UDC Security Standards
Security Policy Aligned with NIST PE1-PE17
Section 1.0 Purpose
The purpose of this standards document is to ensure that appropriate measures are put in place to protect the equipment and infrastructure at the University Data Centers (UDC) of the University of Texas at Austin.
The objectives of the UDC Security Standards are:
- Secure the University’s assets against fraud, breach of confidentiality or privacy, theft, mischievous or accidental damage; and
- Protect the University from liability or damage arising from the use of UDC facilities for purposes conflicting to the University of Texas at Austin policies.
This standards document serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to the standards will increase the security of systems and help safeguard university information technology resources. This standards document exists in addition to all other university policies and federal and state regulations governing the protection of the university's data.
Compliance with this document is required for all departments that locate systems in a UDC Data Hall and for all personnel who visit a UDC facility.
Section 2.0 Scope
This standards document applies to all University Data Center facilities operated by Information Technology Services at The University of Texas at Austin. Physical variations in the different buildings may result in slightly different operating procedures, depending on the building environment.
Section 3.0 Revision
|
Version |
Date |
Name |
Description |
|
6.0 |
March 6, 2023 |
Wilson, Aaron |
Final |
Section 4.0 Audience
- All students, faculty and staff within University and System.
- All visitors.
- University Data Centers (UDC) – the department that facilitates the Operation and Support of UDC Facilities, Data Halls, and Infrastructure.
- University Data Center Facility – the building that houses a UDC Data Hall, the UDC infrastructure and the offices supporting UDC or ITS personnel.
- University Data Center Data Hall – the secure area that houses the collocated equipment, including NAPs (NOCs) and Demarcation areas.
- University Data Center Infrastructure – Critical equipment area that support a UDC Facility and/or a UDC Data Hall.
Section 5.0 Definitions
- University Data Centers (UDC) – the department that facilitates the Operation and Support of UDC Facilities, Data Halls, and Infrastructure.
- University Data Center Facility – the building that houses a UDC Data Hall, the UDC infrastructure and the offices supporting UDC or ITS personnel.
- University Data Center Data Hall – the secure area that houses the collocated equipment, including NAPs (NOCs) and Demarcation areas.
- University Data Center Infrastructure – Critical equipment area that support a UDC Facility and/or a UDC Data Hall.
Section 6.0 Physical and Environmental Protection Policy and Procedures
(NIST PE-1) (UTS165 S-2, S10, S12, S15, S16)
The University Data Center has established physical and environmental protection standards and procedures for effective management of security controls and enhancements to the University Data Center Facilities and systems and University resources managed onsite.
Section 7.0 Physical Access Authorization
(NIST PE2) (UTS165 S-2, S-3, S16, S22)
Only authorized personnel have access to the University Data Center facilities, data halls, and infrastructure as approved by the University Data Center director. Authorized personnel are audited for necessity and accuracy. All visitors to the data center must provide identification in the form of UT or government issued identification.
Section 8.0 Physical Access Control
(NIST PE-3) (UTS165 S-2, S-3, S16)
University Data Center enforces access control to the data center facilities and infrastructure: verifying individual access authorizations for all facility access requests, utilizing building access control technologies, escorting and monitoring visitor activities and maintaining access audit logs, and securing physical access devices, including keys and combinations.
Section 9.0 Access Control for Transmission Media
(NIST PE-4) (UTS165 S-4, S11)
The University Data Center has security safeguards in place to protect information system distribution and transmission. Network Operations Centers are a secure area located within a Data Hall.
Section 10.0 Access Control for Output Devices
(NIST PE-5) (UTS165 S-4)
All output devices are in secured areas accessible only to authorized personnel that are able to monitor access control of devices (printers, copiers, and monitors).
Section 11.0 Monitoring Physical Devices
(NIST PE-6) (UTS165 S-4, S-5 and S-11)
University Data Center monitors physical access to information systems to detect and respond to physical security incidents or suspicious physical access activities. University Data Centers employ physical intrusion detection and prevention controls which include intrusion alarms and video surveillance throughout the Data Center Facility and Data Halls. Additional control enhancements have been implemented for additional monitoring of the Data Halls and secured media storage areas. Two factor authorization is used in all Data Center Halls.
Section 12.0 Visitor Access Records
(NIST PE-8) (UTS165 S-4 and UTS165 S-5)
University Data Centers maintain visitor access records to the controlled areas or facilities where the information systems reside and records are review on a reoccurring basis. All Administrative, Unescorted and Escorted Visitors must sign into the Visitor Log prior to gaining access to a Data Hall.
Section 13.0 Power Equipment and Cabling
(NIST PE-9)
University Data Centers employ redundant power cabling paths that are physically separated to help ensure that power continues to flow in the event one of the cables is cut or otherwise damaged. University Data Centers also employ automatic voltage controls.
Section 14.0 Emergency Shutoff
(NIST PE-10)
The data center facility has the capability of shutting off power to the agency information system or individual system components in emergency situations; emergency shutoff controls installed in data hall exits and infrastructure rooms facilitate safe and easy access for personnel.
Section 15.0 Emergency Power
(NIST PE-11)
The University Data Center provides short-term uninterruptible power supplies to facilitate: an orderly shutdown of the information system; transition of the information system to long-term alternate power in the event of a primary power source loss. University Data Centers primary site also provides generators as a secondary source of power in the event of primary power source failure.
Section 16.0 Emergency Lighting
(NIST PE-12)
The University Data Center employs and maintains automatic emergency lighting for the information systems that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Section 17.0 Fire Protection
(NIST PE-13)
The University Data Center employs and maintains fire suppression and detection devices/systems for the information systems that are supported by an independent energy source.
Section 18.0 Temperature and Humidity Controls
(NIST PE-14)
University Data Center maintains and monitors temperature and humidity levels within the Data Center Data Halls.
Section 19.0 Water Damage Protection
(NIST PE-15)
The University Data Center protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Section 20.0 Delivery and Removal
(NIST PE-16) (UTS165 S-1)
The University Data Center authorizes, monitors, and controls information systems components entering and exiting the facility and maintains records of those items.
Section 21.0 Alternate Worksite
(PE-17) (UTS165 S-6)
An Alternate Work Site is readily available and capable of taking production environment control in the event that operations cannot continue at the primary location.
Section 22.0 Contingency Plan
(NIST CP) (UTS165 S-6)
University Data Centers has a disaster recovery and business continuity plan in place and regularly performs testing to ensure plans remain current.
Section 23.0 Media Protection
(NIST MP) (UTS165 S-11)
University Data Center restricts physical access to digital, non-digital and magnetic data to only authorized personnel. All media is destroyed by the degaussing of hard drives prior to leaving the facility, unless otherwise requested by the media owner. UDC provides a Secure Storage area for all commissioned and decommissioned devices and maintains chain of custody records. UDC assists in the maintaining the lifecycle of the equipment by ensuring proper inventory policies are followed as prescribed by UT Policy.
Section 24.0 Incident Response Training
(NIST IR) (UTS165 S-12)
University Data Centers have an incident response plan and provide incident response training with assigned roles and responsibilities of personnel to ensure the appropriate content and level of detail is included in such training.
Section 25.0 Awareness and Training
(NIST AT) (UTS165 S-18)
University Data Centers have required training for Data Center personnel that addresses basic understanding of the need for information security and awareness of the need for operations security.
Section 26.0 Non-Disclosure
(UTS165 S-22)
As a condition of obtaining access to the facility, all UT faculty, staff, students and third-parties shall agree to not disclose information they may obtain about the facility except to those who are required to have the information to conduct legitimate university business.
Section 27.0 Audit and Control
(UTS165 S-8, S-15, and S-16)
Periodic audits are performed to ensure compliance.
Section 28.0 Related UT Austin Policies and Best practices
Information Resources Use and Security Policy
Texas Admininstrative Code 202
UT Austin Acceptable Use Policy