Related policies and additional references:
This policy was reviewed and updated by Information Services in SU18. Due to the nature of the policy I am recommending a review ever other year going forward.
The IS Data Centers provide stable environments, enhanced security, equipment and alarms, uninterrupted power (UPS and generators), high- speed network connectivity, and other features required by the mission-critical resources they contain. The policies and procedures described in this document have been developed to maintain a secure, safe environment and must be followed by individuals working in or visiting the Data Centers. All individuals requesting access or maintaining servers in the Data Center must understand and agree to these procedures. This policy is designed to meet industry standards and align with ITIL methodologies.
The IS Data Centers contain the St. Mary’s University’s enterprise computing and networking resources. Access is controlled to protect both physical resources and enterprise data from unauthorized use, accidental or malicious damage and theft. Access to the Data Centers will only be granted when a legitimate business need is demonstrated. This access policy and procedure document specifies the criteria for granting access to specific individuals or groups. Failure to follow these policies is considered grounds for dismissal and/or prosecution. Failure of a vendor, consultant, or contractor to follow these policies is grounds for termination of agreements and subsequent legal action. Any questions regarding policies and procedures should be addressed to the Department of Network and Infrastructure Technology. This Data Center Access Policy may be suspended in the event of an emergency that requires access for medical, fire, or police personnel.
Data Center Access
Rattler Card swipe access and unsupervised 24×7 access to the Data Centers will only be given to individuals with an approved and demonstrated business need to access the Data Centers on a regular basis, those individuals requiring infrequent access will be granted escorted access as needed. Individuals with unescorted access may escort and supervise unauthorized individuals provided all individuals are logged on entry and exit. Rattler Cards belonging to authorized individuals may not be loaned to unauthorized individuals; such action is grounds for disciplinary action. There are no temporary or blank access cards available. Any employee that forgets or misplaces their Rattler Card will be restricted to escorted access to the Data Centers until his/her Rattler Card is replaced.
Violations of the agreement can result in removal of access. Individuals who violate the policies and are removed from the list may face additional disciplinary actions, pending review by the responsible supervisor.
Levels of Access
Individuals that have an infrequent need for Data Center access will be granted Escorted status and will not have Rattler Card swipe access. This will include vendors. Escorted access will be provided primarily during normal business hours. After-hours escorted access will be on an emergency or pre-arranged basis only. Individuals requesting escorted access must be signed in and out in the Data Center access log by a member of the IS staff. They are required to provide identification on demand and leave the facility when requested to do so. They must not allow any other person access to the Data Center.
Employees that work inside the Data Center and other individuals that have been granted the access based on their job requirements and a demonstrated legitimate business need will have 24/7 access to the Data Center. In the event multiple individuals with unescorted data center access enter simultaneously each individual will swipe their Rattler Card prior to entering. This will ensure each entry is logged and available for audit. Please see Appendix B: Data Center Unescorted Access Procedure for more information.
Data Center Tours
All visitors must sign in and out and must be escorted while touring the Data Centers.
Maintenance and Custodial Staff
University maintenance and custodial staff will need to be escorted when accessing the Data Centers. All facilities staff must sign the access log upon entering and leaving the Data Center.
Periodic Review and Termination of Access
The Director of Network and Infrastructure Technology will review the access list annually and will remove any individuals who no longer have a legitimate business need to access the Data Centers.
As part of the employee exit procedure the IS staff is notified when employees leave the department. An IS Director will request the immediate removal of access rights if the employee has Data Center access.
Data Center Access Log
The Access logs at each Data Center must be maintained at all times by the IS staff. All escorted individuals entering the Data Center must sign the log as they enter and exit for audit purposes.
Access Exception Reporting
Any unauthorized access to the Data Center must be reported to IS Management and must be reported to the Director of Network and Infrastructure Technology who will determine if the incident needs to be reported to the campus police.
Attempts to forcibly enter the Data Center must be immediately reported to campus police.
Any incidents must be documented and stored in the designated location on SharePoint.