05 data center it facility access standard...



IT FACILITY STANDARD NO. 5

DATA CENTER & IT FACILITY ACCESS

Function Affected: IT Facilities including data centers and network rooms (BDFs and IDFs)

Issued Date: 06/01/15 Issue Superseded: 12/15/13

Number of Pages: 6

I. Background

The UCSF data centers and network rooms such as BDFs and IDFs are critical to the health care, academic and research missions as well as University business functions. Ensuring the physical security of these facilities is an important way of protecting these critical assets. The primary goal of this standard is to maximize facility security while at the same time enabling access to those who are authorized.

II. Card Key System

Access to the data center and some network rooms is restricted via the UCSF card key system (ProWatch). This campus-wide system is administrated by the UCSF Police Department and supported by UCSF Facilities Services. Card key activation and authorization for the Data Centers is managed by the IT Facilities group. Network room access is managed by the Network Operations group. Access is granted based upon the following criteria:

1. Staff with work assignments inside the facility.

2. System administration staff requiring frequent access to the facility during or outside standard work hours to resolve system problems.

3. UCSF Police Officers

4. Facility Services Technicians supporting the facility

5. Members of the IT Departmental Emergency Operation Center responding to a declared emergency. This access is only available for the 654 Minnesota St. location and is limited to the Command Center portion of the facility.


Overall security is improved by limiting the number of individuals with facility access.

III. Card Keys Holder Rules

Those granted card key access must abide by the following rules:

1. UCSF Photo identification badges must be worn above the waist and be clearly visible, at all times.

2. Card keys must not be loaned or used to allow access to any unauthorized person.

3. Access to all secure areas should be handled with the use of a card key. Card Key holders must not access areas for which they do not have approved authorization.

4. Equipment Log – any equipment taken out of the data centers (repair / replacement / de-commissioned, etc.) is to be documented in the log (make, model, description, serial number of the item and if it is part of a system, provide additional info of the parent equipment – make, model, description, serial number etc.). The log is to undergo regular review.

5. Card key holders must not touch equipment and supplies belonging to other departments. The IT Facilities group will provide access to tools or other equipment mounting supplies for use at one of the data centers.

6. Lost or stolen card keys must be reported to the card key holder’s manager, IT Facilities at (415) 476-2643 and the UCSF Police Department.

7. Everyone requiring access to the data centers outside of regular business hours (0800 to 1700, M-F) must log in and out.

8. Food, drink or other fluids are not allowed in the IT facility equipment areas.

9. All problems or emergency situations must be immediately reported to IT Facilities and Computer Operations for data centers or Network Operations for network rooms.


10. IT facilities are only to be accessed to meet business requirements. Loitering will not be tolerated.

Any rule violation may result in a revoking of card key access.

IV. Authorized Entry Without a Card Key

A database of all individuals with data center access is maintained in the card key system. This database is the record for all access approval and the source of authorization for granting access to individuals who have forgotten or lost their card key. Any authorized individual granted access without a card key is required to log in and out and agree they will adhere to the Data Center and IT Facility Access Standard policy.

The following Identification is required for all data center and IT facility visitors without card key access:

1. UCSF staff members: UCSF ID (Campus and Medical Center) along with government issued photo ID

2. Non-UCSF visitors: Associated vendor (company issued employee ID) along with government issued photo ID

V. Vendor and Visitor Access to Perform Work

Work performed by vendors and visitors must be documented in an approved change ticket in ServiceNow. The change ticket must include the following critical information:

GENERAL INFORMATION

1. Change Request #

2. Associated Vendor Ticket/Case #

3. Brief Description of Work to be Performed

4. Company Name Requesting Access (List Individual’s Names in Step #8 Below)

5. UCSF Sponsor Approving Visitor Access

6. UCSF Business Application Owner (if applicable)

7. UCSF Application Admin (if applicable)

INDIVIDUALS (UCSF IT & VISITOR) ASSIGNED TO THE WORK & REQUIRE ACCESS

8. List ALL names (UCSF IT & Visitor’s) - list names, mobile, title & role of those that require access and scheduled to be in the Data Center or Network Closet during CHG or via remote access into system.

Contact Name | Mobile # | Title & Assigned Role

DATE & TIME SCHEDULING

9. Scheduled Date & Time of Arrival for Visitor

10. Planned Date(s) for Visitor Access

11. Planned Hours for Visitor Access (Start/End Time)

VISITOR ONSITE OR REMOTE ACCESS - If Onsite, complete Steps #12-16 and continue to Step #19. If Remote, complete Steps #17-18 and continue to Step #19.

12. ONSITE: Who is Visitor Escort Into Data Center or Network Closet?

13. ONSITE: Will Visitor be supervised entire time? If yes, by who? If no, why?

14. ONSITE: If Visitor NOT supervised entire time, what Director approved unsupervised visit? And, explain why unsupervised.

15. ONSITE: Why can’t Visitor perform work via remote VPN access?

16. ONSITE: Can Visitor perform work at computer adjacent to Data Center? If no, briefly explain.

17. REMOTE: If remote access, is there UCSF oversight throughout entire CHG, e.g., observing Visitor work via WebEx session? If yes, by who? If no, explain why.

18. REMOTE: If Visitor NOT supervised entire time, what Director approved unsupervised remote access? And, explain why unsupervised.

SERVER / SYSTEM CHANGE INFORMATION

19. Host name / IP / Cabinet / Rack Unit # (LIST ALL HOSTS.)

20. Are server and/or systems backed up? If not, explain. Provide date of last successful backup. If virtual machine, snapshot required? (Snapshots are deleted 48-hours after capture time)

21. List any other applications on the server. If none, write none.

22. Proceed to (“Visitor Step-by-Step CHG PROCEDURE” section below)

VISITOR’S STEP-BY-STEP CHANGE INFORMATION - INCLUDE VALIDATION & CONTINGENCY PLAN/EXIT STRATEGY

CHG PROCEDURE

VISITOR STEP-BY-STEP PROCEDURE OR ATTACH VISITOR MOP | DURATION | START | FINISH | COMMENTS

1.

2.

3.

4.

5.

The change assignee or sponsor must meet the vendor or visitor to escort them and oversee their work. All vendors, regardless of access authorization status must sign the log. Vendors and visitors granted data center access must abide by the following rules:

1. UCSF issued ID must be worn at the waist or above, and clearly visible, at all times.

   i. Non-UCSF vendors: Present a company issued employee ID along with government issued photo ID (driver license, passport, etc.)

   ii. Non-UCSF visitors: Present a government issued photo ID

2. Access to all secure areas within the data center should be handled with the use of a card key. Vendors and visitors must not attempt to access card-key controlled areas without the appropriate escort.

3. Vendors and visitors must not touch equipment and supplies other than the equipment they are on-site to support that has been documented in the visitor access template and Change Request ticket. If necessary, IT Facilities will facilitate access to tools or other equipment mounting supplies.

4. Equipment Log – Any equipment taken out of the data centers (repair / replacement / de-commissioned, etc.) is to be documented in the log (make, model, description, serial number of the item and if it is part of a system, provide additional info of the parent equipment – make, model, description, serial number etc.). The log is to undergo regular review.

5. Food, drink or other fluids are not allowed in the IT facility equipment areas.

6. All problems or emergency situations must be immediately reported to IT Facilities and Computer Operations for data centers or Network Operations for network facilities.


7. IT facilities are only to be accessed to meet business requirements. Loitering will not be tolerated.

VI. Other Visitors

1. All other visitors must sign the log and be escorted the entire time they are in the facility.

VII. Data Center Card Key Access Review

1. An Outlook calendar reminder is set for the Data Center Card Key Access Authorization Review to occur on the second Friday of the first month of each quarter.

2. The Senior IT Facilities Coordinator pulls the ProWatch authorized access report for the Data Center Card Key controlled doors.

3. The reports are sent to the IT Facilities Manager to review.

4. The IT Facilities Manager instructs the Senior IT Facilities Coordinator to deactivate access for any unauthorized individuals.

5. The IT Facilities Manager posts copies of the quarterly report to UCSF Box IT Facilities folder.