IT FACILITY STANDARD NO. 5 DATA CENTER & IT FACILITY ACCESS

Transcription

1 Function Affected: IT Facilities including data centers and network rooms (BDFs and IDFs) Issued Date: 06/01/15 Issue Superseded: 12/15/13 Number of Pages: 6 I. Background The UCSF data centers and network rooms such as BDFs and IDFs are critical to the health care, academic and research missions as well as University business functions. Ensuring the physical security of these facilities is an important way of protecting these critical assets. The primary goal of this standard is to maximize facility security while at the same time enabling access to those who are authorized. II. Card Key System Access to the data center and some network rooms is restricted via the UCSF card key system (ProWatch). This campus-wide system is administrated by the UCSF Police Department and supported by UCSF Facilities Services. Card key activation and authorization for the Data Centers is managed by the IT Facilities group. Network room access is managed by the Network Operations group. Access is granted based upon the following criteria: 1. Staff with work assignments inside the facility. 2. System administration staff requiring frequent access to the facility during or outside standard work hours to resolve system problems. 3. UCSF Police Officers 4. Facility Services Technicians supporting the facility 5. Members of the IT Departmental Emergency Operation Center responding to a declared emergency. This access is only available for the 654 Minnesota St. location and is limited to the Command Center portion the facility. Page 1 of 6

2 Overall security is improved by limiting the number of individuals with facility access. III. Card Keys Holder Rules Those granted card key access must abide by the following rules: 1. UCSF Photo identification badges must be worn above the waist and be clearly visible, at all times. 2. Card keys must not be loaned or used to allow access to any unauthorized person. 3. Access to all secure areas should be handled with the use of a card key. Card Key holders must not access areas for which they do not have approved authorization. 4. Equipment Log any equipment taken out of the data centers (repair / replacement / de-commissioned, etc.) is to be documented in the log (make, model, description, serial number of the item and if it is part of a system, provide additional info of the parent equipment make, model, description, serial number etc.). The log is to undergo regular review. 5. Card key holders must not touch equipment and supplies belonging to other departments. The IT Facilities group will provide access to tools or other equipment mounting supplies for use at one of the data centers. 6. Lost or stolen card keys must be reported to the card key holder s manager, IT Facilities at (415) and the UCSF Police Department. 7. Everyone requiring access to the data centers outside of regular business hours (0800 to 1700, M-F) must log in and out. 8. Food, drink or other fluids are not allowed in the IT facility equipment areas. 9. All problems or emergency situations must be immediately reported to IT Facilities and Computer Operations for data centers or Network Operations for network rooms. Page 2 of 6

3 10. IT facilities are only to be accessed to meet business requirements. Loitering will not be tolerated. IV. Any rule violation may result in a revoking of card key access. Authorized Entry Without a Card Key A database of all individuals with data center access is maintained in the card key system. This database is the record for all access approval and the source of authorization for granting access to individuals who have forgotten or lost their card key. Any authorized individual granted access without a card key is required to log in and out and agree they will adhere to the Data Center and IT Facility Access Standard policy. The following Identification is required for all data center and IT facility visitors without card key access: 1. UCSF staff members: UCSF ID (Campus and Medical Center) along with government issued photo ID 2. Non-UCSF visitors: Associated vendor (company issued employee ID) along with government issued photo ID V. Vendor and Visitor Access to Perform Work Work performed by vendors and visitors must be documented in an approved change ticket in ServiceNow. The change ticket must include the following critical information: GENERAL INFORMATION 1. Change Request # 2. Associated Vendor Ticket/Case # 3. Brief Description of Work to be Performed 4. Company Name Requesting Access (List Individual s Names in Step #8 Below) 5. UCSF Sponsor Approving Visitor Access 6. UCSF Business Application Owner (if applicable) 7. UCSF Application Admin (if applicable) INDIVIDUALS (UCSF IT & VISITOR) ASSIGNED TO THE WORK & REQUIRE ACCESS 8. List ALL names (UCSF IT & Visitor s) - list names, mobile, title & role of those that require access and scheduled to be in the Data Center or Network Closet Contact Name Mobile # Title & Assigned Role Page 3 of 6

4 during CHG or via remote access into system. DATE & TIME SCHEDULING 9. Scheduled Date & Time of Arrival for Visitor 10. Planned Date(s) for Visitor Access 11. Planned Hours for Visitor Access (Start/End Time) VISITOR ONSITE OR REMOTE ACCESS - If Onsite, complete Steps #12-16 and continue to Step #19. If Remote, complete Steps #17-18 and continue to Step # ONSITE: Who is Visitor Escort Into Data Center or Network Closet? 13. ONSITE: Will Visitor be supervised entire time? If yes, by who? If no, why? 14. ONSITE: If Visitor NOT supervised entire time, what Director approved unsupervised visit? And, explain why unsupervised. 15. ONSITE: Why can t Visitor perform work via remote VPN access? 16. ONSITE: Can Visitor perform work at computer adjacent to Data Center? If no, briefly explain. 17. REMOTE: If remote access, is there UCSF oversight throughout entire CHG, e.g., observing Visitor work via WebEx session? If yes, by who? If no, explain why. 18. REMOTE: If Visitor NOT supervised entire time, what Director approved unsupervised remote access? And, explain why unsupervised. SERVER / SYSTEM CHANGE INFORMATION 19. Host name: > LIST ALL HOSTS. IP: > Cabinet: ----> Rack Unit #: > 20. Are server and/or systems backed up? If not, explain. Provide date of last successful backup. If virtual machine, snapshot required? (Snapshots are deleted 48-hours after capture time) 21. List any other applications on the server. If none, write none. 22. Proceed to ( Visitor Step-by-Step CHG PROCEDURE section below) VISITOR S STEP-BY-STEP CHANGE INFORMATION - INCLUDE VALIDATION & CONTINGENCY PLAN/EXIT STRATEGY CHG PROCEDURE VISITOR STEP BY STEP PROCEDURE OR ATTACH VISITOR MOP DURATION START FINISH COMMENTS Page 4 of 6

5 The change assignee or sponsor must meet the vendor or visitor to escort them and oversee their work. All vendors, regardless of access authorization status must sign the log. Vendors and visitors granted data center access must abide by the following rules: 1. UCSF issued ID must be worn at the waist or above, and clearly visible, at all times. i. Non-UCSF vendors: Present a company issued employee ID along with government issued photo ID (driver license, passport, etc.) ii. Non-UCSF visitors: Present a government issued photo ID 2. Access to all secure areas within the data center should be handled with the use of a card key. Vendors and visitors must not attempt to access card-key controlled areas without the appropriate escort. 3. Vendors and visitors must not touch equipment and supplies other than the equipment they are on-site to support that has been documented in the visitor access template and Change Request ticket. If necessary, IT Facilities will facilitate access to tools or other equipment mounting supplies. 4. Equipment Log Any equipment taken out of the data centers (repair / replacement / de-commissioned, etc.) is to be documented in the log (make, model, description, serial number of the item and if it is part of a system, provide additional info of the parent equipment make, model, description, serial number etc.). The log is to undergo regular review. 5. Food, drink or other fluids are not allowed in the IT facility equipment areas. 6. All problems or emergency situations must be immediately reported to IT Facilities and Computer Operations for data centers or Network Operations for network facilities Page 5 of 6

6 7. IT facilities are only to be accessed to meet business requirements Loitering will not be tolerated. VI. Other Visitors 1. All other visitors must sign the log and be escorted the entire time they are in the facility. VII. Data Center Card Key Access Review 1. An Outlook calendar reminder is set for the Data Center Card Key Access Authorization Review to occur on the second Friday of the first month of each quarter. 2. The Senior IT Facilities Coordinator pulls the ProWatch authorized access report for the Data Center Card Key controlled doors. 3. The reports are sent to the IT Facilities Manager to review. 4. The IT Facilities Manager instructs the Senior IT Facilities Coordinator to deactivate access for any unauthorized individuals. 5. The IT Facilities Manager posts copies of the quarterly report to UCSF Box IT Facilities folder. Page 6 of 6