Purpose
This Control sets the requirements which govern physical access authorizations to the University of Chicago’s Enterprise Data Centers.
Scope
These Controls apply to faculty, staff, contractors, visitors, and anyone else who requires access to the University of Chicago Enterprise Data Centers. The scope includes:
- Physical access
- Faculty/staff "authorized" and "unauthorized" access
- Vendor access
- Emergency access
- Training related to Data Center Compliance requirements
The process offers the following Enterprise Data Centers Security levels unless otherwise specified below:
- 1155 – Moderate
- Hinds – Low
- POD-A – Moderate
- POD-B – Moderate
- POD-C – Moderate
Note: 1155, POD-A, POD-B, and POD-C meet High for the NIST SP 800-53 physical controls.
Policy
- All users, whether granted "authorized" or "unauthorized" access, must comply with documented requirements.
- Physical access will be granted according to the guidelines listed in the Process section of this Policy.
- Unauthorized staff or Visitors will be escorted at all times while in the Data Center.
- Visitor access to Enterprise Data Centers will require two forms of identification.
- No food or beverages are permitted in the Data Center, Data Center mechanical, or Data Center electrical spaces.
Process
Authorized and Unauthorized Access
General access – All Data Centers – NIST High
- Authorized users are allowed unsupervised access and can escort unauthorized visitors in the data center
- Every authorized user will badge both in and out of the Data Center. No "coat tailing" allowed.
- Authorized Data Center access for system administrators and contractors shall be granted via email approval of the Authorized Access Request form (See sample in Appendix 1 & 2).
- Authorized approval to be granted by any of the following:
  - Chief Information Officer (CIO)
  - Executive Director for Enterprise Applications
  - Director Data Center Strategy & Operations
  - ITS Data Center Governance committee
- Approved access authorization request forms will be returned via the Campus ticketing system to the Operations staff, who will grant physical access to Data Centers as required and approved.
Vendor Authorization
- An Authorized contractor list of approved vendors will be maintained.
- Authorized contractors may sign out a vendor access card granting temporary access to the Enterprise Data Centers on a per-shift basis.
- The vendor card will be returned at the end of the work effort or the end of the day, whichever comes first.
- Unauthorized contractors may be issued a vendor card but MUST be escorted.
NOTE: The vendor card allows access for retrieving tools, bio breaks, and other similar activities.
- Long-term contracted vendors may be granted AUTHORIZED access.
- Contractors granted access may be required to complete required training.
- Vendors will notify the Command Center in advance of all work.
- Vendors will sign in each day work is to be performed.
- Access may be revoked at any time by the University.
Access Termination
- Termination notifications from the Human Resources department will be received by the Command Center.
- For confidential cases (terminations, RIFs, and the like), a member of the Data Center Management team will remove Data Center access.
- For non-confidential termination or mutual separation, access will be removed by the Command Center.
- Failure to adhere to Data Center policy and procedures.
HIPAA
- Completion of the University’s HIPAA training is required for all staff with authorized access to the following Data Centers in which HIPAA-regulated data is stored:
  - 1155 East
  - 1155 West
  - POD-A
  - POD-B
  - POD-C
- Authorized contractors performing general maintenance are exempt from the HIPAA training.
- There is no retraining requirement at this time.
Audit
Quarterly reviews of the access logs (Electronic and written log book) and authorized access list will be performed by the Data Center Operation team.
Responsibilities
Listed below are the individuals involved with this Process and the major scope of their responsibility:
- Executive Director for Infrastructure Services
  - Approver for authorized access list
  - Set General Policy & Process
- Director Data Center Strategy & Operations
  - Approver for authorized access list
  - Set General Policy & Process
  - Implement Access control Policy & Process
- ITS Data Center Governance Committee
  - Approver for authorized access list
  - Implement Access control Policy & Process
- Operations Staff
  - Implement Access control Policy & Process
- OLG (Operations Leadership Group)
  - Approver for authorized access request form
  - Review access audit as determined to be required
  - Annual review of Policy & Process
- Authorized Access
  - University of Chicago employee or contractor
  - Service owner with direct responsibility for equipment hosted in the 6045 Computer Room
  - Access has been approved through the accepted approval process
- Unauthorized Access
  - University of Chicago employee or contractor with no direct responsibility for equipment or services hosted in the 6045 Computer Room
  - Access has not been approved through the accepted approval process
Related Documents
Policy and Procedure documents specific to IT Security, Change Management and Backup and Recovery.
- Daily/Weekly/Monthly Data Center Checklists
- Approved Vendor/Contractor List
- Run Book
- CAB Process
Process Review Approval
Management will perform an annual review of this process. Based on the review, management may change this process to reflect its intentions and compliance requirements. Both IT Services and business users will be informed of any changes to this process and will be provided with a revised process.
Appendix
Sample Faculty/Staff Authorized Access Request
Please grant [User name] access to the 6045 Data Center. This form is being provided via email as signature of my approval. By requesting this access I explicitly agree to all policies and guidelines set forth by IT Services and validate that the employee requiring access has been made aware of all policies and guidelines that pertain to the 6045 Data Center. I and [Employee name] may also be held liable for any negative actions or damages to the 6045 Data Center.
Note: IT Services Infrastructure Services management team reserves the right to revoke access to any of the area(s) at any time, for any reason, without prior notification.
Section I - Employee Information - Employee Requiring Access
Name:
Title:
CNetID:
Phone:
Email:
Department:
Employee ID card number (# beginning 4*XXXX)
Section II - Approving Manager or Director
Name:
Title:
CNetID:
Phone:
Email:
Department:
Section III - Type of Access
Access should be allowed -
[ ] Permanently
[ ] Temporarily, ending on __/__/____ at __:__ CST.
Sample Contractor Authorized Access Request
Please grant [Contractor name] access to the 6045 Data Center. This form is being provided via email as signature of my approval. By requesting this access I explicitly agree to all policies and guidelines set forth by IT Services and validate that the contractor requiring access has been made aware of all policies and guidelines that pertain to the 6045 Data Center. I and [Contractor name] may also be held liable for any negative actions or damages to the 6045 Data Center.
Note: IT Services, Infrastructure Services management team reserves the right to revoke access to any of the area(s) at any time, for any reason, without prior notification.
Section I - Contractor Information
Name:
Company Representative:
Representative Title:
Phone:
Email:
Target equipment and function of contractor:
Section II - Contractor Staff names:
Please list those who will be working on equipment/services listed in Section I:
Name:
Name:
Name:
(Add additional lines as required)
Section III - Approving Manager or Director
Name:
Title:
Phone:
Email:
Department:
Employee CNET:
Section IV - Type of Access
Access should be allowed -
[ ] Permanently
[ ] Temporarily, ending on __/__/____ at __:__ CST
Sample Log Book Sign In sheet
