Washington University in St. Louis strives to provide stable and secure environments for housing systems and related components, which store and manage university data. This document establishes guidelines for access and physical security related to university data centers, regardless of size, location or ownership.
The guideline will serve to:
- Ensure access is controlled to protect both the physical resources and university data from unauthorized use, accidental or malicious damage and theft
- Define appropriate levels of access (LOAs) allowed based on demonstrated business need
- Improve stability and security of systems which store and manage university data
- Support the university’s strategy to incorporate information technology as an integral part of decision-making, competitive positioning and delivery of services
Access is controlled to protect both the physical resources and the university data. Access to university data centers should only be granted when a legitimate business need is demonstrated. This access guideline specifies the criteria for granting access to specific individuals or groups, and the different levels of access allowed.
Entry to university data centers should be controlled through physical security, card swipe or keyed entry. Access should only be granted to named individuals, and cannot be shared or transferred. The only exception is for emergency personnel, for whom shared access can be granted provided the access credentials (swipe cards/keys) are secured when not in use.
Levels of Access (LOAs)
Full Access, or unsupervised 24×7 access, to university data centers should only be given to individuals with an approved and demonstrated business need to access the data centers on a regular basis as part of their primary job duties. These individuals can come and go as needed and are not required to log their entry/exit. For university data centers that do not have 24×7 operator coverage, all individuals who need access as part of their job duties should be granted Full Access.
Unescorted Access, or “knock then enter” access, to university data centers should be given to individuals with an approved and demonstrated business need to access the data centers on an infrequent basis as part of their job duties. These individuals must gain entry from someone with Full Access, and must log their entry and exit to the data center. These individuals do not require an escort while in the data center, and must not allow any other person to access the data center. All Unescorted Access individuals are required to provide identification on demand and leave the facility when requested to do so. University data centers that do not have 24×7 operator coverage should not provide Unescorted Access.
All other individuals are considered unauthorized and granted Escort Only access. These individuals must be accompanied by an escort at all times, and they must log their entry and exit to the data center. Any individual with elevated security who fails to present proper identification should be restricted to Escort Only access. All Escort Only access individuals are required to provide identification on demand and leave the facility when requested to do so.
Individuals with an LOA of Full Access may escort and supervise unauthorized individuals provided all individuals are logged on entry and exit. An escort must remain in the data center the entire time their guest is in the data center.
Maintenance and Custodial Staff
University maintenance and custodial staff should be escorted when provided access to a university data center. All maintenance and custodial staff must sign the access log upon entering and leaving the data center, and inform the data center staff of any maintenance work. The data center staff must enter any maintenance work in the operations log.
Campus first responders, including police, fire, medical and facilities, are granted unescorted access.
The list of individuals with elevated LOAs, both Full and Unescorted Access, should be reviewed periodically and access should be revoked for any individuals who no longer have a legitimate business need. The data center director should review the list at least every 90 days.
A log of access by anyone without an LOA of Full Access must be kept. All such individuals entering a university data center must sign the log as they enter and exit the facility for audit and security purposes.
Access Exception Reporting
Any unauthorized access to a university data center must be logged by the data center staff in the daily operations log and must be reported to the data center director who should determine if the incident needs to be reported to the campus police.
Attempts to forcibly enter a university data center must be immediately reported to campus police. The on-duty data center staff must also report the incident in writing to the data center director.
Tours must be pre-approved by the data center director. All visitors must sign the access log as they enter and exit, and must be escorted while touring the data centers.
Responsibilities for Implementation
Every data center director with operational oversight of a university data center is responsible for implementing and ensuring compliance with Washington University in St. Louis’ Data Center Access and Physical Security Guideline and must initiate corrective action with the proper authorities of the university if it is needed.
- Communicating all applicable guidelines to applicable faculty, staff and students
- Establishing specific goals, objectives and action plans to implement the applicable guidelines
- Actively supporting strong access and physical security measures for university data centers
- Ensuring availability of education and training in data center best practices, including security awareness, to employees whose jobs require them to access, maintain or use university data centers
Updated April 1, 2013