Standard: Data Center Security



Similar documents
The Importance of Organizing Your SJSU Information Assets

Standard: Application Service Provider Security Requirements

Standard: Retention

IT - General Controls Questionnaire

Standard: Event Monitoring

Standard: Information Security Awareness Training

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard

Data Center Operations and Security Requirements

IT Security Standard: Computing Devices

Standard: Network Security

Standard: and Campus Communication

Standard: Information Security Incident Management

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Standard: Vulnerability Management and Assessment

SITECATALYST SECURITY

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference

REVIEWED ICT DATA CENTRE PHYSICAL ACCESS AND ENVIROMENTAL CONTROL POLICY

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report September 4, 2012

MARULENG LOCAL MUNICIPALITY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Auditing in an Automated Environment: Appendix C: Computer Operations

Information Technology Services Guidelines

California State University, Sacramento INFORMATION SECURITY PROGRAM

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHICO. Audit Report October 19, 2012

Audit Report on the New York City Police Department Data Center 7A06-093

IBX Business Network Platform Information Security Controls Document Classification [Public]

Physical and Environment IT Security Standards

Application Development within University. Security Checklist

Tufts Health Plan Corporate Continuity Strategy

OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire

System Security Plan University of Texas Health Science Center School of Public Health

Physical Security Policy

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

Supplier Information Security Addendum for GE Restricted Data

Rotherham CCG Network Security Policy V2.0

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

HIPAA Privacy and Security Risk Assessment and Action Planning

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY FREQUENTLY ASKED QUESTIONS OVERVIEW CORPORATE CONTINUITY PROGRAM.

Version 1.0. Ratified By

Supplier Security Assessment Questionnaire

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY

Hosted Testing and Grading

ANNEXURE 07: CHECK-LIST FOR OFF-SITE STORAGE FACILITIES

Network Security Policy

HIPAA RISK ASSESSMENT

ULH-IM&T-ISP06. Information Governance Board

PCI Data Security and Classification Standards Summary

Security Control Standard

Data Protection. Secure Media Management. Offsite Tape Vaulting Drives Efficiencies, Enhances Control and Improves Audit Readiness

Ohio Supercomputer Center

BKDconnect Security Overview

INFORMATION SECURITY California Maritime Academy

Resource Ordering and Status System. User Business Resumption Plan

HIPAA Security Alert

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

How To Plan For A Disaster At The University Of Texas

Mike Casey Director of IT

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

White Paper: Librestream Security Overview

BNA FEDERAL CREDIT UNION DISASTER RECOVERY PLAN

Tk20 Network Infrastructure

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM

The Commonwealth of Massachusetts

Information Security. Manual Guideline. Version 3

C.T. Hellmuth & Associates, Inc.

CONTINUITY AND RECOVERY PLANNING GUIDE

Best Practices For Department Server and Enterprise System Checklist

ISO IEC ( ) INFORMATION SECURITY AUDIT TOOL

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee

Administrative Procedure

CHIS, Inc. Privacy General Guidelines

DISASTER RECOVERY PLAN

Retention & Destruction

HIPAA Information Security Overview

Powering the Cloud Desktop: OS33 Data Centers

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive.

Standard: Web Application Development

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

The City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES. Cost-Effective, Legally Defensible Records Management

Silent Safety: Best Practices for Protecting the Affluent

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

SNAP WEBHOST SECURITY POLICY

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

MARQUIS DISASTER RECOVERY PLAN (DRP)

Standard: Patching and Malicious Code Management

Alabama State Port Authority

WASTE Application Form - Dublin Waste to Energy SECTION J ACCIDENT PREVENTION & EMERGENCY RESPONSE

How To Ensure Network Security

Risk and its Impact to(insert company name here) Risk AFTER Mitigation. Objective (A-D)

Continuity Planning and Disaster Recovery

Transcription:

Information Security Standards Data Center Security Standard IS-DCS Effective Date TBD Email security@sjsu.edu # Version 3.0 Contact Mike Cook Phone 408-924-1705 Standard: Data Center Security Page 1

Executive Summary The university data centers provide for the reliable operation of SJSU s computing systems, computing infrastructure, and communication systems. Per ICSUAM 8000, California SAM, local, State, and Federal law, this standard defines the requirements for security controls of machines hosted in SJSU data centers to safeguarding the confidentiality, integrity, and availability of information stored, processed and transmitted by SJSU. Page 2

Revision History Date Action 4/25/2014 Draft sent to Mike 5/13/2014 Reviewed with comments and sent to Mike 12/1/2014 Reviewed. Content suggestions. Added comments. Hien Huynh Page 3

Table of Contents Executive Summary... 2 Introduction and Purpose... 5 Scope... 5 Standard... 5 Storage of Unencrypted Level 1 Information is prohibited on servers... 5 Physical and Environmental Security... 5 Background Check of Employees... 5 Electronic Lock Required... 5 Networking Equipment Locked... 5 Management Control of Access... 5 Physical Need to Access... 5 Removal of Permissions upon Employee separation... 5 Audit of Key Cards... 6 Master Keys... 6 Moisture Detectors... 6 Smoke Detectors... 6 Environmental Reporting... 6 Fire Suppression... 6 Uninterruptible Power Supply (UPS)... 6 Glass Windows... 6 Power Generators... 6 Earthquake Protection... 6 Firewalls between data centers and core networks... 6 Emergency Preparedness and Training... 6 Test Data Center Emergency Procedures... 6 IT Disaster Recovery Plan... 7 Backup Tapes... 7 Food, Drink, Hazardous Materials... 7 Labels on Doors... 7 Data Center Owner Training... 7 Page 4

Introduction and Purpose This standard defines the requirements for security controls of machines hosted in SJSU data centers. This standard is composed to explicitly comply with ICSUAM 8000, California SAM, local, State, and Federal law. Scope This standard applies to all SJSU State, Self-Fund, and Auxiliary ( campus ) computer systems and facilities, with a target audience of SJSU Information Technology employees and partners. This standard applies to any machine storing unencrypted Level 1 data at rest, any machine providing internet-facing services outside the campus border firewall (i.e. Web Servers), and campus core network aggregation points. Standard Storage of Unencrypted Level 1 Information is prohibited on servers For any machine on the campus, storing level 1 unencrypted data at rest on servers is prohibited unless that machine is hosted in an approved SJSU data center. For information classification and handling of Level 1 sensitive data, refer to the Information Classification and Handling Standard. Physical and Environmental Security Additional physical security controls are included in the Physical Security Standard. Background Check of Employees All new employees with entry access to data centers must pass a background check (Livescan) at time of hire. Electronic Lock Required Electronic locks are required on all entry doors to data centers storing level 1 data. Entry logs must be properly maintained showing who entered, time, and date. Entry logs must be maintained for at least 365 days. Networking Equipment Locked Networking equipment, including lab equipment, must be enclosed and locked. Management Control of Access Management needs to have control over access to assets. Physical Need to Access Physical access to locked data center rooms is based on the physical need to access principal. Physical access is limited to individuals required to have access. Service employees, including custodians, should not have electronic access to data center locked rooms. University Police personnel are authorized to access the data center in emergency situations only via electronic lock, if functional, or physical access if necessary. Removal of Permissions upon Employee separation Upon separation of employees, key cards and key should be immediately revoked. Alarm codes should be changed upon employee separation. Page 5

Audit of Key Cards Key cards and physical keys must be audited annually and approved by Data Center management (MPP). Master Keys Physical locks must not accept master keys. Moisture Detectors Moisture Detectors should be in use and placed in data centers, in accordance with the Physical Security Standard. Smoke Detectors Smoke Detectors should be in use and placed in data centers, in accordance with the Physical Security Standard. Environmental Reporting Environmental alerting, such as temperature and moisture is required for server rooms storing level 1 data. Fire Suppression Fire extinguisher or fire suppression for electronic equipment, must be located in each Data Center. Data Centers must not be protected by water-based fire suppression systems. Uninterruptible Power Supply (UPS) UPS power in the data center should be capable of handling backup power in room for minimum of 5 minutes to provide ample time for generator startup. Glass Windows Glass windows to public areas allowing viewing of server rooms are prohibited. Power Generators Power generators capable of sustaining computer operations during a power outage are required for servers storing level 1 data. Earthquake Protection Full-Height server racks which are in excess of three times as tall as they are wide must be affixed to the structure on at least 2 faces to prevent damage in the event of a minor earthquake. Firewalls between data centers and core networks Firewalls are required between SJSU data centers and the core networks, as specified in the Network Security Standard. Emergency Preparedness and Training All personnel with access to data center rooms must undergo emergency preparedness training on an annual basis, including learning how to operate fire extinguishers, suppression, and emergency alarms. Test Data Center Emergency Procedures All data center owners need to develop and test data center emergency procedures annually. Procedures must specify due care for safety and life preservation measures. Page 6

IT Disaster Recovery Plan Data Centers must have an IT Disaster Recovery Plan identifying the critical systems in the data center, the assets necessary for those applications, and the plans for resuming services after an unplanned disruption. Backup Tapes Data center room sensitive servers must use backup tapes sent to an offsite location, in accordance with the Data Retention Standard. Tapes containing level 1 data must be encrypted. Data center backup tapes must be in compliance with CSU Executive Order 1031: Records Retention & Disposition Schedules Food, Drink, Hazardous Materials Food, drink, and hazardous materials are prohibited in Data Centers. Labels on Doors Labels on doors that list data center or telecom closet are prohibited. Data Center Owner Training Data center owners must maintain procedures for training, including the following areas: gaining physical access, removing physical access, visitor access (including logging), stop tailgating, alarm arm/disarm procedures, cleanliness (dust removal), facility services, development access to data center (including logging), and change control (including documentation). Page 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information