Purpose
This Control sets the requirements which govern physical access control to the University of Chicago Services, Enterprise Data Centers.
Scope
- This Control applies to Staff, Faculty, visitors, contractors, and anyone requiring access to the University of Chicago Enterprise Data Centers. The scope includes:
  - Enforcement of physical access
  - Access audit logs
  - Visitor access
  - Physical keys
The process applies the following NIST level to each Enterprise Data Center unless otherwise specified below:
- 1155 – Moderate
- Hinds – Low
- POD-A – Moderate
- POD-B – Moderate
- POD-C – Moderate
Policy
- All Users, AUTHORIZED or UNAUTHORIZED, will comply with these requirements
- All Enterprise Data Centers will maintain physical access control
- All Enterprise Data Centers access will be monitored and logged through the Campus ID card system and Campus video surveillance system
- All HIPAA-compliant Data Centers will employ cabinet combination locks at minimum
Process
Physical Access General
- Data Center access will be via active, University-assigned ID cards
- All AUTHORIZED personnel will individually “badge” at each entrance to and exit from the Data Center
- Coattail (tailgating) entrance is forbidden
- POD-A, POD-B, POD-C:
  - A sign-in log book will be located at the “Man Trap” entrance for all entering the Data Center.
  - All UNAUTHORIZED visitors entering the Data Center are required to sign in and out
  - UNAUTHORIZED access will be through the “Man Trap” only
- 1155:
  - A sign-in log book will be located at the “Command Center” entrance for all entering the Data Center.
  - Each UNAUTHORIZED visitor entering the Data Center is required to sign in and out
  - UNAUTHORIZED access will be through the “Command Center” only
  - After signing in, access may be repeated through alternate doors while escorted
  - AUTHORIZED staff/faculty access may be through alternate doors but must first sign in at the Command Center
- Log book history will be maintained for no less than 18 months.
- Fields included in the sign-in log: Date, User, Purpose / CAB (Change Authorization Board) ticket, Time in, Time out
- See PE-2 Physical & Environmental Protection for a sample sign-in sheet.
- All Data Center visitors may be asked to provide two forms of identification, which may include:
  - Government photo identification
  - Affiliation ID (for vendors and suppliers)
  - Active University ID
- An approved change ticket is required to access any cabinet or equipment in the Data Center
- AUTHORIZED users are allowed unsupervised access and can escort UNAUTHORIZED visitors in the Data Center
- AUTHORIZED user access will be revoked if the user is found not adhering to the Enterprise Data Center Policy and Process
- Once access is revoked, access reinstatement will require approvals by the offender's senior leader and the Executive Director for Enterprise Applications and Services
- Departments hosting systems in Enterprise Data Centers that lack access to the campus ticketing system are to notify the Command Center via email of pending work and schedule
- Physical keys
  - Will be limited to Enterprise Data Center staff, Building Engineers, and Campus Police only
  - Cabinet keys may be checked out from the Data Center management team or Command Center
  - Keys may be checked out by AUTHORIZED staff only
  - Client cabinet combinations will be managed by each client
  - Cabinet master keys will be maintained by the Data Center management team and Building Engineers only
  - Keys and/or combinations will be changed if:
    - An employee is terminated by the University
    - A key is lost or unaccounted for
Emergency Access
- Emergency access is allowed to those previously granted AUTHORIZED access.
- UNAUTHORIZED users must be escorted by the operations staff or an AUTHORIZED service owner during an emergency repair.
- When possible, Fire, Police, and Campus Police personnel will be escorted through secure areas. If these groups prevent escorting, no other access will be allowed until general access is granted by Campus Police.
Audit
- Logs (electronic and written logbook) as well as authorized access lists are reviewed annually by the Data Center Operations team. Any anomaly is reported to the Director of Data Center Strategy & Operations at the University of Chicago, Information Security, and the Campus Department of Safety and Security, as applicable.
- All incidents of attempted unauthorized access are reviewed and investigated with the Campus Department of Safety and Security and the Information Security team, if applicable
Responsibilities
Listed below are the individuals involved with this PROCESS and the major scope of their responsibility:
- Executive Director for Enterprise Applications and Services
  - Approver for AUTHORIZED access list
  - Set General Policy & Process
- Director, Data Center Strategy & Operations
  - Approver for AUTHORIZED access list
  - Implement Access Control Policy & Process
- Command Center
  - Implement Access Control Policy & Process
- ITS Data Center Governance
  - Approver for AUTHORIZED access request form
  - Review access audit as determined to be required
  - Annual review of Policy & Process
- Authorized Access
  - University of Chicago employee or contractor
  - Service owner with direct responsibility for equipment hosted in the 6045 Computer Room
  - Access has been approved through the accepted approval process
- Unauthorized Access
  - University of Chicago employee or contractor with no direct responsibility for equipment or services hosted in the 6045 Computer Room
  - Access has not been approved through the accepted approval process
Related Documents
Policies and Procedures will be established meeting Moderate and High levels as prescribed in Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53), 5.1.1.
Policy and Procedure documents specific to IT Security, Change Management, and Backup & Recovery:
- Approved Vendor/Contractor List
- Run Book
- CAB Process
Process Review & Approval
Management will perform an annual review of this Process. Based on the review, management may change this Process to reflect its intentions and compliance requirements. Both IT Services and business users will be informed of any changes to this Process and will be provided with a revised Process.