VISC Data Center Physical Control Guideline

REVISION CONTROL
Document Title: VISC Data Center Physical Control
Author: VISC Document Committee
File Reference: InfoSec Standard Template_Numbered Headings.docx

Revision History
Revision Date | Revised By | Summary of Revisions | Section(s) Revised
12-22-2011 | Danita Leese | Formatted | All
12-13-2011 | Sylvia Barnes | Incorporate review changes and place into approved template. |
10-19-2011 | Sylvia Barnes | Reformatted document and removed redundancies | All
10-9-2011 | Mark Hendricks | Draft document | All

Review / Approval History
Review Date | Reviewed By | Action (Reviewed, Recommended or Approved)
10-31-2011 | VISC Governance | Draft VISC Document
2/7/2012 | VIAC Governance | Approve
Last Revised: 12/22/11
Table of Contents
1.0 INTRODUCTION
2.0 PURPOSE
3.0 SCOPE
4.0 GUIDELINE
4.1 Data Center Physical Control
4.2 Data Center Access Authorization
4.3 Data Center Access Requirements
4.4 Unrestricted Data Center Access
4.5 Access Limited to Authorized Personnel Only
4.6 Authorization for Unrestricted and Restricted Access to Data Center Spaces
4.6.1 Visitor Access
4.7 Audit Procedures
4.7.1 Equipment in the Data Center
5.0 DEFINITIONS
6.0 REFERENCES
1.0 INTRODUCTION
This guideline was developed to support CSU policies, government regulations, and audit compliance. It
provides support for managing physical and environmental security controls to prevent unauthorized
physical access, damage, and interruption to campus information assets controlled within a data center
environment.
2.0 PURPOSE
The following data center physical control guideline is designed to provide procedures and support for managing
the security of information assets within a data center, with additional management controls for other assets that
process Level 1 and Level 2 data that may reside outside a data center. These controls need to be adequate
to protect critical or protected data, and need to:
a. Manage control of physical access to information assets (including personal computer systems, computer
terminals, and mobile devices) by campus staff and others.
b. Prevent, detect, and suppress fire, water damage, and loss or disruption of operational capabilities due to
electrical power fluctuations or failures.
c. Have appropriate security zone designations assigned to physical areas where Level 1 and Level 2 data
are processed. Appropriate physical controls need to be implemented in shared and limited access
security zones. Campuses should implement an access review process and review these controls
regularly.
3.0 SCOPE
This document is intended to address physical controls for campus limited access areas such as campus data
centers. This document is intended to implement section 8080 of the CSU Information Security Policy and
associated standards related to physical control for campus data centers. This document addresses access
procedures, as well as physical and environmental control guidelines.
4.0 GUIDELINE
4.1 Data Center Physical Control
Campus Data Centers are Limited Access Areas based on CSU’s Policy Section 8080 Physical Security
Standard. Information Technology should implement an access control list that includes the name and access
level of each individual granted restricted or unrestricted access. A copy of the access list should be maintained
both in the Information Technology office and at the University Police Department. A standard process should be
implemented to manage changes to the access list.
4.1.1 Data Center Physical Controls
Campus Data Centers are Limited Access Areas based on CSU’s Policy Section 8080 Physical Security
Standard. Campus and/or departmental servers storing Level 1 Confidential data, as defined by the CSU
Information Security Standards, should be located in a physically controlled campus Data Center.
Data Center Guideline:
1. Campus Data Centers should be alarmed with a 24/7 alerting system with real-time alerts reporting to
an outside department or agency such as a University Police Department. A process should be
implemented in which the Information Security Officer or the Chief Information Officer or their
designee is contacted in the event that an alarm is triggered.
2. All work areas should be kept clean and free of debris. Upon completion of any work in the room, staff
performing the work should ensure they have left the area as clean as it was before their work began.
3. All rack enclosures should be kept neat and free of manuals, diskettes, cables, etc. Doors on all racks
should remain closed at all times except while work is being performed.
4. Cables should never be strung outside of rack enclosures. Cabling between rack enclosures of
adjacent racks is accepted provided a sufficient pass-through chassis is in place.
5. Campus Data Centers should have processes and facilities in place to prevent, detect, and suppress fire,
water damage, and loss or disruption of operational capabilities due to electrical power fluctuations or
failures.
6. Measures should be taken to prevent tailgating or piggybacking, which is when a person tags along
with another person who is authorized to gain entry into a restricted area. Individuals with key access
may not allow any other person to follow unless they are certain that the trailing individual has
access.
7. Data Center Machine Room Etiquette
   • No food or drink is allowed within the Data Center.
   • No hazardous materials are allowed within the Data Center.
   • Do not power any electrical or mechanical device without proper authorization.
   • All packing material should be removed from computer equipment/components in the specified
     staging areas before being moved into the Data Center. This includes cardboard, paper wrap,
     peanuts, plastic, wood and other such materials.
   • No cleaning supplies are allowed within the Data Center without prior approval. This includes water.
   • Only HEPA filter vacuums may be used inside the Data Center.
   • No cutting of any material (pipes, floor tiles, etc.) should be performed inside the Data Center
     unless special arrangements are made in advance.
   • Boxes, tapes, CDs and other material should not be stored inside the Data Center.
   • Employees authorized to access any portion of the Data Center should only access equipment for
     which they are specifically responsible.
   • Only staff with unrestricted access should access the sub-floor or remove floor tiles.
   • Do not lift floor tiles without prior knowledge, consent, and oversight of the Network Operations
     staff.
   • Communicate all problems to Data Center staff.
   • In the event of an emergency, notify Data Center staff immediately.
   • Do not touch a Power Distribution Unit within the Data Center.
   • Do not touch air conditioning equipment.
   • Do not open communications cabinets.
4.2 Data Center Access Authorization
All requests for access to the campus Data Center need to be approved by the Chief Information Officer (CIO) or
designee. Access is restricted to specific individuals with job functions related to operating mission critical
equipment in the Data Center. The CIO or designee must approve all changes to physical controls, such as locks
and alarm codes. Data Center management and access authorization procedures should be developed and
implemented to maintain baseline security for the Data Center and the protected assets.
Other best practices that should be implemented in the management of the Data Center are as follows:
• A Campus Limited Access Area Authorization Form needs to be completed for each employee.
  The form will include information pertaining to the responsibilities of those with privileged access.
• The supervisor of the employee will need to sign the authorization form.
• The Chief Technology Officer (CTO) or designee will need to sign the authorization form.
• Employees, Public Safety, Facilities and Maintenance, and contractors that are granted access
  should have a signed Confidentiality Agreement on file.
• Employees, public safety, and contractors will need to have completed appropriate Data Center
  Physical Access Training as defined by the Information Security Officer (ISO) or designee.
• After CIO approval, the Director of (CTO) will file the authorization form and request key cards
  and security codes.
• Lock and Alarm Updates Procedures.
• All changes to Lock or Alarm access for a Data Center will need to be approved by the CIO or
  Designee.
• The employee’s name will be added to the “Data Center Access Control List”.
• The access control process should be re-authorized annually on or near July 1st. The Data
  Center Access Control list will be maintained within easy visual proximity to the controlled spaces,
  and with the University Police Department.
4.3 Data Center Access Requirements
Data Centers should be equipped with key card swipe or numeric keypad access controls. Prior to
being granted any unrestricted or unescorted physical access, individuals will need to:
• Have a signed confidentiality agreement on file
• Complete a "Live Scan" background check
• Complete Data Center Access Training as defined by the Information Security Officer (ISO)
• Virtual Access - Devices with virtual access to Data Center Assets, such as remote consoles, should be
  secured with unique passwords and should access Level 1 systems only with Virtual Private Network (VPN)
  connections.
4.4 Unrestricted Data Center Access
Unrestricted Access is limited to campus employees, and consists of unlimited, unrestricted access to all areas
within the Campus Data Center. Personnel granted unrestricted physical access are assigned card key
authorization and provided individual alarm codes for campus Data Center spaces to which they require access
as part of their job function. Personnel with unrestricted physical access are allowed unescorted access as
needed to these rooms at any time, including off-hour access to otherwise closed buildings. Unrestricted physical
access is normally restricted to the System and Network Administration teams within Information Technology
Services.
Employees with unrestricted access may escort individuals without specific approval from the CIO or Designee.
4.5 Access Limited to Authorized Personnel Only
Physical access to the Data Center spaces should be restricted to those with operational need to enter those
spaces. Access is non-transferable. Staff and Administrators should not be permitted to share their keys, key
cards, or alarm codes and should not bring any guests (children, siblings, spouses, colleagues or friends) into the
Data Center at any time without prior approval by the CIO or designee.
4.6 Authorization for Unrestricted and Restricted Access to Data Center Spaces
4.6.1 Visitor Access
Anyone who does not have unrestricted or restricted authorization is considered a visitor. All visitors to the Data
Center will need to adhere to facility guidelines and other best practices as detailed below:
1. Visitors that require access to the Data Center spaces should provide 48 hours advance notice prior
to arrival.
2. Visitors that will be performing work or maintenance on systems or infrastructure should be validated
against names provided in advance by employers.
3. All visitors to Data Center Spaces will be accompanied at all times by an individual with unrestricted
access and need to be entered into the visitor log. All exceptions will need to have prior approval by
the Chief Information Officer (CIO) or designee.
4. Visitors will need to be signed in when entering the campus Data Center to document the time and
purpose of their visit, and will need to sign out when leaving.
4.7 Audit Procedures
The Information Security Officer or designee should review the list of authorized employees on a biannual basis
(January and June) and verify against signed Authorization forms. Equipment installations and removals should
also be reviewed.
4.7.1 Equipment in the Data Center
In order to enhance security and reduce the chance for disruptions, the following policies apply to all equipment
housed in the Data Center:
1. Advance consultation with Enterprise Technology on all hardware and network related procurements
to be housed in the Data Center is required prior to placing orders to ensure the products and/or
services best meet client needs and are certified for standard 19” racks and related power, HVAC,
etc., requirements.
2. An Equipment Form process should be implemented and forms should be completed for all
equipment installations and removals in either the Restricted or Unrestricted zones of the Data
Center. Equipment Forms should be made available from Information Technology.
3. Information Technology should deny access to the Data Center to anyone who intends to install or
remove equipment without some type of change management, installation form or file process being
followed. Equipment surreptitiously installed without prior change management submission in the
unrestricted zone during off-hours may result in a cancellation of authorization for access and
removal of all unapproved equipment from the Data Center.
5.0 DEFINITIONS
HEPA - High-Efficiency Particulate Air is a type of air filter that satisfies certain standards of efficiency.
HVAC - Heating, Ventilating and Air Conditioning.
6.0 REFERENCES
California State University Policy Section 8080