Information Technology Physical Access Policy

Policy Number
VII:01:26

Purpose

The purpose of the Information Technology (IT) Physical Access Policy is to establish guidelines for accessing the IT server room and intermediate distribution frame (IDF) closets. The IDF closets are limited access areas. The server rooms are restricted access areas. Either inadvertent or intentional damage or theft in these areas could severely impair critical campus communications. Theft of equipment or data storage from restricted access areas could result in the loss of confidential or personally identifiable information.

Access Requirements for Both IDF and Server Rooms

  1. Only personnel requiring constant or regular access to these areas will have card and/or key access issued to them. Employees having keys or cards permitting access to these areas will be documented on the IT Access List maintained by the Director of Information Technology.
  2. All requests for card/key access to the IT server room or IDF closets must be approved by the Director of Information Technology.
  3. If card access is available then keys must not be used so that access is logged via the card access system.
  4. Doors to these areas must not be propped open unless someone is actively monitoring to prevent unauthorized access.
  5. Vendor access to IDF closets.
    1. Under normal circumstances (non-emergency), the Director of Information Technology must be notified at least 24 hours in advance of vendors working in these areas.
    2. The responsible party must remain with the vendor any time they are in the IDF closets.

Vendor Access to Server Rooms

  1. Scheduled vendor access will be permitted during the normal working hours of 8:00 a.m. and 4:30 p.m. excluding holidays with a minimum of 24 hours notice to the Director of Information Technology.
  2. The Director of Information Technology must be notified at least two weeks in advance of scheduled vendor access requirements after normal work hours or on weekends and holidays.
  3. The party responsible for bringing the vendor in must notify the Director of Information Technology of work being performed in the server room, the time required, and who will have access to the area.
  4. After-hours emergency access will be provided by Campus Police. Campus Police will follow their documented procedures for access and notification.
  5. Individuals not on the IT Access List are required to record the following in the server room area log book: date, name, company or department, reason for entry, in time, and out time.
  6. Contractors will not receive key or card access to the IT Server rooms.

 

VSCC Source: President’s Cabinet, June 7, 2010