Approved by Tracy Schroeder, Vice President of Information Services & Technology, March 25, 2020
Purpose and Scope
This policy builds upon the University’s Data Protection Standards to specify the required safeguards at all IS&T and BUMC IT Data Centers on the Charles River Campus and Medical Campus.
This policy defines the University’s approach to compliance with NIST 800.53r4 Physical and Environmental Protection and mapping to the NIST Cyber Security Framework (CSFv1.1) as indicated in square brackets ().
The Data Center Service Owner shall develop, disseminate, and enforce procedures to implement this policy. This policy is reviewed annually by Information Security and the Data Center Service Owner. [PE-1, PR.IP-5]
Unescorted access to the Data Center is authorized by the Data Center Service Owner according to business need. To achieve separation of duties, the authorization from the Data Center Service Owner is implemented by a different office, such as Finance Administration or Public Safety. The Data Center Service Owner is responsible for providing timely access when requested, revoking access when notified of a change, and conducting periodic, at least annual, reviews to ensure accuracy of both the authorization and implementation of access controls. Information Security shall conduct audits at least annually as well. [PE-2, PR.AC-2].
All physical media (e.g., hard drives, tapes, USB storage) must be inventoried by its owner, and when at end of life, physically destroyed by BU or an approved vendor. No failed media can be returned to a vendor without permission from Information Security, even if encrypted (Note: encrypted HIPAA data still requires a Business Associate Agreement with the vendor). Additionally, equipment removal must be approved by Data Center Service Owner. [CM-8, PE-16, PR.DS-3].
All personnel with authorized, unescorted access to data centers must take initial and annual training (once available) that covers data center responsibilities. Completion of training is logged and audited. [AT-1, AT-3, AT-4, PR.AT-2].
Access by anyone who is not authorized for unescorted access is given a visitor badge that is documented in a log of access, and visitors must be escorted to the necessary rack/equipment. Logs of visitor access are reviewed by the Data Center Service Owner every quarter. Logs of visitor access are kept for at least one year. [PE-3, PE-8, PR.AC-2, DE.CM-7].
Physical and Technical Controls
Physical access to Data Centers is controlled by electronic locks using multifactor authentication. The Data Center Service Owner ensures that routine checks of physical security are conducted, including that all doors are kept secure and access controls are functioning properly. Keys are issued sparingly and are used for emergency access use only. Forced entry or holding doors open causes an alarm with immediate response requirements, and video surveillance records activity at entrances to data centers all hours of every day. Any issues are reported to appropriate responders, including the Incident Response Team (email@example.com). This effort is audited by Information Security. [PE-3, PE-6, PE-6(1), PE-8, PR.AC-2, DE.CM-2, DE.CM-7, DE.DP-3, RS.AN-1].
Distribution and transmission lines are protected with conduit or cable trays, and access to networking closets and power equipment is controlled with keys or electronic locks. Emergency power shut-off is located within data centers to protect from unauthorized activation. [PE-4, PE-9, PE-10, PR.AC-2].
Power and environmental conditions are monitored, and deviations trigger an alert to appropriate responders, such as Data Center Operations or Public Safety. Short-term power problems, such as surge or sag, are managed with Uninterrupted Power Supply (UPS) units or equivalent. Emergency lighting for exits and evacuation routes in facilities holding a data center automatically turn on for power outages. [PE-11, PE-12].
Temperature and humidity are controlled with redundant systems, such as air conditioning units, in-rack cooling, or in-row cooling mechanisms. [PE-14].
Fire suppression systems are installed, operate without human presence, and are not dependent upon building power for operation. When activated, notification is sent to BU and emergency responders. Carbon Dioxide (CO2) canisters and other fire suppression systems are periodically tested. [PE-13, PE-13(1)(2)(3)].