Physical Security for Servers
Servers (computers used by multiple users at a time or that are a central data repository) that are designated as critical to the operation of the University are required to be physically secured to a high standard. The University is committed to providing secure and environmentally appropriate facilities for these mission-critical computer systems in a fiscally responsible and efficient manner.
Multiple departmental audits have identified inadequate physical security (including access, environmental protections, etc.) as representing a substantial risk to the University community in terms of time, money, and potential data loss or disclosure. To respond to these concerns and to better protect data, industry best practices have been reviewed and summarized as the minimum level of protection necessary.
Minimum Protection Level
- Servers must be protected by backup and offsite data storage. The offsite storage of backup media must be in a secure University or backup-vendor facility (not staff homes, cars, etc.).
- A facility with Uninterruptible Power Supply (UPS) supporting all servers and essential peripheral equipment (console servers, etc.).
- A facility with a climate-controlled environment separate from the building HVAC (dedicated air conditioning with in-room temperature controls).
- A facility with cooling and electrical capacity that is planned and monitored for outages.
- Secured access to the facility with documentation listing all individuals who currently have access and monitoring/auditing of ingress/egress via staff/video/etc.
- Servers in the facility must require authentication for local access (i.e. consoles are not left logged in while unattended).
- For facilities that use access codes, the capability to quickly change the access codes when personnel changes warrant it is required. Access codes must be changed at least annually.
- A facility with automated fire detection and suppression systems.
The Office of Information Technology (OIT) and coordinate campus central IT units offer centrally funded data center facilities for critical servers. These facilities provide an environmentally protected and professionally managed facility. They help protect University data from unauthorized acquisition and promote compliance with state and federal laws and contractual commitments. The University conducts periodic data center audits to confirm compliance with security, environmental, and management standards.