Status of Document: Version 0.9, created 10 May 2011; approved by OUCS Senior Managers Group, 24 May 2011; version 1.0, 17 July 2011; minor edits and published 31 July 2011.

1. Preamble

The primary function of the OUCS data centre and the University Shared Data Centre is to provide a secure, resilient, engineered and monitored environment for the location of a diverse range of equipment required for the provision of IT services to the collegiate University, many of which are critical to the successful fulfilment of the University's business. The purpose of the data centre security policy is to help ensure that the data centre, and the equipment hosted therein, remains secure by having in place a policy and procedures to restrict access to the data centre to authorised persons.

The Data Centre Policy uses as its basis the Information Security Policy for the University. The [draft] IS Policy includes a sub-policy on the security of the physical information environment:

8. Physical and Environmental Security

Procedures should be in place to ensure that secure areas are protected by appropriate entry controls to ensure that only authorised personnel are allowed access. Security perimeters should be defined to protect areas that contain confidential or sensitive information and/or information systems. Appropriate physical security for offices, rooms, facilities etc. should therefore be implemented and offices housing systems containing non-public data should be kept locked. Where appropriate, physical protection should be provided against damage from natural, or man-made disasters, such as fire, flood, explosion etc. All users are required to ensure that systems are not left open to access by intruders to buildings, or by unauthorised colleagues.

Procedures should be in place to ensure that equipment hosting data not open for public access is not accessible in public areas. Equipment should be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access. Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. Procedures should be in place to ensure that media containing information is protected against unauthorised access, misuse or corruption during transportation beyond the unit's/University's physical boundaries.

Procedures exist to ensure that equipment, information or software is not taken off-site without prior authorisation. Security should be applied to off-site equipment taking into account the different risks of working outside the University/unit's premises. Procedures should exist to ensure that any sensitive data and licensed software have been removed or securely overwritten when equipment is sold on, transferred or scrapped.

(Information Security Policy (draft), 5 May 2011, section 8, http://www.oucs.ox.ac.uk/network/security/ISBP/ispolicy.xml)

The Data Centre Security Policy seeks to follow good practice, as far as possible, in securing the physical environment in which reside the networking, servers, storage and other hardware underpinning the University's information and communications services. The policy aims to minimise the risk to the security of the University's information systems and to help ensure the safety of staff working within the data centre. In principle, the data centre environment should aim to be as secure as the servers hosted within the data centre.

2. Authority

Changes to this policy, in so far as it applies to data centres under the jurisdiction of OUCS, must be authorised by the OUCS Senior Managers Group.

The Data Centre Manager is responsible for day-to-day operations within the data centre; monitoring usage; and maintaining security.

3. Access to the data centre

Entrances to the data centre should remain locked at all times. Entry by authorised staff should be by means of a physical token (e.g. iButton).

4. OUCS staff

OUCS staff are only permitted entry to the data centre in order to undertake specific tasks with respect to the installation, maintenance, auditing, and decommissioning of equipment housed there and for which they have responsibility.

General entry to the data centre by staff, including for access to other parts of the building (except in emergencies), is not generally permitted.

5. Other University staff

Where there is an agreement that another department may host equipment in the data centre then access will be granted, on application, to individual IT support staff within that department. The data centre manager is responsible for authorising such access and will maintain a log of individuals who have been granted access, including a record of access tokens provided. The log will be shared with the OUCS buildings manager. Access to the data centre is granted to an individual and no other individual should assume they have access unless specifically authorised by the data centre manager. In particular, access keys and codes must not be shared with any other individual.

6. Contractors and authorised visitors

External contractors who require access to the data centre in order to undertake maintenance or similar work relating to equipment housed in the data centre should, where reasonably possible, be notified in advance to the Data Centre Manager by the member of staff responsible for the contractor, and should be accompanied by that member of staff. In any case, all such visitors should abide by the Department's rules for visitors entering the Department's private areas, including signing-in at Reception and wearing a visitor badge or University identification. Contractors must be made aware of the health and safety and other rules relating to working in the data centre.

Contractors requiring access to the Data Centre outside working hours must be accompanied at all times by an authorised member of University staff.

Deliveries requiring access via the loading bay and external door should be agreed with the data centre manager in advance.

Casual visitors, including tour groups, are not permitted access to the data centre except in exceptional circumstances and only with the prior permission of the Director of Computing Systems and Services.

7. Data Centre Security Rules

Only authorised staff and visitors may enter and work within the data centre. To seek authorisation please contact the OUCS Data Centre Manager in the first instance (datacentre@oucs.ox.ac.uk). All persons must abide by these rules:

  1. You must make yourself familiar with applicable health and safety rules for working within a data centre;
  2. You must not bring food, drink or other 'wet' items (e.g. coats and umbrellas) into or through the data centre;
  3. You must remove all packaging and associated materials from the data centre;
  4. You should arrange for the removal of any equipment no longer required as soon as possible after decommissioning;
  5. You must use appropriate tools for the job (e.g. for the removal of floor tiles) and rehouse them when completed;
  6. You must avoid obstructing aisles or walkways, introducing trip hazards or leaving floor tiles unsettled anywhere in the data centre;
  7. You must not leave unlocked or prop open any access door to the data centre;
  8. You must not enable unauthorised persons to enter the data centre. In particular, you must not share your key or access codes with any other individual and nor must you be accompanied by any unauthorised person.
  9. You must inform the data centre manager of any breaches to this security policy known to you.