Status of Document: Version 0.9, created 10 May 2011; approved by OUCS Senior Managers Group, 24 May 2011; version 1.0, 17 July 2011; minor edits and published 31 July 2011.
The primary function of the OUCS data centre and the University Shared Data Centre is to provide a secure, resilient, engineered and monitored environment for the location of a diverse range of equipment required for the provision of IT services to the collegiate University, many of which are critical to the successful fulfilment of the University's business. The purpose of the data centre security policy is to help ensure that the data centre, and the equipment hosted therein, remains secure by having in place a policy and procedures to restrict access to the data centre to authorised persons.
Procedures should be in place to ensure that secure areas are protected by appropriate entry controls to ensure that only authorised personnel are allowed access. Security perimeters should be defined to protect areas that contain confidential or sensitive information and/or information systems. Appropriate physical security for offices, rooms, facilities etc. should therefore be implemented and offices housing systems containing non-public data should be kept locked. Where appropriate, physical protection should be provided against damage from natural or man-made disasters, such as fire, flood, explosion etc. All users are required to ensure that systems are not left open to access by intruders to buildings, or by unauthorised colleagues.
Procedures should be in place to ensure that equipment hosting data not open for public access is not accessible in public areas. Equipment should be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access. Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. Procedures should be in place to ensure that media containing information is protected against unauthorised access, misuse or corruption during transportation beyond the unit's/University's physical boundaries.
Procedures exist to ensure that equipment, information or software is not taken off-site without prior authorisation. Security should be applied to off-site equipment taking into account the different risks of working outside the University/unit's premises. Procedures should exist to ensure that any sensitive data and licensed software have been removed or securely overwritten when equipment is sold on, transferred or scrapped.
(Information Security Policy (draft), 5 May 2011, section 8, http://www.oucs.ox.ac.uk/network/security/ISBP/ispolicy.xml)
The Data Centre Security Policy seeks to follow good practice, as far as possible, in securing the physical environment in which reside the networking, servers, storage and other hardware underpinning the University's information and communications services. The policy aims to minimise the risk to the security of the University's information systems and to help ensure the safety of staff working within the data centre. In principle, the data centre environment should aim to be as secure as the servers hosted within the data centre.
Changes to this policy, in so far as it applies to data centres under the jurisdiction of OUCS, must be authorised by the OUCS Senior Managers Group.
The Data Centre Manager is responsible for day-to-day operations within the data centre; monitoring usage; and maintaining security.
3. Access to the data centre
Entrances to the data centre should remain locked at all times. Entry by authorised staff should be by means of a physical token (e.g. iButton).
4. OUCS staff
OUCS staff are only permitted entry to the data centre in order to undertake specific tasks with respect to the installation, maintenance, auditing, and decommissioning of equipment housed there and for which they have responsibility.
General entry to the data centre by staff, including for access to other parts of the building (except in emergencies), is not generally permitted.
5. Other University staff
Where there is an agreement that another department may host equipment in the data centre then access will be granted, on application, to individual IT support staff within that department. The Data Centre Manager is responsible for authorising such access and will maintain a log of individuals who have been granted access, including a record of access tokens provided. The log will be shared with the OUCS buildings manager. Access to the data centre is granted to an individual and no other individual should assume they have access unless specifically authorised by the Data Centre Manager. In particular, access keys and codes must not be shared with any other individual.
6. Contractors and authorised visitors
The member of staff responsible for an external contractor who requires access to the data centre in order to undertake maintenance or similar work relating to equipment housed there should notify the Data Centre Manager in advance, where reasonably possible, and should accompany the contractor. In any case, all such visitors should abide by the Department's rules for visitors entering the Department's private areas, including signing in at Reception and wearing a visitor badge or University identification. Contractors must be made aware of the health and safety and other rules relating to working in the data centre.
Contractors requiring access to the Data Centre outside working hours must be accompanied at all times by an authorised member of University staff.
Deliveries requiring access via the loading bay and external door should be agreed with the Data Centre Manager in advance.
Casual visitors, including tour groups, are not permitted access to the data centre except in exceptional circumstances and only with the prior permission of the Director of Computing Systems and Services.
7. Data Centre Security Rules
Only authorised staff and visitors may enter and work within the data centre. To seek authorisation please contact the OUCS Data Centre Manager in the first instance (firstname.lastname@example.org). All persons must abide by these rules: