, secure consoles, continuously locked space) | Required | Required (Effective July 2019) | Required (Effective July 2019) |
| DCS.A.08 | Change access codes when personnel change and at least annually | Required | Required (Effective July 2019) | Required (Effective July 2019) |
| DCS.A.09 | Periodically review who has key or card access to the facility (suggest: semi-annual or annual) | Required | Required (Effective July 2019) | Recommended |
| DCS.A.10 | Log ingress/egress from facility (i.e., via staff, video, card access logs, etc.). | Required (Effective July 2019) | Recommended | Recommended |
| DCS.A.11 | Monitor ingress access (e.g., compare system generated logs with list of individuals allowed access) | Required (Effective July 2019) | Recommended | Recommended |
| DCS.A.12 | Protect against damage from physical emergencies (i.e., fire, flood, explosions, storms) and civil unrest (e.g., physical protections, fallback equipment and backup media at a safe distance from the facility) | Required | Recommended | Recommended |
| DCS.A.13 | Provide air conditioning, humidity controls, and fire detection / suppression systems to protect the facility and equipment in accordance with local fire safety regulations and manufacturer standards | Required | Required (Effective July 2019) | Required (Effective July 2019) |
| DCS.A.14 | Monitor for outages in cooling, electrical or water | Required | Recommended | Recommended |
| DCS.A.15 | Protect facility from failures of power (e.g., use uninterruptible power supply, generators) and other necessary utilities | Required | Required (Effective July 2019) | Recommended |
| DCS.A.16 | Escort or monitor visitors, vendors, delivery staff, maintenance staff | Required | Required (Effective July 2019) | Required (Effective July 2019) |
| DCS.A.17 | Wear a visible form of identification that is University authorized (e.g., name badge issued by the University, government, or approved companies) | Required | Recommended | Recommended |
| DCS.A.18 | Use video cameras or automated access control mechanisms to monitor areas in the facility. Audit collected data and correlate with who should have access. | Recommended¹ | Recommended | Recommended |
| DCS.A.19 | Periodically test recovery procedures (i.e., power outage) | Required | Required (Effective July 2019) | Recommended |
| DCS.A.20 | Train staff on requirements related to working in or entry to a secure facility | Required | Required (Effective July 2019) | Required (Effective July 2019) |
| DCS.A.21 | Establish rules for eating, drinking, proper attire and other non-work related activities in the facility | Required | Required (Effective July 2019) | Recommended |
| DCS.A.22 | Conduct and document a periodic on-site review of the facility (suggest: annual) | Recommended¹ | Recommended | Optional |

¹ Required for PCI DSS systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.

Resources Covered

This standard applies to IT resources owned or contracted by the University.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

Published Date

November 2014

Last Reviewed

April 2019