Communications Room Policy

Transcription

1 Information Security Policies Communications Room Policy Author : David Rowbotham Date : 01/07/2014 Version : 1.1 Status : Initial Release MAG Information Security IT Policies Page: 1

2 1 Table of contents Contents 1 Table of contents Document Control Introduction Scope Policy Entry Systems and Access Data Centre Room Etiquette Out of Hours Access Closed Circuit Television Safety Overview Signs and Information Contact Information Health and Safety Considerations Emergency Exits and Fire Alarm Procedures Fire detection and Fire extinguishers Electrical Safety Communications Room Use Hours of Operation Equipment Delivery Control of Equipment and Spares Prohibited Items Services Communications Room Equipment Introduction Environment Control Packaging Change and configuration management Overview Access Approval routes Data Centre / MA IS contact Information Table Policy review... 9 MAG Information Security IT Policies Page: 2

3 2 Document Control Ver Date Change Description Author Oct 2013 First draft Ian Waterhouse Dec 2013 Amendments from David Rowbotham Ian Waterhouse Jun 2014 Amendments from Aaron Bazler David Rowbotham st July 2014 Baseline David Rowbotham th July 2014 Minor revision David Rowbotham MAG Information Security IT Policies Page: 3

4 3 Introduction The purpose of Information security policies is to ensure that appropriate measures are implemented, to protect the data, systems, services, equipment and associated infrastructure of the Manchester Airport Group from internal and external threats, whilst ensuring timely access to information for authorised personnel and preventing unauthorised access or modification The vulnerability of business critical information systems and the data they contain within the Communications Room make the site a high value asset which requires a high degree of protection. A range of security measures are therefore in place to protect employees, information and physical assets, along with the interested third parties with equipment in the Communications Room. 4 Scope This policy applies to all MAG employees including contractors and vendors with access to MAG systems, or any other persons otherwise affiliated but not employed by MAG, who may utilise MAG IS infrastructure and/or access MAG applications 5 Policy 5.1 Entry Systems and Access Access is controlled via a combination of RFID card readers or keypad locks, some doors are fitted with sensors to detect unauthorised or prolonged opening. Staff and visitors must not adjust or otherwise tamper with door fittings. Any suspected faults with doors, lights or any security equipment should be reported to the MAG service desk at the earliest opportunity. Automated Access Keycard (card swipe) holder A list of authorised personnel that have been granted access to the communications rooms is owned by the Pass Office and must be reviewed on a monthly basis, with any changes to be communicated to the IS Service Desk, anyone requiring permanent access must first be authorised via the Information Security Forum with pass numbers recorded and room Access Control lists updated accordingly. The number of permanent pass holders is limited to the following personnel unless by agreement in the MA IS security forum; MA IS Installations & Cabling Engineers MA IS Network & Infrastructure Team On-site Technical Support Teams by prior agreement. Nominated personnel from Internal Engineering Manual Access non-keycard holder Authorised DC customers will be provided 24x7 access to their equipment housed in the MA IS DCs. The customer representative responsible for (and who signs) any service agreement with MA IS must provide a list of employees who are authorised to enter the Data Centre. (Maximum of 2no. persons) When access is required, proper notification and justification will need to be provided in accordance with the policy set out in the relevant section of this document. Customers authorised personnel with pre-approved manual access to the data centre are required to contact the MA IS Service Desk at which point the necessary access request can be generated. All non-permanent entries onto the Access Control Lists (ACL) for the suites will be time bound and will automatically age-out on reaching the limit of their agreed access. MAG Information Security IT Policies Page: 4

5 Visits must be agreed at least 5 days In advance. Unannounced/unescorted visitors will be denied access. In the case of business critical systems and general emergencies, exceptions must be supported by a member of staff with authorised access and in such circumstances, escorting will be provided for access to relevant suites. Tailgating into restricted areas is forbidden. Care must therefore be taken by all authorised staff to prevent this. During deliveries authorised staff must supervise such work at all times. Any persons allowing others to tailgate into Communication Rooms will have their system access removed. 5.2 Data Centre Room Etiquette In order to maintain a clean room environment and allow all work performed within the Data Centre to be carried out as effectively as possible, it is mandatory for all persons working within the suite to adhere to the following rules of etiquette; 1. All work areas to be kept clean and free of debris. Upon completion of any work, staff performing the work should ensure they have left the area as clean as it was before their work began. 2. All Rack enclosures should be kept neat and free of manuals, media, cables. Doors on all racks should remain closed at all times except during periods of scheduled maintenance. 3. Cables should never be strung outside of rack enclosures. Cabling between racks are to route through installed cable management systems. Where none exists, temporary installations are permitted and notice of temporary installation posting to the N&I Manager for action. 4. Under no circumstances should any customer; a. Lift floor tiles without prior knowledge, consent and oversight of the MA IS dept. b. Modify Power Distribution Units (PDU) within the Data Centre rooms unless specified in job registration and reflected within the submitted RAMS. c. Connect any device into another cabinet s PDUs. d. Configure or modify in any way Computer Room Air Conditioning (CRAC) within the Data Centre environment. e. Open cabinets or computer racking unless explicitly specified in job registration and/or RFC content. 5.3 Out of Hours Access MA IS Network & Infrastructure are responsible for maintenance of all Data Centre suites. If access is required without a supporting RFC or prior approval from N&I Manager and/or IS Security Manager, access will be denied. Where access is required in reaction to an unplanned outage, approval must be sought from N&I Manager and supporting documentation supplied. 5.4 Closed Circuit Television Closed Circuit Television (CCTV) monitoring and recording is in operation throughout the communications rooms and is centrally monitored by MA IS. 6 Safety 6.1 Overview Information Systems (IS) seeks to operate the DC environments according to the MAG Health and Safety Policy, a summary of which can be found on the Intranet. MAG Information Security IT Policies Page: 5

6 6.2 Signs and Information Safety signs and information are posted at access points to the Communications Room. General notices are also posted around the Communications Room providing detailed information on first aid, emergency contacts and general Health and Safety issues. 6.3 Contact Information Information on emergency and out-of-hours maintenance contacts is posted at all entrances to the Communications Room. A list of first aid contacts is posted throughout the Communications Room. Help can also be obtained by contacting any member of the IS Service desk. Any fire safety concerns should be raised with a member of the IS Service Desk who will deal with the matter with the involvement of the MAG Fire service if required. 6.4 Health and Safety Considerations There are a number of Health and Safety considerations when working in the Communications Rooms, and all persons responsible for completing works should have completed the necessary training in advance of the scheduled maintenance. MAG H&S Policy should be consulted for the avoidance of doubt and referenced in any RAMS prior to Job registration. All MAG Health and Safety policies are available on the internal Intranet at the following address; Emergency Exits and Fire Alarm Procedures Emergency exits are clearly signed and illuminated and must not be obstructed by any equipment or packaging before, during or after any planned works. 6.6 Fire detection and Fire extinguishers The Communications Rooms are fitted with fire detection systems linked to audible and visual alarms. If an alarm is activated leave the room immediately at the designated exit points and exit the building at ground level via the stairs. Never use the lifts. Users should then go the designated meeting point. For small incidents fire extinguishers are placed throughout the Communications Room alongside instruction signs 6.7 Electrical Safety PAT testing is carried out on all computer equipment and cables used in the Communications Rooms by trained staff. Equipment should be PAT tested before it is deployed. 7 Communications Room Use 7.1 Hours of Operation The Communications Room operates on a continuous basis, with staff in attendance between 04:00am and 20:00 daily. MAG Information Security IT Policies Page: 6

7 7.2 Equipment Delivery No deliveries are accepted at the Communications Rooms locations. All deliveries to be directed to MA IS Olympic House and the IS Helpdesk. 7.3 Control of Equipment and Spares No equipment is to be left unattended within the communications rooms at any time. Any equipment found in contravention of this will be removed and the owners access to the Communications Rooms revoked. 7.4 Prohibited Items The following items are prohibited from the Communications Room: Combustible materials such as paper and cardboard (except reference manuals as needed) Food and liquids Tobacco products Explosives and weapons Hazardous materials Alcohol, illegal drugs and other intoxicants Electro-magnetic devices that could cause interference with computer and telecom equipment Radioactive materials Photographic or recording equipment (other than backup media) 8 Services 8.1 Communications Room The Communications Room aims to provide a secure, controlled environment suitable for locating rackmountable computer systems. Power, cooling and networking connectivity are provided, and in some cases UPS is available to protect systems from power fluctuations and short outages. Where UPS is not available rack-mount UPS units are installed, monitored and maintained for all Core and Distribution tier equipment 8.2 Equipment Introduction IS must be notified in advance of any plans to add or remove equipment in the hosted room area. All new equipment installs must be agreed in advance with IS following the IT change process and must be authorised by the IS change advisory board prior to their introduction. Please ensure you have the full agreement of IS to host your equipment before you purchase, otherwise your equipment may be refused or delayed access to supporting infrastructure. 8.3 Environment Control Cooling, power and UPS provision is centrally controlled by BMS Engineering. Only authorised personnel are allowed to alter settings on any such equipment. Any persons found altering or changing core services will have their access to communications rooms revoked. MAG Information Security IT Policies Page: 7

8 8.4 Packaging Cardboard and other items that can generate dust and are easily combustible should remain outside Communications Rooms. Therefore packing or unpacking of equipment must take place outside the room. 9 Change and configuration management 9.1 Overview The Change Management Process covers all changes on Configuration Items (CIs) included in the IS Configuration Management Database (CMDB). The functional areas within the scope include, but are not necessarily limited to ~ All Communications Room equipment and software including IS and hosted equipment All Communications Room facilities equipment and software running on them including electricity, air conditioning, etc. equipment All Network equipment (including all cabling and communications infrastructure) and related software All voice system equipment and software All desktop equipment and software All licensed production software (Software under development is outside the scope.) Operational processes and documentation Release to production and decommissioning of all equipment, IT environment and services managed by a project Non-production equipment (test and development servers, etc) is also subject to change control as per the above. 9.2 Access Approval routes Please refer to the Communications Room Access Process document for further information. Request How to Submit Required Notice Planned DC Site visit Request via MA IS Service Desk (Refer to Process) Unplanned DC site visit Required Info 5 days Nature/Scope & Complete RAMS statement. Will not be allowed access to the communications rooms. Required Approvals N&I DC Manager/IS Security Manager Emergency DC site Visit Vendor/Supplier access to facility* Scheduled delivery of equipment Contact N&I Manager in the first instance with details of situation. (Note: attendees will need to be escorted without MAG Security Pass) Request via MA IS Service Desk (Refer to Process) 5 days Nature/Scope & complete RAMS statement. Deliveries are not received at communications rooms. N&I DC Manager/IS Security Manager.. General DC Questions.. to DC.Operations@magairports.com MAG Information Security IT Policies Page: 8

9 9.3 Data Centre / MA IS contact Information Table Support / Operations Contacts Contact Telephone Primary Contact MA IS Service Desk Mag.servicedesk@magairports.com Escalation 1 Network Support Network.Support@magairports.com Escalation 2 Network & David.Rowbotham@magairports.com Infrastructure Manager Escalation 3 IS Operations Dir. Aaron.Bazler@magairports.com Policy review This policy will be reviewed on an annual basis. It will be amended in response to changes in operational and legal requirements. Every effort will be made to ensure individual users are made aware of changes when they occur. If you have any queries or questions about this policy contact the MAG Information Security Manager or MAG Network & Infrastructure Manager. MAG Information Security IT Policies Page: 9