
University of Minnesota

STANDARDS & GUIDELINES



     

GUIDELINE—Physical Security for Critical Servers (Appendix R)


Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer

EFFECTIVE DATE: July 2007
RELATED POLICY/PROCEDURE:

Acceptable Use of Information Technology Resources

GUIDELINE
A guideline is highly recommended.


Introduction

The Chief Information Officer is designated by the "Acceptable Use of Information Technology Resources Policy" as the institutional officer responsible for identifying standards and guidelines for access and acceptable use of information technology resources. This guideline defines the physical security for critical University servers necessary for the protection of University data and systems.

Servers (computers used by multiple users at a time or that are a central data repository) that are designated as critical to the operation of the University are required to be physically secured to a high standard. The University is committed to providing secure and environmentally appropriate facilities for these mission-critical computer systems in a fiscally responsible and efficient manner.

Multiple departmental audits have identified inadequate physical security (including access, environmental protections, etc.) as representing a substantial risk to the University community in terms of time, money, and potential data loss or disclosure. To respond to these concerns and to better protect data, industry best practices have been reviewed and summarized in this guideline, which is the minimum level of protection necessary.

For exceptional situations, the nature of the exception and the risk mitigation alternative recommended in lieu of the above requirement should be documented and approved by both the department and the University CIO. If the exception or alternative is not feasible, servers should be relocated to a compliant University data center.

Minimum Protection Level

  • Servers must be protected by backup and offsite data storage. The offsite storage of backup media must be in a secure University or backup-vendor facility (not staff homes, cars, etc.).
  • A facility with Uninterruptible Power Supply (UPS) supporting all servers and essential peripheral equipment (console servers, etc.).
  • A facility with a climate-controlled environment separate from the building HVAC (dedicated air conditioning with in-room temperature controls).
  • A facility with cooling and electrical capacity that is planned and monitored for outages.
  • Secured access to the facility with documentation listing all individuals who currently have access and monitoring/auditing of ingress/egress via staff/video/etc.
  • Servers in the facility must require authentication for local access (i.e., consoles are not left logged in while unattended).
  • A facility with the capability to quickly change “access codes” (not key locks) if personnel changes warrant. Access codes must be changed at least annually.
  • A facility with automated fire detection and suppression systems.

Implementation

The Office of Information Technology (OIT) and coordinate campus central IT units will offer centrally funded data center facilities for critical servers. These facilities will be environmentally protected and professionally managed. They will help protect University data from unauthorized acquisition and promote compliance with state and federal laws and contractual commitments. The University will conduct periodic data center audits to confirm compliance with security, environmental, and management standards.

Resources and Links:

Acceptable Use of Information Technology Resources:  http://policy.umn.edu/Policies/it/Use/ITRESOURCES.html

Securing Private Data Standard:
http://www.umn.edu/oit/security/privatedata.html

Critical Server Identification:
http://www.umn.edu/oit/security/criticalserv.html