University of Ulster Policy Cover Sheet

Document Title: DATA CENTRE ACCESS POLICY 2.0
Custodian: Data Centre & Operations Manager
Approving Committee: ISD Committee
Policy approved date: 2012-01-12
Policy effective from date: 2012-01-12
Policy review date: 2013-01-12
Changes to previous version:
- Primary change in formatting to conform to University standard format.
- Change in room and access for the data centre at the Belfast campus.
- Security staff access to data centres out of hours.
- Various updates.
DATA CENTRE ACCESS POLICY 2.0
INTRODUCTION AND BACKGROUND
This policy sets out the controls and rules that govern access to ISD Data Centre
room environments within University of Ulster. These are required as there are
times when people require access to carry out their duties or are paid to carry out
changes to the environment or the hosted equipment within these secure areas.
POLICY STATEMENT
There shall be no unauthorised access to any University Data Centre without the
permission of either the Head of Infrastructure or via an arranged request to the Data
Centre & Operations Manager and under the supervision of an Infrastructure team
member.
Violations of the conditions listed below may result in disciplinary action under the
University’s disciplinary procedures if a member of University staff or withdrawal of
any future access for any contracted persons.
AIMS, PURPOSE AND SCOPE OF THE POLICY
Aims:
- To enable staff entering the room to perform authorised duties
- To enable contractors to enter the room and perform authorised duties
- To establish rules for conduct that must be observed by all people entering a Data Centre room (Appendix B)
- To keep appropriate records of Data Centre room activities
- To provide health and safety guidelines for staff entering Data Centre rooms (Appendix A)
It establishes the following rules:
- Requirements of people entering Data Centre rooms.
- ISD staff responsibility.
- Record keeping requirements.
Purpose:
The policy is required because of the need to provide both access and high levels of
security to these locations as they host “core business” computer and network
systems and associated software.
Scope:
This policy applies to Data Centre rooms falling under the responsibility of
Information Services and it has the approval of the Deputy Director of Finance &
Information Services (ISD).
It establishes the process to authorise the following people to access Data Centre
rooms in the following situations:
- Work-related access that cannot be undertaken by other means, for example via a networked and secure desktop computer. Typically covers physical access to hardware and work to the physical environment [1].
- Contractor/Consultant access.
- Visitor access.
- Emergency access.
ISD Campus Data Centres:
- Belfast – 82D31
  - Card-based access system controlled by PRD – ICT Infrastructure staff and Campus ICT Manager (Belfast)
- Jordanstown – 7C34
  - Card-based access control system authorised by ICT Head of Infrastructure is used to grant access to the Data Centre room
- Coleraine – K011
  - Card-based access control system authorised by ICT Head of Infrastructure is used to grant access to the Data Centre room
- Magee – MF118
  - Card-based access control system authorised by ICT Head of Infrastructure is used to grant access to the Data Centre room
Note: Security have access to the Data Centres for out-of-hours emergency
contractor access.
DEFINITIONS AND CLARIFICATION
Terms:
FIS – Finance and Information Services
ISD – Information Services
ICT Infrastructure – Division within ISD responsible for the University’s Data Centres
PRD – Physical Resources Department responsible for Data Centre Environment
[1] For example, by Physical Resources staff who may have to enhance the electrical socket provision or undertake similar development or maintenance work.
PROCEDURE
Work-related (Permanent)
Permanent card-based access to Data Centre rooms must only be authorised by the
Head of Infrastructure.
A written request must be made with the following detail:
a) The person’s name
b) The department or section where they are located
c) The reason they require this access
d) From when access is required
e) For what period of time is access required
f) Frequency of access
On satisfaction of these details, individuals will be given an access control card
which permits them to enter the room. An access register (maintained by the Data
Centre and Operations Manager) stores these details. This register is reviewed on
an annual basis by the Data Centre and Operations Manager.
The Document given below must be read before entering the Data Centre for the first
time. It is located beside the Visitor Log book at each Data Centre door.
Note that access will be monitored both via a security system and via camera.
Upon leaving the employ of the University, the access card MUST BE RETURNED
to the Data Centre & Operations Manager.
Contractor/Consultant/Visitor (Temporary)
Contractors or Consultants or Visitors may require access to a Data Centre room
frequently or infrequently but do not satisfy the conditions of gaining permanent
access, for example an air conditioning engineer.
In order for a visitor to obtain access, the following conditions must be satisfied:
- They must be employed by the University or contracted to perform work by the University
- They must give adequate time to allow access to be considered and supervision to be arranged. This must be requested from the Head of Infrastructure who authorises the access or in the case of required contracted work at least one day’s notice given to the Data Centre Manager
  (Note that normal working hours are weekdays between 8.45am and 5pm.)
- They must require access to the room to perform authorised duties.
In addition to the above conditions, visitors must satisfy the following requirements.
They must be supervised at all times by an Infrastructure staff member who has a
permanent authority to enter the Data Centre rooms and who will assume
responsibility for the visitor’s actions.
The person authorising/supervising the visitor will be responsible for the following:
1. To ensure that all the conditions above are satisfied.
2. To ensure that they have read the Evacuation Procedures document located
at the Data Centre door entrance.
3. To ensure that the permitted access has been properly logged as detailed in
the record keeping section i.e. the visitor log at the Data Centre door
entrance.
4. To monitor activities of this person in the Data Centre room.
Note that for minor works requested by ISD but executed by PRD, using either their
own or contracted staff, all such works must have an accompanying suite of
Methods Statements as a mandatory constituent of any associated project
documentation. The responsibility to provide these will reside with PRD and the
responsibility to ensure their provision resides with the authorised Infrastructure
manager who is responsible for requesting the works.
Emergency (Temporary)
- In the event of an emergency out of normal working hours, security personnel should contact the Estates department
- If the situation is resolved without a member of ISD being present, the attending Estates officer must report the details to the Data Centre Manager next working day
- If deemed necessary, the Estates officer and/or nominated member of ISD will escort the contractor on-site
IMPLEMENTATION
This policy is implemented across all four of the University Data Centres.
The policy has been approved by the Head of Infrastructure and is to be reviewed
every 2 years.
RULES OF CONDUCT
The following rules apply to all people granted authority to enter a Data Centre room.
- Only authorised persons can enter Data Centre rooms
- All persons must have read the document titled Evacuation Procedures relating to University Data Centres
- Access cards must be returned if staff leave ISD or cancelled if not returned
- All persons are expected to work safely at all times, in line with Health and Safety requirements
- The Data Centre room should be treated as a clean room environment and care should be taken to ensure that contamination of this area is prohibited
- The room must be kept clean and tidy at all times
- In the event that an emergency arises from work being undertaken, you must notify ISD staff and University Security staff immediately
- All persons must, in the event of a fire alarm, follow the directions to the nearest assembly point
- No food, drink or smoking is allowed in Data Centre rooms
RECORD KEEPING
A visitor log must be maintained that records each permitted temporary entry into the
Data Centre room. This log will be stored directly outside each room. It shall record
the following for each entry:
- Date
- Name of visitor and company they work for
- Reason for access to the room
- Who requested/authorised this visit
- Time of arrival and departure
- Supervised by signatory
As mentioned earlier, a register is kept showing details of staff who have been
allocated swipe cards.
COMPLAINTS
If there are objections to this policy, these must be given in writing to the Head of
Infrastructure, Mr. C. Spice.
OTHER RELEVANT PROCEDURES
The document which must be read prior to first entering any of the Data Centres is:
Evacuation Procedures Relating to University Data Centres.
There are other Risk Assessment forms relating to various activities which may take
place within the confines of the Data Centres; members of University staff should
check these. External Contractors will have their own.
The Data Centre Manager holds a CD of a Safe Working Induction provided by the
Physical Resources Department.
CONTACTS AND FURTHER INFORMATION
Approval: Head of Infrastructure, Mr. C. Spice
Email: [email protected]
Notification: Data Centre & Operations Manager, Mrs. J. A. Asquith
Email: [email protected]
Security: In case of Emergency telephone 028 90362222
Other Internal Related Documents for University Staff:
- ISD Hardware Commissioning and Installation Business Process
- H&S Risk assessments for the following can be obtained from the Data Centre & Operations Manager:
  - Risk Assessment on Data Centres
  - Risk Assessment on Installation of Network Switches into Data Centre Racks
  - Risk Assessment on Installation of servers into Data Centre Racks
Appendix A:
ISD Health and Safety Policy Guidelines
Key objectives include preventing accidents and injuries, minimising loss and providing a
safe place to work, when necessary. Members of staff with access to Data Centre rooms
should always be very aware of any risks to themselves and others.
Our objectives are to:
- Set down standards which will protect the health and safety of anyone entering Data Centre rooms
- Have a working environment that is, as far as is possible, without risk to health and safety
- Ensure that any guidelines in place are adhered to at all times
- Carry out regular health and safety, fire checks, risk assessments and PATs
ISD Health and Safety Management Policy v2.0
Supplement 2: ICT Infrastructure’s “Execution of ISD’s Health and Safety Policy”
Appendix B:
Guidelines for staff entering Data Centre rooms
Staff must always:
- Observe all safety rules, procedures and instructions.
- Have separate area for storing and unpackaging equipment.
- Use all work items and equipment appropriately.
- Ensure ‘good housekeeping’ routines. Keep area clear of obstructions and packaging.
- Report any observed defects/damage to equipment.
- Report any hazards that come to their attention.
- Vacate premises immediately if alarms sound.
- Report stolen, lost or damaged cards to Data Centre & Operations Manager.
- Immediately report any accidents or serious incidents.
Staff must not:
- Install or leave cables or other items within the area of designated walkways or access points that may constitute a tripping hazard.
- Saw, grind or cut materials in or around the vicinity of Data Centre rooms.
- Lend their access card or keys to anyone.
- Misuse/abuse equipment.
- Attempt to lift heavy objects alone.
- Use Data Centre room as storage area.
- Re-enter Data Centre room after any incident, until given the all clear.
- Eat or drink while in room.
- Allow unauthorised persons access to Data Centre room.
Things to do prior to, and upon, entering Data Centre room:
- Familiarise self with evacuation procedures on outer door.
- Locate nearest First Aid box before entering Data Centre room.
- Find out where recognised First Aiders can be located.
- Check Fire Extinguisher locations.
- Ensure that lighting and visibility is good.
- Check that noise levels are not inordinately high.
- Check that any possible escape routes are not blocked.
- Check floor for tiles not being in place.
- Check that carpet on tiles does not pose possible danger, i.e. tripping.
- If working alone ensure that at least one other person, preferably your Line Manager, knows where you are.