PENN STATE DATA CENTERS POLICY IMPLEMENTATION AND PROCEDURES MANUAL

Transcription

1 PENN STATE DATA CENTERS POLICY IMPLEMENTATION AND PROCEDURES MANUAL Page 1 of 19

2 Contents Data Center Access Control... 3 Access Authorization Procedure... 6 Visitor and Vendor Access... 8 Equipment Ordering and Hosting Network Access Equipment Lifecycle and Disposal Capacity Management Appendix: Service Level Agreement Appendix: Sign In Sheet Page 2 of 19

3 Purpose Data Center Access Control This policy sets requirements to govern physical access control to secured areas which house University equipment in the multiple data centers supporting Penn State IT infrastructure. Such equipment includes but is not limited to: servers, networking equipment, central storage, Voice over Internet Protocol (VOIP) and telephone equipment, and other critical systems. Policy GENERAL INFORMATION 1. The Penn State Data Centers will be locked at all times. 2. Authorized persons will be granted unescorted access. a. Authorized persons are building occupants and those that have valid card access to Data Center offices and conference rooms. b. Authorized persons also include those having card sign out authorization into Data Center secure areas. c. Authorized status may be granted to customers, Penn State Information Technology Services (ITS) staff, and long-term contracting or vendor personnel. d. Authorized status is granted at the discretion of the Director of Data Centers or their designee. 3. Visitor status may be granted to Penn State employees requiring temporary access to Data Center offices or conference rooms. 4. Visitor Escort Required status may be granted to persons not employed by Penn State requiring temporary access to Data Center offices or conference rooms or non- Authorized persons needing access to Data Center secure areas. a. Authorized personnel must approve and be responsible for all visitors. b. The visitor must obtain and display a Visitor Escort Required badge at all times. 5. No temporary access card is to be signed out for more than 8 hours. 6. Physical keys are not to be used unless the card swipe is down. Use of a physical key will trigger a forced entry investigation. Access cards are to be used with the card Page 3 of 19

4 BUILDING OCCUPANTS AND AUTHORIZED PERSONNEL 1. PSU ID or Visitor badge MUST be displayed at all times. 2. Access to the building will be via the Main entrance located at the corner of Bigler and Curtin roads (Northeast side of building). The accessible entrance is located at the Northwest side of the building across from the Creamery. 3. The loading dock will be utilized for deliveries and repair vehicle access only. 4. If an Authorized person does not have their card, a temporary office and conference room access card can be checked out with the Operations Center. a. Photo ID is required to check out a temporary access card. b. The temporary access card must be returned to the Operations Center at the end of the employee s shift. Access Management 1. All visitors entering data center facilities are required to sign in and out. 2. Readers must be used for all doors 3. All Data Center locations are secured with electronic locks requiring ID cards for access and are monitored by camera 4. Unsupervised access will be granted to authorized personnel only a. Tailgating or following an authorized person into the data center, even if all persons are authorized, is strongly discouraged. b. Authorized personnel are required to check that the door has locked behind them when entering the data center. Facility Hours 1. Data Center locations may be accessed 24 hours per day for those with authorized access privileges. 2. Normal hours of operation for buildings with Data Center facilities are from 8:00am to 5:00pm. Facility Cleanliness 1. The data centers must be kept clean and free from packaging materials at all times. This includes but is not limited to cardboard boxing materials, bags, foam peanuts, or other filler materials. Page 4 of 19

5 2. Room 125 is a designated receiving area and to be utilized to unbox and dispose of packaging materials. Once the packaging material is removed and all cardboard is discarded, the equipment to be moved into the data center may be moved to its final location or may be stored/staged inside our caged area inside room If accessories such as keyboards, cabling, hard drives, etc. are to be installed at a later time, a plastic bin will be provided to hold these devices prior to installation. 4. If there are any questions regarding facility cleanliness, unboxing equipment or storage/staging, please consult with the data center facilities representatives located in room 201 of the Computer Building. Or send an to dcfacilites@dc.psu.edu. Page 5 of 19

6 Purpose Access Authorization Procedure A significant cause of data center failure is the presence of unauthorized or unmonitored personnel obtaining access to critical facilities. This process supports the goal of securing access to data center facilities for trusted individuals only. Policy Access to data center facilities will be granted only to those personnel with direct responsibilities for servicing and life cycling data center equipment. Procedures Obtaining Data Center Access 1. All candidates for access to University Data Centers are required to have a Penn State Access Account and identification card. Individuals considered for access who do not already possess Access Accounts must obtain them by visiting the Accounts Office. Exceptions will only occur at the request of the Data Center Director. a. Individuals requiring authorization for limited and predetermined periods of time, such as vendor representatives, will be granted Escort Required Visitor access ID valid for the necessary time period only. 2. IT Directors in the candidate s administrative unit will submit a request to Data Center Management on behalf of the candidate individual. The request should include the following information about the candidate: a. Name, position, department, and ID number b. Reason access is necessary c. Equipment with which the individual will interact 3. Data Center staff will follow up promptly with further instructions or decisions regarding access requests. Page 6 of 19

7 Authorization Check 1. A check is run weekly that compares those authorized to enter the data center against the University directory. Any change in status generates an error report and the person's access is removed pending verification. This includes termination, change in department or level of employment. 2. If a change in status is recorded the individual account is verified by sending an to the director of the associated work unit and action to terminate or continue access is then determined. 3. A biannual audit will be performed by ing the director of each IT unit along with providing a list of current authorized personnel. The IT director will verify and/or make any appropriate changes to the list. Page 7 of 19

8 Purpose Visitor and Vendor Access This elaborates on Data Center Access Control. Procedures PSU EMPLOYEES 1. PSU employees visiting a Data Center building must show PSU ID and sign in at the Operations Center. 2. PSU employees will be issued a "Visitor" badge which must be displayed at all times. 3. The Visitor badge will allow access to offices and conference rooms. 4. "Visitor" badges must be returned before leaving the building. VISITORS 1. An Authorized representative must be available to sign in all visitors. Each meeting visitor must be signed in. 2. Visitors will be signed in at the Operations Center and given a "Visitor Escort Required" badge. 3. There may be instances where badges will need to be signed out for longer periods. The period may be extended by request of the Authorized person responsible for escort. 4. The Visitor Escort Required badge is for identification purposes only, and will have no door access associated with them. DATA CENTER WHITE SPACE AUTHORIZED PERSONNEL 1. Verification a) PSU or vendor ID will be required to verify access. b) Verified personnel will be given a temporary access card with the appropriate clearances. 2. Authorized personnel are required to sign in a visitor. a) Individuals will be signed in at the Operations Center. Page 8 of 19

9 DELIVERIES b) A Visitor Escort Required badge will be issued. c) The visitor must be escorted at all times within the White Space. d) Visitor approval is only good for a single entry. 1. The loading dock A/I phone will be used to request access by delivery personnel without an access card. 2. During business hours a) Operations Center staff will temporarily unlock the door via the master console. b) Deliveries will be received by the Staff Assistants in 229 or the Data Center staff. 3. After hours a) The Operations Center should be notified of all after hour deliveries prior to the time of delivery. b) Persons delivering to the building after hours should be directed to the main building entrance. c) Large deliveries requiring use of the dock should be scheduled with the Data Center staff. PHYSICAL PLANT 1. During Business Hours a) OPP employees must present a Work Order to the Operations Center. b) The Work Order number will be noted in the sign in record when the Work Order number becomes available. c) A temporary access card will be issued to the specific areas needed. d) A limited number of Area 5 employees will be pre-authorized 2. After Hours a) Requires a phone call from the Service Desk to the Operations Center stating the emergency. The Operations Center phone number is b) The Work Order number will be noted in the sign in record when the Work Order number becomes available. c) A temporary access card will be issued to the specific areas needed. SHIELDS BUILDING 1. All access to the Shields Building Data Center will follow the same procedures as the Computer Building Data Center. Page 9 of 19

10 2. Temporary access cards will be issued by the Operations Center staff at the Computer Building. Page 10 of 19

11 Purpose Equipment Ordering and Hosting This process outlines the procedure by which a customer requests data center space, equipment delivery and installation. Procedure Request for Equipment Installation 1. The customer or appropriate work unit representative will submit a request for equipment installation to dcfacilities@dc.psu.edu or by visiting and filling in the Request Form. 2. ITS Data Centers will work with the customer to verify that the equipment meets the technical requirements for housing in the Co-Lo, and to facilitate installation as appropriate. Requests must contain information regarding the following: Power, cooling, and space requirements (faceplate information, number of racks or rack-units) Networking requirements Firewall and rule set requirements Load balancing requirements Security and compliance requirements based on the kinds of data to be stored Budget information for billing purposes 3. Orders for new equipment must be delivered to the following address: [Your name] C/O Manager 229 Computer Building The Pennsylvania State University, University Park, PA Page 11 of 19

12 4. When equipment is received, Data Center staff will notify customer to arrange installation. Page 12 of 19

13 Purpose Network Access To provide network access to the customers of the centrally managed enterprise data centers Process At this time network access will be addressed and recommendations forwarded based on the requirements of the customer and the capabilities of the data centers and the Penn State Network. The process will include initial meetings with the Data Center s network engineer(s) and project manager to determine scope and deliverables. Follow up meetings may be required with TNS to determine circuit moves and timelines. A TSR will be required to move or establish connectivity to the data centers. Page 13 of 19

14 Purpose Equipment Lifecycle and Disposal This policy outlines the steps necessary to retire equipment from service. If a customer wishes to replace existing equipment with new equipment, the new equipment must be ordered according to Equipment Ordering and Hosting. Process Equipment Removal Customers will contact dcfacilities@dc.psu.edu upon deciding to remove equipment from the Data Center. Relocation Please coordinate the appropriate times for removal and relocation. Relocation expectations should be at a minimum of 48 hours. Salvage Please complete a salvage disposition form through IBIS to arrange pickup of retired equipment. Important Note: When filling out the disposition form, in the notes section, indicate "for inventory purposes only" Data Center personnel will arrange pickup of all items indicated. Treatment of Sensitive Data Use best practices to destroy any media that might possibly contain personally identifiable or otherwise sensitive information. Penn State Salvage will be able to assist in data destruction if notified Page 14 of 19

15 Capacity Management Future Topic for Governance Page 15 of 19

16 Appendix: Service Level Agreement This document is an agreement between Penn State ITS Data Centers and Customers defining the scope, requirements, and responsibilities for the information technology equipment and co-location computing services provided by ITS Data Centers. Definitions ITS Data Centers refers to the unit of Penn State Information Technology Services, its staff and facilities. Customer refers the administrative unit contracting for co-location services with ITS Data Centers. Service Contact refers to the individual designated by the Customer to be directly responsible for managing the Customer s use of ITS co-location services. In this agreement, tasks and responsibilities assigned to the Customer extend to the Service Contact. Co-Lo refers to those physical spaces which house co-location computing equipment and necessary infrastructure. For the purposes of this agreement, the term specifically refers to the designated, enclosed area within the raised-floor data room located at 139 Computer Building. Responsibilities ITS Data Center Staff agree to: 1. Provide a facility for co-location computing services with the following equipment specifications: a. Racks: Wide-body 32 enclosure with 42-unit capacity. Blanking panels are available for use between rack-mounted equipment to manage airflow b. Power Distribution Units (PDUs): 3-phase, with standard C13 and C19 receptacles. c. Cable trays: Overhead conduits for the management of networking cables. d. Structured cable: Pre-terminated and custom length cable, whether fiber or copper, delivered via cable trays. Page 16 of 19

17 e. Busway: Overhead power busway (StarLine) that accepts receptacle/ breaker assemblies to connect PDUs to facility power. f. Power: Electric power supported with redundant connections, and with UPS and generator backups. g. Cooling: Air-conditioned facilities with N+1 redundancy and generator support. h. Network: Connection to the ITS network via structured cabling. The Customer agrees to: 1. Follow all established policies and procedures regarding equipment ordering, setup, and lifecycle. 2. Maintain the Co-Lo floor and housed equipment in a tidy and orderly manner. Termination of Agreement This agreement is subject to termination by either party provided a minimum of 30 day notice is given to the other. Termination by Customer 1. The customer may request termination of services at any time via a written notice delivered 30 days prior to said termination. All equipment must be removed no later than 30 days following the date of termination. If equipment is not removed within the 30 days following termination, ITS Data Center staff reserves the authority to remove the customer s equipment from the racks and return it to the address of record. The customer is responsible for reimbursing ITS Data Centers for any costs associated with the removal and transportation of equipment. Termination by ITS 1. ITS Data Centers reserves the right to terminate service in the event that payment has interrupted or ceased. In such an event, ITS Data Centers will issue a written notice to the Customer requesting payment to re-establish service. The customer will have 30 days to resume regular payments. In the event this notice has gone unanswered, the ITS Data Center staff will have the authority to remove the customer s equipment from the racks and return it to the address of record. The customer is responsible for reimbursing ITS Data Centers for any costs associated with the removal and transportation of equipment. Page 17 of 19

18 2. Termination of service provided to a college or work unit may be necessary in the event that capacity has been reached in the Co-Lo, and it has been determined by review that equipment belonging to the Customer does not provide a service critical to the operation of the University. I agree to the conditions outlined in this document: Customer / Service Contact Director of Data Centers ITS Data Centers Facilities Contacts: Brett Dixon, Austin Lewis Please send all correspondence to dcfacilities@dc.psu.edu Page 18 of 19

19 Appendix: Sign In Sheet Page 19 of 19