{"id":106412,"date":"2017-04-13T09:28:40","date_gmt":"2017-04-13T13:28:40","guid":{"rendered":"http:\/\/www.bu.edu\/tech\/?page_id=106412"},"modified":"2023-08-01T16:25:39","modified_gmt":"2023-08-01T20:25:39","slug":"secure-data-center-access","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/about\/policies\/secure-data-center-access\/","title":{"rendered":"IS&#038;T and BUMC IT Data Center Policy"},"content":{"rendered":"<div id=\"policies-page\">\n<p>Approved by Tracy Schroeder, Vice President of Information Services &amp; Technology, March 25, 2020<\/p>\n<h2>Purpose and Scope<\/h2>\n<p>This policy builds upon the University\u2019s <a href=\"http:\/\/www.bu.edu\/policies\/data-protection-standards\/\">Data Protection Standards<\/a> to specify the required safeguards at all IS&amp;T and BUMC IT Data Centers on the Charles River Campus and Medical Campus.<\/p>\n<p>This policy defines the University\u2019s approach to compliance with <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r4.pdf\">NIST 800.53r4 Physical and Environmental Protection<\/a> and mapping to the <a href=\"https:\/\/www.nist.gov\/cyberframework\/framework\">NIST Cyber Security Framework (CSFv1.1)<\/a> as indicated in square brackets ([]).<\/p>\n<h2>Administrative Controls<\/h2>\n<p>The Data Center Service Owner shall develop, disseminate, and enforce procedures to implement this policy.\u00a0 This policy is reviewed annually by Information Security and the Data Center Service Owner. 
[PE-1, PR.IP-5]<\/p>\n<p>Unescorted access to the Data Center is authorized by the Data Center Service Owner according to business need.\u00a0 To achieve separation of duties, the authorization from the Data Center Service Owner is implemented by a different office, such as Finance Administration or Public Safety.\u00a0 The Data Center Service Owner is responsible for providing timely access when requested, revoking access when notified of a change, and conducting periodic, at least annual, reviews to ensure accuracy of both the authorization and implementation of access controls.\u00a0 Information Security shall conduct audits at least annually as well. [PE-2, PR.AC-2].<\/p>\n<p>All physical media (e.g., hard drives, tapes, USB storage) must be inventoried by their owner, and when at end of life, physically destroyed by BU or an approved vendor.\u00a0 No failed media can be returned to a vendor without permission from Information Security, even if encrypted (Note: encrypted HIPAA data still requires a Business Associate Agreement with the vendor).\u00a0 Additionally, equipment removal must be approved by the Data Center Service Owner. [CM-8, PE-16, PR.DS-3].<\/p>\n<p>All personnel with authorized, unescorted access to data centers must take initial and annual training that covers data center responsibilities.\u00a0 Completion of training is logged and audited. [AT-1, AT-3, AT-4, PR.AT-2].<\/p>\n<p>Anyone who is not authorized for unescorted access is given a visitor badge that is documented in a log of access, and visitors must be escorted to the necessary rack\/equipment.\u00a0 Logs of visitor access are reviewed by the Data Center Service Owner every quarter.\u00a0 Logs of visitor access are kept for at least one year. 
[PE-3, PE-8, PR.AC-2, DE.CM-7].<\/p>\n<h2>Physical and Technical Controls<\/h2>\n<p>Physical access to Data Centers is controlled by electronic locks using multifactor authentication.\u00a0 The Data Center Service Owner ensures that routine checks of physical security are conducted, including that all doors are kept secure and access controls are functioning properly.\u00a0 Keys are issued sparingly and are used for emergency access only.\u00a0 Forced entry or holding doors open causes an alarm with immediate response requirements, and video surveillance records activity at entrances to data centers at all hours of every day.\u00a0 Any issues are reported to appropriate responders, including the Incident Response Team (irt@bu.edu).\u00a0 This effort is audited by Information Security. [PE-3, PE-6, PE-6(1), PE-8, PR.AC-2, DE.CM-2, DE.CM-7, DE.DP-3, RS.AN-1].<\/p>\n<p>Distribution and transmission lines are protected with conduit or cable trays, and access to networking closets and power equipment is controlled with keys or electronic locks.\u00a0 Emergency power shut-off is located within data centers to protect from unauthorized activation. [PE-4, PE-9, PE-10, PR.AC-2].<\/p>\n<p>Power and environmental conditions are monitored, and deviations trigger an alert to appropriate responders, such as Data Center Operations or Public Safety.\u00a0 Short-term power problems, such as surge or sag, are managed with Uninterruptible Power Supply (UPS) units or equivalent.\u00a0 Emergency lighting for exits and evacuation routes in facilities holding a data center turns on automatically during power outages. [PE-11, PE-12].<\/p>\n<p>Temperature and humidity are controlled with redundant systems, such as air conditioning units, in-rack cooling, or in-row cooling mechanisms. 
[PE-14].<\/p>\n<p>Fire suppression systems are installed, operate without human presence, and are not dependent upon building power for operation.\u00a0 When activated, notification is sent to BU and emergency responders.\u00a0 Carbon Dioxide (CO2) canisters and other fire suppression systems are periodically tested. [PE-13, PE-13(1)(2)(3)].<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Approved by Tracy Schroeder, Vice President of Information Services &amp; Technology, March 25, 2020 Purpose and Scope This policy builds upon the University\u2019s Data Protection Standards to specify the required safeguards at all IS&amp;T and BUMC IT Data Centers on the Charles River Campus and Medical Campus. This policy defines the University\u2019s approach to compliance&#8230;<\/p>\n","protected":false},"author":4697,"featured_media":0,"parent":21310,"menu_order":6,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/106412"}],"collection":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/users\/4697"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/comments?post=106412"}],"version-history":[{"count":6,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/106412\/revisions"}],"predecessor-version":[{"id":146897,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/106412\/revisions\/146897"}],"up":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/21310"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/media?parent=106412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}