3.64 Physical Access
Purpose
Physical access to the server/communications room is restricted to individuals who require such access to perform their job responsibilities. Management approval is required before access is granted, and there is periodic review of all individuals with access rights.
Scope
The main objective of Privileged user control is to monitor all physical access to systems (buildings, server rooms, computer rooms) and to verify that only persons with proper credentials can access them. Users performing unauthorized activities should be quarantined and their privileges reviewed. All components of the network are to be physically secured in an environmentally safe location, permitting access only to those authorized to operate and maintain it and to those required to provide access during off-hours emergencies.
Physical keys are issued to these employees and to selected vendors. All access is approved by the IT staff. Any changes to the access list will be discussed in the monthly IT finance meeting.
Section I: Granting Access
Access is granted, revised and/or revoked as stated in the Control 11: Staff Changes policy.
Section II: Computer Room Requirements
All computing and communication devices necessary for the operation of the network, applications, databases, and equipment linking to the Wide Area Network (WAN) and/or e-mail system are to be installed in rooms assigned exclusively to this purpose (a “server cage”). This equipment specifically may NOT be installed in multipurpose rooms, such as file rooms, storage rooms, libraries, open office space, or hallways and corridors. However, this equipment may be co-located with other telecommunications equipment, such as PBXs or voice switching equipment.
- The computer room must be lockable and must be locked at all times, by key lock, code lock, magnetic card lock, or other access restriction device. The server room is locked but accessible 24 hours a day, and only to authorized persons.
- If this is a data center hosting sensitive client data, an auditable card access or biometric system must be employed along with a suitable CCTV surveillance system. (Key locks and key codes are not compliant with most client MSAs and WPP GCC controls, as they cannot be audited to the accountability of the individual user.) A biometric system is in place, as well as one-person-at-a-time entry (mantrap) and video surveillance throughout the data center.
- If key or card locking is used, a record of all keys or key cards, and to whom assigned, must be kept. Keys or key cards must be recovered as part of the exit process for terminating employees. Public Safety personnel are notified of employee termination to disable key cards.
- Access to the room must be limited to those assigned the responsibility to operate and maintain this equipment, as well as other management necessary to provide adequate emergency access at all times. Only authorized persons, or selected vendors for material pick-ups and deliveries, are allowed in the building. Access is provided via the Joiners/Leavers/Changers policy.
- The authorized access list will be reviewed by the data center manager monthly, along with confirmation of his authorization of the current list. Additions to and revocations from the authorized list are made by the data center manager and kept by the data center manager in evidence as an audited item.
- A log of all people entering the data center facility is to be kept. The log is to show the individual's name, time entered, time left and, if a written log, the purpose and signature. An entry log is obtained upon request during an audit or by upper management.
- The log will be reviewed by the data center manager monthly, along with notes made by the data center manager rectifying any anomalies, and will be kept by the data center manager in evidence as an audited item.
- Visitors to the computer room must be accompanied by IT staff and are never to be left alone in the computer room. Visitors must be accompanied by an IT staff member in order to enter the premises. On arrival, the visitor must sign in with their printed name, company, purpose, and the date and time in, and initial the entry; on leaving the facility, the visitor must sign out with their printed name and the date and time out.
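The monthly entry-log review described above, as an added example that is not part of this policy: it reconciles a constructed entry log against a constructed authorized access list and flags entries by unlisted persons, visitors without an IT staff escort, and missing sign-outs for the data center manager to rectify. The names, dates, log layout and the IT_STAFF escort list are assumptions.

```python
"""Monthly entry-log review: reconcile a data-center entry log against the
authorized access list and flag anomalies for the data center manager.
Added example, not part of the policy; names and log lines are constructed."""
from dataclasses import dataclass

AUTHORIZED = {"alice", "bob"}   # constructed authorized access list
IT_STAFF = {"alice"}            # constructed: staff who may escort visitors

@dataclass
class Entry:
    name: str
    time_in: str      # "YYYY-MM-DD HH:MM"
    time_out: str     # "" if the person never signed out
    purpose: str
    visitor: bool     # True for visitors, who must be escorted
    escort: str       # IT staff member escorting a visitor, "" otherwise

def parse_log(text):
    """Parse a constructed CSV log: name,in,out,purpose,visitor(Y/N),escort."""
    entries = []
    for line in text.strip().splitlines():
        name, t_in, t_out, purpose, vis, escort = [f.strip() for f in line.split(",")]
        entries.append(Entry(name.lower(), t_in, t_out, purpose, vis == "Y", escort.lower()))
    return entries

def review(entries, authorized=AUTHORIZED, it_staff=IT_STAFF):
    """Return a list of (name, time_in, reason) anomalies to be rectified."""
    anomalies = []
    for e in entries:
        if not e.visitor and e.name not in authorized:
            anomalies.append((e.name, e.time_in, "entry by person not on authorized list"))
        if e.visitor and e.escort not in it_staff:
            anomalies.append((e.name, e.time_in, "visitor without IT staff escort"))
        if not e.time_out:
            anomalies.append((e.name, e.time_in, "no sign-out recorded"))
        if not e.purpose:
            anomalies.append((e.name, e.time_in, "purpose not recorded"))
    return anomalies

# Constructed sample log covering one review period
SAMPLE_LOG = """
alice,2024-03-04 08:55,2024-03-04 09:40,patch rack 3,N,
bob,2024-03-04 13:10,,replace failed disk,N,
carol,2024-03-05 10:00,2024-03-05 10:30,cabling,N,
dan,2024-03-06 14:00,2024-03-06 15:00,vendor delivery,Y,alice
erin,2024-03-07 09:00,2024-03-07 09:20,HVAC inspection,Y,
"""

if __name__ == "__main__":
    for name, when, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{when}  {name:6s}  {reason}")
```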
Section III: Environmental Controls
All computer rooms are to be protected from damage by fire, water, temperature excesses, and electro-magnetic and static electricity discharge. Power disruptions, environmental control failures and activation of fire suppression systems are detected by alerting systems embedded in the devices designed to detect such events, and these events are logged. Sophisticated HVAC, fire suppression and seismic engineering capabilities protect the server room from natural and man-made catastrophes.
Section IV: Fire Protection
- All fire suppression systems deployed within Data Centers are maintained up to date and tested regularly. IT uses dry fire suppression when necessary.
- If the computer room is on the building sprinkler system, plastic sheeting should be immediately available to prevent water damage to equipment.
- All computer rooms must be equipped with fire extinguishers (designed for electrical fires).
- All computer rooms must be equipped with smoke detectors installed in sufficient numbers for the square footage of the room by manufacturer’s specifications.
- No combustible material (e.g.: cleaning fluids, solvents, bulk paper storage, etc.) or materials capable of explosion (e.g.: aerosol cans) may be stored in the computer room. No combustible material is stored in the server room. Only plastic containers are used for storage.
- Smoking is not allowed in computer rooms. Smoking is not allowed in any buildings on campus.
- No food, drink, or food preparation equipment of any type is permitted in the computer room (e.g.: hot plates, coffee pots, microwave ovens, immersion heaters, etc.). All employees have been advised that no food or drink of any kind is allowed in the server room.
- Trash is to be stored in appropriate containers and emptied frequently enough that the container does not overflow. Large trash cans have been placed immediately inside of the gated entry to dispose of any and all trash.
Section V: Water Protection
- Computer rooms are to be located away from potential sources of water damage. The server room is located where no water can damage the location or anything inside of it.
Section VI: Temperature Control
- Computer rooms must be air-conditioned. Computer rooms must have dedicated air conditioning systems amply rated to keep systems cool, backup power systems adequate to sustain systems according to agreed availability levels, fire suppression systems, and secured doors with access control systems. The server room is air conditioned, and the air conditioning is on at all times to keep the data center cool. Recommended temperature is ______ degrees F.
- If a computer closet contains more than 3 file servers, and/or a minicomputer, and/or a mainframe, and/or a telephone switch, separate air-conditioning must be installed. (Note: an alternative is a branch of the building air-conditioning that can be thermostatically controlled from within the computer room).
Section VII: Other Environmental Controls
- Dust and Debris. Computer rooms must be kept free of dust and small particles that can be airborne.
- Electro-magnetic emissions. Computer rooms should never be located where there is danger of high-frequency electro-magnetic energy emission, such as in places exposed to high-tension electrical wiring, radio transmitters, microwave towers, x-ray equipment, or magnetic devices (such as security scanning devices).
Section VIII: Network Wiring Hubs and Other Such Devices
Network wiring hubs and other such devices that cannot be centrally located in the locked cage are to be installed in telephone closets or other locations not accessible to the general office population.
- These rooms are NOT to be marked with any indication of their content.
- These rooms or closets are to be locked at all times, with access to the room limited to those assigned the responsibility to operate and maintain this equipment, as well as other management necessary to provide adequate emergency access at all times.
Section IX: Electrical Supply
- Computer rooms must be equipped with adequate electrical power to support the installed devices and to prevent “brown outs” caused by abnormal power demands and the resulting computer malfunction.
- All servers, whether in the computer room or elsewhere, should be equipped with power conditioners to protect equipment from electrical spikes. All closets in the server room are equipped with dual power supplied PDV’s.
- Devices installed in the computer room must be equipped with “uninterruptable power supplies” (UPS) that will provide battery power to the devices, allowing enough time for an organized shutdown of the devices and network in the event of a power failure.
- These devices may be installed in a variety of ways, and at a variety of cost points, providing UPS capabilities to (a) the entire electrical distribution system of the room, (b) to racks of equipment, or (c) to individual devices.