Appendix
Sidebar
Sidebar
Table of Contents
TOC placeholder
Governing Policy
Questions?
Please use the contact section in the governing policy.
Objective
To define the information security requirements to protect the facilities and the IT resources located within a data center or network/telecommunications room/closet.
Security Controls
Facility Requirements
The following table defines requirements for those that manage a data center or network/telecommunications room/closet. Security level is based on the security level of the system or data in the data center or network/telecommunications room/closet.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| DCS.A.01 | Document procedures for securing keys or door access to the facility | Required | Required Effective July 2019 |
Required Effective July 2019 |
| DCS.A.02 | Document procedures and approvals needed for adding or removing equipment or media from the facility | Required | Required Effective July 2019 |
Required Effective July 2019 |
| DCS.A.03 | Document procedures for controlling maintenance and repair of equipment protecting systems in the facility | Required | Required Effective July 2019 |
Recommended |
| DCS.A.04 | Maintain a disaster recovery plan in accordance with University Business policy (including who is responsible for DR plan for tenant hardware and data) | Required | Required | Required |
| DCS.A.05 | Limit access to the facility to only those with business need and prior approval | Required | Required Effective July 2019 |
Recommended |
| DCS.A.06 | Identify and maintain a log of who has access to the facility | Required | Required Effective July 2019 |
Recommended |
| DCS.A.07 | Secure servers and network equipment (e.g., lockable casings, lockable racks, secure consoles, continuously locked space) | Required | Required Effective July 2019 |
Required Effective July 2019 |
| DCS.A.08 | Change access codes when personnel change and at least annually | Required | Required Effective July 2019 |
Required Effective July 2019 |
| DCS.A.09 | Periodically review who has key or card access to the facility (suggest: semi-annual or annual) | Required | Required Effective July 2019 |
Recommended |
| DCS.A.10 | Log ingress/egress from facility (i.e., via staff, video, card access logs, etc.). | Required Effective July 2019 |
Recommended | Recommended |
| DCS.A.11 | Monitor ingress access (e.g., compare system generated logs with list of individuals allowed access) | Required Effective July 2019 |
Recommended | Recommended |
| DCS.A.12 | Protect against damage from physical emergencies (i.e., fire, flood, explosions, storms) and civil unrest (e.g., physical protections, fallback equipment and backup media at a safe distance from the facility) | Required | Recommended | Recommended |
| DCS.A.13 | Provide air conditioning, humidity controls, and fire detection / suppression systems to protect the facility and equipment in accordance with local fire safety regulations and manufacturer standards | Required | Required Effective July 2019 |
Required Effective July 2019 |
| DCS.A.14 | Monitor for outages in cooling, electrical or water | Required | Recommended | Recommended |
| DCS.A.15 | Protect facility from failures of power (e.g., use uninterruptible power supply, generators) and other necessary utilities | Required | Required Effective July 2019 |
Recommended |
| DCS.A.16 | Escort or monitor visitors, vendors, delivery staff, maintenance staff | Required | Required Effective July 2019 |
Required Effective July 2019 |
| DCS.A.17 | Wear a visible form of identification that is University authorized (e.g., name badge issued by the University, government, or approved companies) | Required | Recommended | Recommended |
| DCS.A.18 | Use video cameras or automated access control mechanisms to monitor areas in the facility. Audit collected data and correlate with who should have access. | Recommended1 | Recommended | Recommended |
| DCS.A.19 | Periodically test recovery procedures (i.e., power outage) | Required | Required Effective July 2019 |
Recommended |
| DCS.A.20 | Train staff on requirements related to working in or entry to a secure facility | Required | Required Effective July 2019 |
Required Effective July 2019 |
| DCS.A.21 | Establish rules for eating, drinking, proper attire and other non-work related activities in the facility | Required | Required Effective July 2019 |
Recommended |
| DCS.A.22 | Conduct and document a periodic on-site review of the facility (suggest: annual) | Recommended1 | Recommended | Optional |
1 Required for PCI DSS systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
Resources Covered
This standard applies to IT resources owned or contracted by the University.
Individuals Covered
This standard applies to University community members who use or manage University IT resources.
Related Information
- More information on Data Center Security
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to data center security.
Published Date
November 2014
Last Reviewed
April 2019