DoIT Data Center Access Control Policy

This document details DoIT's data center access control policy.

Table of Contents

Preface
1.0 Scope
2.0 Purpose
3.0 Responsibility
4.0 Communication of Policy
5.0 Categories of Access
6.0 Permanent Access
7.0 Long-Term Access
8.0 Short-Term Access
9.0 Escort-Only Access
10.0 Tour Access
11.0 SEO Staff Offices Access (B332)
12.0 Badge Visibility
13.0 Use of Photo and Video Equipment
14.0 Conduct of Authorized Users
15.0 DC Access Control
16.0 Forms

Preface

In response to Legislative Audit Bureau findings, access controls needed for campus and system ERP deployments, requests to potentially house payment-card industry (PCI) and Federal Information Security Management Act (FISMA) regulated data, and independent security assessments of DoIT's data centers conducted by CORE BTS, Inc. and UW Policy & Security, DoIT's Systems Engineering & Operations staff have been engaged in a year-long effort to assess, document, and remediate access control concerns for the Dayton Street and Walnut Street data centers. The increased security protocols follow guidelines from NIST, ISO/IEC, PCI, and other sources, and are modeled on best practices at other universities such as the University of Washington and CIC partners.

Working with the UW Police Department (UWPD) and UW Facilities Planning & Management (FP&M) staff, the following recommendations have been implemented:
  1. Simplify management of control systems and establish business procedures across DoIT, UWPD, and FP&M. A single authority should grant and audit access to the data centers.
  2. Establish process for review and authorization of staff to access data center facilities. Access levels should include permanent, long-term, short-term, escort-only, and a special category for tours and special events.
  3. Eliminate the mix of physical key and card-reader access through the use of card-reader-only access. Two-factor authentication (card-reader and PIN) should be used at key access points to critical facilities to provide protection in case an ID badge is lost.
  4. Eliminate all hard key access except for a special master key held by UW Police & Security staff. This includes removing key access for building managers.
  5. Provide a two-stage access control barrier before an individual reaches the data center. Utilize the SEO front office area as an access control point. Maintain entry/exit log books at this location. Triage requests for access to appropriate parties (requests for badge access, requests for escort access, requests for tours or special events).
  6. Eliminate the use of the B347 conference room for activities other than those necessary for SEO operations. Minimize extraneous traffic in the main access hallway to the data center.
  7. Increase auditable video surveillance. Provide video coverage for all essential facilities, access points, and sensitive areas. Provide periodic audits that video access records match card reader records to ensure that all staff swipe in and out of sensitive areas and that we do not have unauthorized people "piggybacking" on an authorized individual's access.
  8. Provide visible video monitoring for operations and other key staff. This provides a safety service for those staff needing to leave the secured area for shift changes, restroom, food/beverage, and other breaks.
  9. Provide alarm and notification systems to mark unauthorized access or egress with appropriate escalation by SEO staff and by UW Police. UW Police will conduct access policy enforcement as SEO staff are not in a position to intervene in a problem situation.
Addressing these points has led to physical and policy modifications for the data centers. Physical changes include: door/latch reinforcement, additional access control points, two-factor PIN pad installation, additional cameras, security glass, door alarming, hardened keyways, a DC Access Control check-in window, and other physical space modifications. These changes have largely been completed. Video monitoring has been increased with visible displays in the operator's area and at the main SEO reception desk. Specific duties related to data center security have been written into the position description for the SEO program assistant located in B332.
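Recommendation 7 above calls for periodic audits that card-reader records match video records, so that everyone swipes in and out and nobody piggybacks on another person's access. The following is an added example of how such a reconciliation can be scripted; it is not part of the DoIT policy and does not describe any UW system. The log layouts, the door name DC-MAIN, the badge numbers and the five-second matching window are assumptions, and every log line is constructed sample data.

```python
# Added example: reconcile card-reader events with video audit records.
# Log formats, door name, badge numbers and the 5-second window are
# assumptions; all log lines below are constructed, not real records.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reader log: <timestamp> <door> <IN|OUT> <badge> <GRANTED|DENIED>
READER_LOG = """\
2016-03-04T08:00:05 DC-MAIN IN  1001 GRANTED
2016-03-04T08:00:07 DC-MAIN IN  1002 GRANTED
2016-03-04T08:31:10 DC-MAIN IN  1003 GRANTED
2016-03-04T09:15:00 DC-MAIN OUT 1001 GRANTED
2016-03-04T09:15:02 DC-MAIN OUT 1002 GRANTED
2016-03-04T10:02:44 DC-MAIN IN  1004 DENIED
2016-03-04T10:02:46 DC-MAIN IN  1002 GRANTED
2016-03-04T11:00:00 DC-MAIN IN  1003 GRANTED
2016-03-04T11:30:00 DC-MAIN OUT 1005 GRANTED
"""

# Constructed video review: one line per observed door opening,
# <timestamp> <door> <IN|OUT> <number of people who passed through>
VIDEO_LOG = """\
2016-03-04T08:00:06 DC-MAIN IN 2
2016-03-04T08:31:11 DC-MAIN IN 2
2016-03-04T09:15:01 DC-MAIN OUT 2
2016-03-04T10:02:47 DC-MAIN IN 1
2016-03-04T11:00:01 DC-MAIN IN 1
2016-03-04T11:30:01 DC-MAIN OUT 1
"""


@dataclass(frozen=True)
class ReaderEvent:
    ts: datetime
    door: str
    direction: str
    badge: str
    granted: bool


@dataclass(frozen=True)
class VideoEvent:
    ts: datetime
    door: str
    direction: str
    persons: int


def parse_reader_log(text):
    events = []
    for line in text.splitlines():
        ts, door, direction, badge, result = line.split()
        events.append(ReaderEvent(datetime.fromisoformat(ts), door, direction,
                                  badge, result == "GRANTED"))
    return sorted(events, key=lambda e: e.ts)


def parse_video_log(text):
    events = []
    for line in text.splitlines():
        ts, door, direction, persons = line.split()
        events.append(VideoEvent(datetime.fromisoformat(ts), door, direction,
                                 int(persons)))
    return sorted(events, key=lambda e: e.ts)


def find_piggybacking(reader, video, window=timedelta(seconds=5)):
    """Flag door openings where the camera saw more people than there were
    granted swipes at that door and direction within +/- window.
    Denied swipes do not open the door, so they never count."""
    findings = []
    for v in video:
        swipes = [r for r in reader
                  if r.granted and r.door == v.door
                  and r.direction == v.direction
                  and abs(r.ts - v.ts) <= window]
        if v.persons > len(swipes):
            findings.append((v.ts, v.door, v.direction, v.persons, len(swipes)))
    return findings


def find_passback_violations(reader):
    """Track who is inside the secured area from granted swipes alone.
    An IN while already inside, or an OUT with no prior IN, means a swipe
    was skipped on the way out or in (tailgating) or the badge is shared.
    Returns the violations and the badges still inside at the end of the
    log. Assumes a single secured area behind all readers."""
    inside = set()
    findings = []
    for r in reader:
        if not r.granted:
            continue
        if r.direction == "IN":
            if r.badge in inside:
                findings.append((r.ts, r.badge, "IN while already inside"))
            inside.add(r.badge)
        else:
            if r.badge not in inside:
                findings.append((r.ts, r.badge, "OUT without prior IN"))
            inside.discard(r.badge)
    return findings, sorted(inside)


if __name__ == "__main__":
    reader = parse_reader_log(READER_LOG)
    video = parse_video_log(VIDEO_LOG)
    for f in find_piggybacking(reader, video):
        print("piggybacking?", *f)
    violations, still_inside = find_passback_violations(reader)
    for f in violations:
        print("passback:", *f)
    print("still inside at end of log:", still_inside)
```

On the constructed data the first check flags the 08:31 opening (two people seen, one granted swipe), and the second flags badge 1003 entering twice without an exit and badge 1005 exiting without an entry; the two checks are complementary, since the video check catches a tailgater at the door while the passback check catches the same person later, when the badge holder's next swipe no longer matches their tracked state. The matching window should be tuned to how long the door stays unlocked, and a multi-door facility needs presence tracked per secured area rather than per reader.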

1.0 Scope

1.0.1 Document the policy and procedures for requesting, reviewing, authorizing, assigning, and maintaining access rights for those who need to perform services or visit Division of Information Technology (DoIT)-managed data centers at the University of Wisconsin-Madison (UW-Madison).

2.0 Purpose

2.0.1 In support of UW-Madison DoIT data center access and physical security, these policies and procedures provide a strong security strategy that protects DoIT employees, data, and resources entrusted to DoIT by UW-Madison and its customers. These procedures are intended to clarify access requirements for all DoIT-managed data centers.

3.0 Responsibility

3.0.1 UW-Madison DoIT Data Center Access Control (DC Access Control) is responsible for assigning access rights to individuals for secured areas under its control based on management-approved requests and for issuing all temporary security badges provided to DC Access Control by the UW-Madison Police Department (UWPD). DC Access Control is the security liaison between UW-Madison, DoIT, and anyone having equipment in DoIT data centers.

4.0 Communication of Policy

4.0.1 All sponsors of individuals with authorized access to DoIT data centers are responsible for ensuring those individuals are aware of and comply with the policies and procedures identified in this document.

4.0.2 All personnel who are authorized to access DoIT data centers must read, understand, and comply with the policies and procedures identified in this document.

5.0 Categories of Access

There are five categories of access to DoIT data centers: Permanent Access, Long-Term Access, Short-Term Access, Escort-Only Access, and Tour Access:
  • 5.1 Permanent Access
    • For UW-Madison employees with a business need to provide services in DoIT data centers
    • Requires a valid Wiscard
    • Requires a UW-Madison supervisor as a sponsor
    • No escort required
    • Refer to section 6.0 for details regarding the acquisition of Permanent Access
  • 5.2 Long-Term Access
    • For contractors/vendors who have long-term support agreements to provide services for equipment in DoIT data centers
    • Requires a DoIT supervisor as a sponsor
    • No escort required
    • Refer to section 7.0 for details regarding the acquisition of Long-Term Access
  • 5.3 Short-Term Access
    • For those with limited-term engagements to provide a defined service over a defined period of time
    • For individuals who are familiar with data center policies
    • Requires DC&SCS manager sponsorship
    • No escort required
    • Refer to section 8.0 for details regarding the acquisition of Short-Term Access
  • 5.4 Escort-Only Access
    • For co-location customers or contractors without long- or short-term access
    • Requires a DC Access Control-approved escort at all times while in DoIT data centers
    • Appointments for access should be scheduled at least 24 hours in advance
    • Badges are issued at the DC Access Control point (refer to section 15) at the time of access
    • Refer to section 9.0 for details regarding the acquisition of Escort-Only Access
  • 5.5 Tour Access
    • For individuals with no primary business need to access DoIT data centers other than for education or demonstration purposes
    • Tour appointments must be scheduled at least 24 hours in advance
    • Badges are issued at the DC Access Control point (refer to section 15)
    • Requires a DC Access Control-approved escort at all times while in DoIT data centers

6.0 Permanent Access

6.0.1 Permanent access is generally approved for UW-Madison DoIT staff when job duties require access to DoIT data centers.
  • 6.1 Obtaining Permanent Access
    • 6.1.1 In order to be granted permanent access to DoIT data centers, the applicant must:
      • 6.1.1.1 Complete the required permanent access request form (obtainable from DC Access Control) and submit it to DC Access Control (refer to section 15).
      • 6.1.1.2 Obtain approval from the requester's supervisor, the DC&SCS manager, and the System Engineering & Operations (SEO) director.
      • 6.1.1.3 Have a valid Wiscard that is also in the Central Card Access System (CCAS). Refer to http://www.wiscard.wisc.edu/service.html for details.
      • 6.1.1.4 Visit DC Access Control to select a PIN and have approved access areas assigned.
  • 6.3 Replacing Permanent Access Badges
    • 6.3.1 Lost or stolen badges must be immediately reported to DoIT Data Center Access Control via email dcaccesscontrol@doit.wisc.edu or call 608-890-3193
    • 6.3.2 For damaged, lost, or stolen badges, get a replacement Wiscard. Refer to http://www.wiscard.wisc.edu/service.html.
    • 6.3.3 Notify DC Access Control when a replacement Wiscard is issued so access rights can be transferred to your new Wiscard.
    • 6.3.4 If required, a temporary badge will be issued by DC Access Control until the replacement Wiscard is obtained. Refer to section 8.0.1.

7.0 Long-Term Access

7.0.1 Long-Term Access is generally granted to vendors who have annual support contracts to perform routine and emergency support of hardware and software used in DoIT data centers.
  • 7.1 Obtaining Long-Term Access
    • 7.1.1 Requests for long-term access must be initiated by a DoIT sponsor using the long-term access request form, available from DC Access Control (refer to section 15).
    • 7.1.2 DC Access Control will process each request.
    • 7.1.3 UWPD will issue approved badges.
    • 7.1.4 The applicant must visit DC Access Control with badge to have a PIN and approved access areas assigned.
  • 7.2 Maintaining Long-Term Access
    • 7.2.1 Badges must not be altered or defaced in any way; badges must not be bent, written on, have anything affixed to, or have holes punched in them.
    • 7.2.2 The individual's DoIT sponsor must immediately report any change in job duties or employment status to DC Access Control that would change the need to have data center access.
    • 7.2.3 The individual must retain sole possession of the badge for the duration of their approved use. The individual is responsible for badge use. Badge use is not transferable and cannot be shared.
  • 7.3 Replacing Long-Term Access Badges
    • 7.3.1 Lost or stolen badges must be immediately reported to DoIT Data Center Access Control via email dcaccesscontrol@doit.wisc.edu or call 608-890-3193
    • 7.3.2 If a card is damaged, lost, or stolen, it must be reported to DC Access Control. A replacement badge can be obtained from UWPD Access Control. Refer to section 7.1.3.
    • 7.3.3 If a replacement badge cannot be obtained within an appropriate amount of time, a temporary badge can be issued by DC Access Control. Refer to section 8.0.1.
  • 7.4 Returning Long-Term Access Badges
    • 7.4.1 A badge assigned to an individual is non-transferable and may not be used by anyone other than the assigned badge holder.
    • 7.4.2 Return the badge to DC Access Control (refer to section 15).

8.0 Short-Term Access

8.0.1 Short-Term access is generally assigned to those who only require data center access for short-term project work.

Short-term badges can sometimes be issued as temporary replacements to previously-approved individuals who currently don't have their assigned badge or are in the process of replacing a lost, stolen, or damaged badge.
  • 8.1 Obtaining Short-Term Access
    • 8.1.1 Requests for short-term badges must be initiated at the direction of the DC&SCS manager using the short-term access request form available from DC Access Control (refer to section 15).
    • 8.1.2 DC Access Control will process each request
    • 8.1.3 DC Access Control will issue approved short-term badges
    • 8.1.4 The applicant must visit DC Access Control to obtain the badge and a PIN. The applicant will have to present government-issued identification.
  • 8.2 Maintaining Short-Term Access
    • 8.2.1 Badges must not be altered or defaced in any way; badges must not be bent, written on, have anything affixed to, or have holes punched in them.
    • 8.2.2 The individual must retain sole possession of the badge for the duration of their approved use. The individual is responsible for badge use. Badge use is not transferable and cannot be shared.
  • 8.3 Replacing Short-Term Access Badges
    • 8.3.1 Lost or stolen badges must be immediately reported to DoIT Data Center Access Control via email dcaccesscontrol@doit.wisc.edu or call 608-890-3193
    • 8.3.2 If a card is damaged, lost, or stolen, it must be reported immediately to DC Access Control. A replacement can be obtained in person from DC Access Control. Refer to section 8.0.1.
  • 8.4 Returning Short-Term Access Badges
    • 8.4.1 A badge assigned to an individual is non-transferable and may not be used by anyone other than the individual the badge was assigned to.
    • 8.4.2 Surrender the badge to DC Access Control (refer to section 15) upon request.

9.0 Escort-Only Access

9.0.1 Escort-only access is generally for co-location customers, contractors, or vendors who have not been approved for short- or long-term access. This is typically for situations where less than one day of work needs to be performed. The work will be monitored at all times by a DC Access Control-approved escort.
  • 9.1 Obtaining Escort-Only Access
    • 9.1.1 Requests for escorted access to DoIT data centers must be arranged by communicating with the individual's DoIT contact, who will facilitate scheduling with DC Access Control.
    • 9.1.2 Requests should be scheduled with DC Access Control at least 24 hours in advance.
    • 9.1.3 Escorted groups will be limited to three individuals.
    • 9.1.4 The escort will be a DoIT employee with Permanent Access.
    • 9.1.5 Individuals with approved Escort-Only Access must sign in at DC Access Control, obtain an Escort-Only badge, and meet their escort. Government-issued photo identification will be required.
  • 9.2 Returning Escort-Only Access Badges
    • 9.2.1 When the work is finished, the individuals must return their badges and sign out at DC Access Control.

10.0 Tour Access

10.0.1 Tours of a DoIT data center are granted under limited circumstances. Tours are for educational purposes and are for viewing only.
  • 10.1 Obtaining Tour Access
    • 10.1.1 Requests for tours must be arranged with DC Access Control in person, by phone, or via email (refer to section 15). Include the purpose of the tour, names of those attending, and preferable dates and times.
    • 10.1.2 Tours must be approved by the DC&SCS manager (or their designee).
    • 10.1.3 Tours must be requested at least five business days in advance.
    • 10.1.4 A Data Center Team tour guide will coordinate the tour.
    • 10.1.5 Approved tour groups will meet their tour guide at DC Access Control, sign in, and be issued their tour badge(s). Individuals in the tour group will be required to present government-issued photo identification.
    • 10.1.6 The tour will be escorted at all times when in DoIT data centers.
  • 10.2 Returning Tour Badges
    • 10.2.1 When the tour is finished, the individuals must return their badges and sign out at DC Access Control.

11.0 SEO Staff Offices Access (B332)

11.0.1 Access will be maintained at the same level defined in section 6.0.

12.0 Badge Visibility

12.0.1 While in DoIT data centers or related secured areas, badges must be worn with the photo visible at all times. Acceptable badge display areas are the chest or either front hip.

13.0 Use of Photo and Video Equipment

13.0.1 Taking pictures or video is not allowed within DoIT data centers except by DoIT employees with Permanent Access.

13.0.2 Exceptions to this policy will be evaluated on a case-by-case basis, and any granted exceptions will require authorization by the DC&SCS manager (or their designee). In such an instance, all pictures or video taken will be reviewed by and require the approval of the DC&SCS manager (or their designee) prior to leaving the secured area.

14.0 Conduct of Authorized Users

14.0.1 No food or drink is allowed within DoIT data centers.

14.0.2 Visitors may not tamper with or interact with equipment that is not theirs.

14.0.3 Individuals must comply with all Data Center Team instructions while in DoIT data centers.

14.0.4 Badges are non-transferable and may not be used by anyone other than the person the badge was originally assigned to.

14.0.5 Individuals must present their access credentials at each access control point to ensure a valid access event is registered (i.e., no tailgating).

15.0 DC Access Control

DC Access Control assigns and maintains access to DoIT data centers. DC Access Control is located in room B332 in the basement of the Computer Sciences and Statistics building at 1210 W Dayton St, Madison, WI 53706. They can be reached by phone at 608-890-3193 or via email at dcaccesscontrol@doit.wisc.edu.

16.0 Forms

Permanent
Long-Term
Short-Term



Keywords: data center access control policy physical door security
Doc ID: 22335
Owner: Christopher L.
Group: DCTeam
Created: 2012-01-20 11:37 CDT
Updated: 2016-03-04 11:42 CDT
Sites: DCTeam, DoIT Help Desk, DoIT Staff