APPENDIX TO POLICY

Data Center Standard

Objective

To identify IT resources that must be in a data center and define data center security requirements to protect the IT resources located in a data center.

Security Controls

Systems to locate in a Data Center

The following table defines systems or applications that need to be located in a data center.

| Criteria ID | Type of System | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| DC.A.01 | Multi-user systems | Required | Required | Recommended |

Data Center Requirements

The following table defines requirements for a data center.

| Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| DC.B.01 | Disaster recovery plan in accordance with University Business Continuity policy (including who is responsible for DR plan for tenant hardware and data) | Required | Required | Required |
| DC.B.02 | Limit access to the facility to only those with business need and prior approval | Required | Recommended | Recommended |
| DC.B.03 | Identify and maintain a log of who has access to the facility | Required | Recommended | Recommended |
| DC.B.04 | Secure servers and network equipment (i.e., lockable casings, lockable racks, secure consoles). Lock vacant data center rooms. | Required | Recommended | Recommended |
| DC.B.05 | Document procedures for securing keys or door access to the facility | Required | Recommended | Recommended |
| DC.B.06 | Change access codes when personnel change and at least annually | Required | Recommended | Recommended |
| DC.B.07 | Periodically review who has key or card access to the facility (suggested: semi-annual or annual) | Required | Recommended | Recommended |
| DC.B.08 | Monitor and log ingress/egress from facility (i.e., via staff, video, card access logs, etc.) | Required | Recommended | Recommended |
| DC.B.09 | Protect against damage from physical emergencies (i.e., fire, flood, explosions, storms) and civil unrest (e.g., physical protections, fallback equipment and backup media at a safe distance from the facility) | Required | Recommended | Recommended |
| DC.B.10 | Provide air conditioning, humidity controls, and fire detection / suppression systems to protect the facility and equipment in accordance with local fire safety regulations and manufacturers' standards | Required | Recommended | Recommended |
| DC.B.11 | Monitor for outages in cooling, electrical or water | Required | Recommended | Recommended |
| DC.B.12 | Protect facility from failures of power and other necessary utilities | Required | Recommended | Recommended |
| DC.B.13 | Establish stable and redundant power supply (Uninterruptible Power Supply) to maintain critical systems | Required | Recommended | Recommended |
| DC.B.14 | Document procedures for the data center | Required | Required | Recommended |
| DC.B.15 | Escort visitors, vendors, delivery staff, maintenance staff | Required | Recommended | Recommended |
| DC.B.16 | Wear a visible form of identification that is University authorized (e.g., name badge issued by the University, government, or approved companies) | Required | Recommended | Recommended |
| DC.B.17 | Document procedure and approvals needed for removing equipment or media from the facility | Required | Recommended | Recommended |
| DC.B.18 | Document procedures for controlling maintenance and repair of equipment protecting systems in the facility | Required | Recommended | Recommended |
| DC.B.19 | Use cameras to monitor areas in the facility. Audit collected data and correlate with who should have access. | Recommended [1] | Recommended | Recommended |
| DC.B.20 | Use emergency lighting | Required | Recommended | Recommended |
| DC.B.21 | Provide emergency power switches near emergency exits | Required | Recommended | Recommended |
| DC.B.22 | Segregate equipment that requires unique environmental controls | Required | Recommended | Recommended |
| DC.B.23 | Periodically test recovery procedures (i.e., power outage) | Required | Recommended | Recommended |
| DC.B.24 | Do not store hazardous or combustible materials | Required | Recommended | Recommended |
| DC.B.25 | Train staff on requirements related to working in or entry to a secure facility | Required | Recommended | Recommended |
| DC.B.26 | Establish rules for eating, drinking, proper attire and other non-work related activities in the facility | Required | Recommended | Recommended |

[1] This is required for systems in scope for the credit card processing environment per PCI-DSS. This includes systems that support or store, process or transmit cardholder data.

Resources Covered

This standard applies to IT resources owned or contracted by the University.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Data Center

Published Date

  • November 2014
