University Data Center Security Policy
Effective Date: June 15, 2010
Last reviewed: May 1, 2011
Last edited: September 1, 2011
This policy describes the physical security requirements and the authorization process by which personnel may obtain access to the University Data Center (UDC) at The University of Texas at Austin.
This policy serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to the policy will increase the security of systems and help safeguard university information technology resources. This policy exists in addition to all other university policies and federal and state regulations governing the protection of the university's data.
Compliance with this policy is required for all departments that locate systems at the UDC and for all personnel who visit the facility.
This policy applies to all University Data Center facilities operated by Information Technology Services at The University of Texas at Austin. Variations in the different buildings may result in slightly different operating procedures, depending on the building in question.
All students, faculty and staff with systems located at the UDC. All visitors to the UDC.
Access to the data center’s exterior infrastructure is restricted to authorized personnel only.
The UDC exterior and interior are monitored 24x7.
Server cabinets are secured and may be shared by multiple departments. Access to server cabinets is restricted to authorized personnel only. Actions within cabinets shared by multiple departments will be monitored by UDC personnel to ensure that only the intended equipment is modified.
The physical structures that house IT equipment are properly installed with no loose or moving components.
The UDC raised-floor space is equipped with an access-controlled man trap per industry standards.
Electronic access control system and alarms
Access to all entry points into and within the UDC is controlled by electronic access control mechanisms that allow only authorized individuals to enter the facility.
Provisioning process for authorized personnel
University personnel who require access to the UDC for the purpose of working on co-located systems in the UDC must obtain authorization prior to accessing the facility. In order to be authorized, you must:
- Be a UT Austin student, faculty or staff member.
- Agree to abide by this security policy.
- Have completed the Position of Special Trust, if you are a system administrator.
- Complete the University Data Center Access request form.
Requesters may also be required to review educational materials.
UDC management must approve all access requests.
Physical access to the facility shall not be granted on an “emergency” basis to individuals who have not obtained authorization. In the event that an authorized staff member is not available, the manager from the requesting unit must provide written approval to the UDC director or assistant director prior to access being granted.
Access requests must be renewed annually to maintain approved access. Access permissions are reviewed at least quarterly. Managers shall notify the UDC immediately when access is no longer required due to an employee’s termination or a change in job responsibilities.
Access to IT facilities
Approved system administrators (SAs) who require access to service their co-located equipment will be granted badge access to enter the building. They present their valid UT ID card. UDC staff may escort SAs to their equipment in the UDC raised-floor space and may escort them to the server build room. When practical, if hardware parts need to be replaced, that work should be done in the server build room. Visits to the UDC raised-floor space and server build room shall be for business reasons and should be limited to the time required to complete a task. Loitering is prohibited.
Critical systems with 24-hour-a-day, 365-days-a-year support provided by a vendor should be identified in advance so UDC personnel can provide necessary access to those SAs and vendor representatives. SAs should notify UDC staff as soon as possible after they become aware that a vendor support visit is planned. Vendor representatives will be escorted in the facility.
All vendors are required to present UT ID cards or valid government-issued identification and will be checked into and out of the facility.
All UT faculty, staff, students, and third parties visiting the facility are required to present their UT ID cards or valid government-issued identification and will be checked into and out of the facility. General business visitors to the data center must be admitted to the facility by UDC staff. They will be escorted to the general business area. Visitors will be accompanied at all times.
Facilities maintenance personnel
Maintenance of equipment and the facility by UT staff and third parties is required. Maintenance may include but is not limited to general cleaning, raised floor space cleaning, and maintenance on electrical and mechanical systems. Maintenance visits by non-UDC staff must be scheduled in advance and known by the facility manager of the UDC. Maintenance staff may be escorted and/or under surveillance. All maintenance personnel must carry an approved identification credential and adhere to UDC policies and procedures.
Co-location customers should schedule/notify the facility manager of deliveries at least one business day in advance if possible, or as soon as they become aware of a pending delivery.
As a condition of obtaining access to the facility, all UT faculty, staff, students and third parties shall agree by signature (electronic or otherwise) not to disclose information they may obtain about the facility except to those who are required to have the information to conduct legitimate university business.
The UDC building is under video recording and surveillance.
Food, drink, and tobacco products
Food and drink are not allowed in the raised floor area or server build room. Tobacco products are prohibited in the facility.
Taking of pictures and/or video, including by cell phones equipped with cameras, is prohibited without authorization from the facility director or assistant director.
Statement on Auditing Standards (SAS) 70 “Data Center Physical Security Best Practices for SAS 70 Compliance.”