IU Data Center Access Control Policy

This document details IU's data center access control policy.

Table of Contents

1.0 Scope
2.0 Purpose
3.0 Responsibility
4.0 Communication of Policy
5.0 Categories of Access
6.0 Faculty, Staff and Student Access
7.0 IU Affiliate Access
8.0 Daily Access
9.0 Visitor/Tour Access
10.0 Card Visibility
11.0 Conduct of Authorized Users
12.0 Data Center Access Review Board

Preface

Due to the sensitive nature of the data and information systems maintained within its facilities, security and access are important aspects of the Office of Vice President for Information Technology/University Information Technology Services (OVPIT/UITS) environment. In most cases, Indiana University is contractually and legally obligated to limit access to only those who have IT responsibilities requiring frequent access.

Security cameras are located throughout OVPIT/UITS buildings. These cameras record footage for follow-up in the case of a security incident. They also act as an effective deterrent that supports the safe operation of the building. IU Data Centers use two-layer authentication, proximity cards and biometric hand scanners, to grant access to the facilities.

These increased security protocols follow guidelines from NIST 800-53, PCI DSS, SOC 2 and other sources, and are modeled on best practices by other universities such as the CIC partners.

1.0 Scope

1.0.1 Document the policy and procedures for requesting, reviewing, authorizing, assigning, and maintaining access rights for those who need to perform services or visit University Information Technology Services (UITS)-managed data centers at Indiana University.

2.0 Purpose

2.0.1 In support of IU data centers, data center access and physical security, these policies and procedures provide a strong security strategy that protects IU employees, data, and resources entrusted to UITS by IU and its customers. These procedures are intended to clarify access requirements for all UITS-managed data centers.

3.0 Responsibility

3.0.1 UITS Facilities is responsible for assigning access rights to individuals for secured areas under its control based on management-approved requests and adherence to IU Data Center Access Policy. Public Safety and Institutional Assurance is the owner of the card access system and is responsible for its system administration. Data Center Operations manages and provides operational support for the IU Data Centers.

4.0 Communication of Policy

4.0.1 All sponsors of individuals with authorized access to IU data centers are responsible for ensuring those individuals are aware of and comply with the policies and procedures identified in this document.

4.0.2 All personnel who are authorized to access IU data centers must read, understand, and comply with the policies and procedures identified in this document.

4.0.3 All individuals applying for access to IU data centers must acknowledge that they have read and understand, and must comply with, the IU Data Center Access Policy and the IU Data Center Standards Document: https://dcops.iu.edu/policies/standards.php

5.0 Categories of Access

There are four categories of access to IU data centers: Faculty, Staff and Student Access; IU Affiliate Access; Daily Access; and Visitor/Tour Access.

  • 5.1 IU Faculty/Staff/Student Access
    • For IU employees with a business need to provide services in IU data centers
    • Requires a valid Indiana University ID card
    • Requires an IU supervisor as a sponsor
    • No escort required
    • A review will take place verifying the Data Center’s access list every 60 days (refer to section 12.0 for details).
    • Access will expire on an annual basis and must be renewed by completing the form and obtaining the appropriate approvals (refer to section 12.0 for details).
    • Refer to section 6.0 for details regarding the acquisition of Faculty, Staff and Student Access
  • 5.2 IU Affiliate Access
    • For contractors/vendors who have long-term support agreements to provide services for equipment in IU data centers
    • Requires an IU supervisor as a sponsor
    • No escort required
    • A review will take place verifying the Data Center’s access list every 60 days (refer to section 12.0 for details).
    • Access will expire on an annual basis and must be renewed by completing the form and obtaining the appropriate approvals (see Section 12.0 for details).
    • Refer to section 7.0 for details regarding the acquisition of IU Affiliate Access
  • 5.3 Daily Access
    • For co-location customers or contractors without IU Affiliate Access
    • For those with limited-term engagements to provide a defined service
    • For individuals who are familiar with IU Data Center Standards
    • Requires Data Center Operations (DCOPS) manager sponsorship
    • Visitor badges are issued at the Data Center Operations Center at the time of access.
    • Requires escort by an individual with IU Faculty/Staff/Student Access.
    • Access expires in 24 hours.
    • Refer to section 8.0 for details regarding the acquisition of Daily Access
  • 5.4 Visitor/Tour Access
    • For individuals with no primary business need to access IU data centers other than for education or demonstration purposes
    • Tour appointments must be scheduled at least 24 hours in advance
    • Visitor badges are issued at the DC Operations Center
    • Requires escort by an individual with IU Faculty/Staff/Student Access at all times while in IU data centers
    • Refer to section 9.0 for details regarding the acquisition of Visitor/Tour Access

6.0 Faculty, Staff and Student Access

6.0.1 Faculty, Staff and Student Access is generally approved for IU staff when job duties require access to IU data centers.

  • 6.1 Obtaining Faculty, Staff and Student Access
    • 6.1.1 In order to be granted Faculty, Staff and Student access to IU data centers, the applicant must:
      • 6.1.1.1 Complete the required Faculty, Staff and Student access request form and submit it.
      • 6.1.1.2 Access form will be routed for approval from the requester's supervisor, the DCOPS manager, the Enterprise Business Systems Director and UITS Facilities.
      • 6.1.1.3 Must have a valid Indiana University ID. An access card will be assigned in the card access system.
      • 6.1.1.4 The applicant must visit DCOPS with the card to register in the biometric hand scanner system and have approved access areas assigned. https://kb.iu.edu/data/azzk.html (Note: the internal document requires authentication).
  • 6.2 Maintaining Faculty, Staff and Student Access
    • 6.2.1 Cards must not be altered or defaced in any way; cards must not be bent, written on, have anything affixed to, or have holes punched in them.
    • 6.2.2 The individual's supervisor must immediately report to DC Access Control (dcaccess@iu.edu) any change in job duties or employment status that would eliminate the need for data center access.
    • 6.2.3 The individual must retain sole possession of the card for the duration of their approved use. The individual is responsible for card use. Card use is not transferable and cannot be shared. Anyone caught allowing another individual to use their card will have their data center access immediately deactivated.
    • 6.2.4 Faculty, Staff, and Student Access must be renewed on an annual basis.
  • 6.3 Replacing Faculty, Staff and Student Access Cards
    • 6.3.1 Lost or stolen cards must be immediately reported to IU Data Center Access Control by email at dcaccess@iu.edu or by phone at 812-855-9910.
    • 6.3.2 For damaged, lost, or stolen cards, a replacement card will be assigned with the previously approved access areas.
  • 6.4 Returning Faculty, Staff and Student Access Cards
    • 6.4.1 Upon termination of employment or change in job responsibilities, it is the supervisor's/sponsor's responsibility to return access cards to DC Access Control, and access will be removed.

7.0 IU Affiliate Access

7.0.1 IU Affiliate Access is generally granted to vendors who have annual support contracts to perform routine and emergency support of hardware and software used in IU data centers.

  • 7.1 Obtaining IU Affiliate Access
    • 7.1.1 Requests for IU Affiliate Access must be initiated by an IU sponsor using the IU Affiliate Access request form.
    • 7.1.2 DC Access Control will process each request.
    • 7.1.3 DC Access Control will issue approved cards:
      • 7.1.3.1 To obtain long-term cards, individuals requesting access must visit the Cyber Infrastructure Building, located at 2709 East 10th Street, Bloomington, IN or ICTC, 535 West Michigan Street, Indianapolis, IN.
      • 7.1.3.2 The individual must present government-issued photo identification in order to receive their card.
    • 7.1.4 The applicant must visit DCOPS with the card to register in the biometric hand scanner system and have approved access areas assigned.
  • 7.2 Maintaining IU Affiliate Access
    • 7.2.1 Cards must not be altered or defaced in any way; cards must not be bent, written on, have anything affixed to, or have holes punched in them.
    • 7.2.2 The individual's IU sponsor must immediately report to DC Access Control (dcaccess@iu.edu) any change in job duties or employment status that would eliminate the need for data center access.
    • 7.2.3 The individual must retain sole possession of the card for the duration of their approved use. The individual is responsible for card use. Card use is not transferable and cannot be shared. Anyone caught allowing another individual to use their card will have their data center access immediately deactivated.
    • 7.2.4 IU Affiliate Access must be renewed on an annual basis.
  • 7.3 Replacing IU Affiliate Access Cards
    • 7.3.1 Lost or stolen cards must be immediately reported to IU Data Center Access Control by email at dcaccess@iu.edu or by phone at 812-855-9910.
    • 7.3.2 If a card is damaged, lost, or stolen, a replacement card will be assigned with the previously approved access areas.
  • 7.4 Returning IU Affiliate Access Cards
    • 7.4.1 Upon termination of employment or change in job responsibilities, it is the individual's responsibility to return access cards to DC Access Control, and access will be removed.

8.0 Daily Access

8.0.1 Daily Access is generally assigned to those who only require data center access for short-term project work.

  • 8.1 Obtaining Daily Access
    • 8.1.1 Requests for short-term cards must be initiated at the direction of the DCOPS manager using the Data Center sign-in form available from DCOPS.
    • 8.1.2 DCOPS will process each request.
    • 8.1.3 DCOPS will issue approved short-term cards.
    • 8.1.4 The applicant must visit DCOPS to obtain the card. The applicant will have to present government-issued identification.
  • 8.2 Maintaining Daily Access
    • 8.2.1 Cards must not be altered or defaced in any way; cards must not be bent, written on, have anything affixed to, or have holes punched in them.
    • 8.2.2 The individual must retain sole possession of the card for the duration of their approved use. The individual is responsible for card use. Card use is not transferable and cannot be shared. Anyone caught allowing another individual to use their card will have their data center access immediately deactivated.
    • 8.2.3 Daily Access cards expire in 24 hours.
  • 8.3 Replacing Daily Access Cards
    • 8.3.1 Lost or stolen cards must be immediately reported to IU Data Center Access Control by email at dcaccess@iu.edu or by phone at 812-855-9910.
    • 8.3.2 If a card is damaged, lost, or stolen, it must be reported immediately to DC Access Control. A replacement will be issued by going to DCOPS. Refer to section 8.0.1.
  • 8.4 Returning Daily Access Cards
    • 8.4.1 Surrender the card to DCOPS upon signing out and leaving the DC.

9.0 Visitor/Tour Access

9.0.1 Visitor/Tour Access for an IU data center is granted under limited circumstances. Tours are for educational purposes and are for viewing only.

  • 9.1 Obtaining Tour Access
    • 9.1.1 Requests for tours must be arranged with DCOPS in person, by phone, or via email (refer to section 15). Include the purpose of the tour, names of those attending, and preferred dates and times.
    • 9.1.2 Tours must be approved by the DCOPS manager (or designee).
    • 9.1.3 Tours must be requested at least 24 hours in advance.
    • 9.1.4 A Data Center Team tour guide will coordinate the tour.
    • 9.1.5 Approved tour groups will meet their tour guide at DCOPS, sign in, and be issued their Visitor badge(s). Individuals in the tour group will be required to present government-issued photo identification.
    • 9.1.6 The tour will be escorted at all times when in IU data centers.
  • 9.2 Returning Visitor Badges
    • 9.2.1 When the tour is finished, the individuals must return their Visitor badge(s) and sign out at DCOPS.

10.0 Card Visibility

10.0.1 While in IU data centers or related secured areas, ID badges must be worn and visible at all times. Acceptable card display areas are on the chest or front hip.

11.0 Conduct of Authorized Users

11.0.1 No food or drink is allowed within IU data centers.

11.0.2 Visitors may not tamper or interact with equipment that is not theirs.

11.0.3 Individuals must comply with all Data Center Operations team instructions while in IU data centers.

11.0.4 Cards are non-transferable and may not be used by anyone other than the person to whom the card was assigned.

11.0.5 Individuals must present their access credentials at each access control point to ensure a valid access event is registered (i.e., no tailgating).

12.0 Data Center Access Review Board

12.0.1 The Data Center Access Review Board is an authoritative governing body that reviews and approves all data center access requests.

12.0.2 UITS Facilities assigns and maintains access to IU data centers.

12.0.3 A review will take place verifying the ICTC and IUB Data Centers' access list every 60 days. Data Center access will be deactivated after 60 days of inactivity.

12.0.4 The Data Center Access Review Board will review any justifications for renewing expired access. If it is determined that Data Center access is no longer needed, the access will not be renewed.

12.0.5 An audit log of all Data Center Access provisioning and deprovisioning will be kept for at least 90 days.

12.0.6 Upon termination of employment or in the event of a disciplinary action, Data Center access will be immediately deactivated and suspended. In the case of disciplinary action, a justification and review process will be required for future access.

12.0.7 The Data Center Access Review Board can be reached by phone at 812-855-9910 or via email at dcaccess@iu.edu.