Standard: Data Center Security

Similar documents
Standard: Risk Assessment Program

Information Services IT Security Policies L. Network Management

INFORMATION TECHNOLOGY POLICY

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, DOMINGUEZ HILLS. Audit Report June 15, 2012

Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, LONG BEACH. Audit Report July 24, 2012

01.0 Policy Responsibilities and Oversight

Standard: Workstation Hardware

Communications Room Policy

The Common Controls Framework BY ADOBE

SECURITY & PRIVACY DOCUMENTATION

UCLA AUDIT & ADVISORY SERVICES

Data Backup and Contingency Planning Procedure

Trust Services Principles and Criteria

INFORMATION SECURITY- DISASTER RECOVERY

ASSURING BUSINESS CONTINUITY THROUGH CONTROLLED DATA CENTER

Colocation Service Terms

DATA BACKUP AND RECOVERY POLICY

1. Policy Responsibilities & Oversight

State of Rhode Island Department of Administration Division of Information Technol

Physical and Environmental Security Policy Document Number: OIL-IS-POL-PES

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification

UITS Data Center Access Policies and Procedures

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

IT CONTINUITY, BACKUP AND RECOVERY POLICY

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

Hosted Testing and Grading

Demand The Best. A guide to help select an Offsite Information Management Company

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Office Name: Enterprise Risk Management Questions

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Standard: Event Monitoring

Centeris Data Centers - Security Procedure. Revision Date: 2/28/2018 Effective Date: 2/28/2018. Site Information

Introduction To IS Auditing

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, SAN BERNARDINO. Audit Report July 10, 2013

SAS SOLUTIONS ONDEMAND

Checklist: Credit Union Information Security and Privacy Policies

PHYSICAL AND ENVIRONMENTAL SECURITY

Records Retention Policy

Physical and Environmental Security Standards

Standard CIP Cyber Security Physical Security

Data Storage, Recovery and Backup Checklists for Public Health Laboratories

April Appendix 3. IA System Security. Sida 1 (8)

Records Information Management

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

Cellular Site Simulator Usage and Privacy

CCBC is equipped with 3 computer rooms, one at each main campus location:

Dude Solutions Business Continuity Overview

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

Standard CIP Cyber Security Physical Security

Information Technology Disaster Recovery Planning Audit Redacted Public Report

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO

BUSINESS CONTINUITY. Topics covered in this checklist include: General Planning

SAPP CENTER EMERGENCY ACTION PLAN

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Ulster University Policy Cover Sheet

EXHIBIT A. - HIPAA Security Assessment Template -

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Facility Security Policy

DISASTER RESPONSE & RECOVERY PLANNING. Information Technology Services

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Standard CIP-006-1a Cyber Security Physical Security

Recommendations for Implementing an Information Security Framework for Life Science Organizations

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

University of Hawaii Hosted Website Service

Table of Contents. Sample

NIST Risk Assessment for Part 11 Compliance: Evaluation of a GXP Case Study

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Security Standards for Electric Market Participants

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

KantanMT.com. Security & Infra-Structure Overview

INTERNATIONAL SOS. Information Security Policy. Version 2.00

Tuskegee Backup and Offsite Policy and Procedures

Physical Security Standard

Data Center Access Policies and Procedures

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Local Government Disaster Planning and what can be learned from it.

Data Center Operations Guide

Information Security Data Classification Procedure

Office of MN.IT Services Data Centers

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Part 11 Compliance SOP

SPRING-FORD AREA SCHOOL DISTRICT

Information Security Policy

Cybersecurity Checklist Business Action Items

EMERGENCY MANAGEMENT

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

peace of mind kit FAQ s Q: Is AccuPay bonded?

CYBER SECURITY POLICY REVISION: 12

INFORMATION TECHNOLOGY SERVICES DISASTER RECOVERY PLAN

Standard CIP-006-3c Cyber Security Physical Security

Mobility Policy Bundle

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Data Centre Security. Presented by: M. Javed Wadood Managing Director (MEA)

Transcription:

Standard: Data Center Security Page 1

Executive Summary The university data centers provide for the reliable operation of SJSU s computing systems, computing infrastructure, and communication systems. Per ICSUAM 8000, California SAM, local, State, and Federal law, this standard defines the requirements for security controls of machines hosted in SJSU data centers to safeguarding the confidentiality, integrity, and availability of information stored, processed and transmitted by SJSU. Page 2

Information Security Standards Data Center Security Standard IS-DCS Effective Date 11/10/2015 Email security@sjsu.edu # Version 4.0 Contact Mike Cook Phone 408-924-1705 Revision History Date Action 4/25/2014 Draft sent to Mike 5/13/2014 Reviewed with comments and sent to Mike 12/1/2014 Reviewed. Content suggestions. Added comments. Hien Huynh 11/10/2015 Incorporated changes from campus constituents Distributed to Campus. Page 3

Table of Contents Executive Summary... 2 Introduction and Purpose... 5 Scope... 5 Standard... 5 Storage of Unencrypted Level 1 Information is prohibited on servers... 5 Physical and Environmental Security... 5 Background Check of Employees... 5 Electronic Lock Required... 5 Networking Equipment Locked... 5 Management Control of Access... 5 Physical Need to Access... 5 Removal of Permissions upon Employee separation... 6 Audit of Key Cards... 6 Master Keys... 6 Moisture Detectors... 6 Smoke Detectors... 6 Environmental Reporting... 6 Fire Suppression... 6 Uninterruptible Power Supply (UPS)... 6 Glass Windows... 6 Power Generators... 6 Earthquake Protection... 6 Firewalls between data centers and core networks... 6 Emergency Preparedness and Training... 6 Test Data Center Emergency Procedures... 7 IT Disaster Recovery Plan... 7 Backup Tapes... 7 Food, Drink, Hazardous Materials... 7 Labels on Doors... 7 Data Center Owner Training... 7 Page 4

Introduction and Purpose This standard defines the requirements for security controls of machines hosted in SJSU data centers. This standard is composed to explicitly comply with ICSUAM 8000, California SAM, local, State, and Federal law. Scope This standard applies to all SJSU State, Self-Fund, and Auxiliary ( campus ) computer systems and facilities, with a target audience of SJSU Information Technology employees and partners. This standard applies to any machine storing unencrypted Level 1 data at rest, any machine providing internet-facing services outside the campus border firewall (i.e. Web Servers), and campus core network aggregation points. Standard Storage of Unencrypted Level 1 Information is prohibited on servers For any machine on the campus, storing level 1 unencrypted data at rest is prohibited unless an exception has been approved by the Information Security Office. For information classification and handling of Level 1 sensitive data, refer to the Information Classification and Handling Standard. Physical and Environmental Security Additional physical security controls are included in the Physical Security Standard. Background Check of Employees All new employees with entry access to data centers must pass a background check (Livescan) at time of hire. Electronic Lock Required Electronic locks are required on all entry doors to data centers storing level 1 data. Entry logs must be properly maintained showing who entered, time, and date. Entry logs must be maintained for at least 90 days. Networking Equipment Locked Networking equipment, including lab equipment, must be enclosed and locked in a secured room protected by a lock with logging capabilities.. Management Control of Access Management needs to have control over access to assets. Physical Need to Access Physical access to locked data center rooms is based on the physical need to access principal. Physical access is limited to individuals required to have access. Service employees, including custodians, should not have electronic access to data center locked rooms. University Police personnel are authorized to access the data center in emergency situations only via electronic lock, if functional, or physical access if necessary. Page 5

Removal of Permissions upon Employee separation Upon separation of employees, key cards and key should be immediately revoked. Alarm codes should be changed upon employee separation. Audit of Key Cards Key cards and physical keys must be audited annually and approved by Data Center management (MPP). Master Keys Physical locks must not accept master keys. Moisture Detectors Moisture Detectors should be in use and placed in data centers, in accordance with the Physical Security Standard. Smoke Detectors Smoke Detectors should be in use and placed in data centers, in accordance with the Physical Security Standard. Environmental Reporting Environmental alerting, such as temperature and moisture is required for server rooms storing level 1 data. Fire Suppression Fire extinguisher or fire suppression for electronic equipment, must be located in each Data Center. Data Centers must not be protected by water-based fire suppression systems. Uninterruptible Power Supply (UPS) UPS power in the data center should be capable of handling backup power in room for minimum of 5 minutes to provide ample time for generator startup. Glass Windows Glass windows to public areas allowing viewing of server rooms are prohibited. Power Generators Power generators capable of sustaining computer operations during a power outage are required for servers storing level 1 data. Earthquake Protection Full-Height server racks which are in excess of three times as tall as they are wide must be affixed to the structure on at least 2 faces to prevent damage in the event of a minor earthquake. Firewalls between data centers and core networks Firewalls are required between SJSU data centers and the core networks, as specified in the Network Security Standard. Emergency Preparedness and Training All personnel with access to data center rooms must undergo emergency preparedness training on an annual basis, including learning how to operate fire extinguishers, suppression, and emergency alarms. Page 6

Test Data Center Emergency Procedures All data center owners need to develop and test data center emergency procedures annually. Procedures must specify due care for safety and life preservation measures. IT Disaster Recovery Plan Data Centers must have an IT Disaster Recovery Plan identifying the critical systems in the data center, the assets necessary for those applications, and the plans for resuming services after an unplanned disruption. Backup Tapes Data center room sensitive servers must use backup tapes sent to an offsite location, in accordance with the Data Retention Standard. Tapes containing level 1 data must be encrypted. Data center backup tapes must be in compliance with CSU Executive Order 1031: Records Retention & Disposition Schedules Food, Drink, Hazardous Materials Food, drink, and hazardous materials are prohibited in Data Centers. Labels on Doors Labels on doors that list data center or telecom closet are prohibited. Data Center Owner Training Data center owners must maintain procedures for training, including the following areas: gaining physical access, removing physical access, visitor access (including logging), stop tailgating, alarm arm/disarm procedures, cleanliness (dust removal), facility services, development access to data center (including logging), and change control (including documentation). Page 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback