Oxford Univ _ Data Center Security Policy

https://www.it.ox.ac.uk/data-centres/data-centre-security-policy

Skip to main content

Header shortcuts

Getting started

Manage accounts

Nexus email

Service status

IT rules

Blogs

Social networking links

Subscribe to our RSS feed

Follow us on Twitter

Find us on Facebook

Find us on GitHub

University of Oxford

IT Services

delivering responsive, innovative IT at the University of Oxford

Search Google Appliance

Enter the terms you wish to search for.
Search within:
all
help

Contact the service desk

View requests

Visit the IT Help site

Top Nav

Home

What we do

I want to...

Services

About

News & events

Data Centre security policy

1. Preamble
The primary function of the IT Services data centre and the University Shared Data Centre is to
provide a secure, resilient, engineered and monitored environment for the location of a diverse
range of equipment required for the provision of IT services to the collegiate University, many of
which are critical to the successful fulfilment of the University's business. The purpose of the
data centre security policy is to help ensure that the data centre, and the equipment hosted

therein, remains secure by having in place a policy and procedures to restrict access to the data
centre to authorised persons.
The Data Centre Policy uses as its basis the Information Security Policy for the University. The
[draft] IS Policy includes a sub-policy on the security of the physical information environment:

8. Physical and Environmental Security

Procedures should be in place to ensure that secure areas are protected by appropriate entry
controls to ensure that only authorised personnel are allowed access. Security perimeters should
be defined to protect areas that contain confidential or sensitive information and/or information
systems. Appropriate physical security for offices, rooms, facilities etc. should therefore be
implemented and offices housing systems containing non-public data should be kept locked.
Where appropriate, physical protection should be provided against damage from natural, or manmade disasters, such as fire, flood, explosion etc. All users are required to ensure that systems are
not left open to access by intruders to buildings, or by unauthorised colleagues.
Procedures should be in place to ensure that equipment hosting data not open for public access
are not accessible in public areas. Equipment should be sited or protected to reduce the risks
from environmental threats and hazards, and opportunities for unauthorised access. Equipment
should be protected from power failures and other disruptions caused by failures in supporting
utilities. Procedures should be in place to ensure that media containing information is protected
against unauthorised access, misuse or corruption during transportation beyond the
unit's/University's physical boundaries.
Procedures exist to ensure that equipment, information or software is not taken off-site without
prior authorisation. Security should be applied to off-site equipment taking into account the
different risks of working outside the University/unit's premises. Procedures should exist to
ensure that any sensitive data and licensed software have been removed or securely overwritten
when equipment is sold on, transferred or scrapped.
(Information Security Policy (draft), 5 May 2011, section 8)
The Data Centre Security Policy seeks to follow good practice, as far as possible, in securing the
physical environment in which reside the networking, servers, storage and other hardware
underpinning the University's information and communications services. The policy aims to
minimise the risk to the security of the University's information systems and to help ensure the
safety of staff working within the data centre. In principle, the data centre environment should
aim to be as secure as the servers hosted within the data centre.

2. Authority
Changes to this policy, in so far as it applies to data centres under the jurisdiction of IT Services,
must be authorised by the IT Services Senior Managers Group.

The Data Centre Manager is responsible for day to day operations within the data centre;
monitoring usage; and maintaining security.

3. Access to the data centre

Entrances to the data centre should remain locked at all times. Entry by authorised staff should
be by means of a physical token (e.g. iButton).

4. IT Services staff
IT Services staff are only permitted entry to the data centre in order to undertake specific tasks
with respect to the installation, maintenance, auditing, and decommissioning of equipment
housed there and for which they have responsibility.
General entry to the data centre by staff, including for access to other parts of the building
(except in emergencies), is not generally permitted.

5. Other University staff

Where there is an agreement that another department may host equipment in the data centre then
access will be granted, on application, to individual IT support staff within that department. The
data centre manager is responsible for authorising such access and will maintain a log of
individuals who have been granted access, including a record of access tokens provided. The log
will be shared with the IT Services buildings manager. Access to the data centre is granted to an
individual and no other individual should assume they have access unless specifically authorised
by the data centre manager. In particular, access keys and codes must not be shared with any
other individual.

6. Contractors and authorised visitors

External contractors who require access to the data centre in order to undertake maintenance or
similar work relating to equipment housed in the data centre should be notified, where
reasonably possible, to the Data Centre Manager in advance, and accompanied, by the member
of staff responsible for the contractor. In any case, all such visitors should abide by the
Department's rules for visitors entering the Department's private areas, including signing-in at
Reception and wearing a visitor badge or University identification. Contractors must be made
aware of the health and safety and other rules relating to working in the data centre.
Contractors requiring access to the Data Centre outside working hours must be accompanied at
all times by an authorised member of University staff.
Deliveries requiring access via the loading bay and external door should be agreed with the data
centre manager in advance.

Casual visitors, including tour groups, are not permitted access to the data centre except in
exceptional circumstances and only with the prior permission of the Director of Computing
Systems and Services.

7. Data Centre Security Rules

Only authorised staff and visitors may enter and work within the data centre. To seek
authorisation please contact the Data Centre Manager in the first instance
(datacentre@it.ox.ac.uk). All persons must abide by these rules:
1. You must make yourself familiar with applicable health and safety rules for working within a
data centre.
2. You must not bring food, drink or other 'wet' items (e.g. coats and umbrellas) into or through
the data centre.
3. You must remove all packaging and associated materials from the data centre.
4. You should arrange for the removal of any equipment no longer required as soon as possible
after decommissioning.
5. You must use appropriate tools for the job (e.g. for the removal of floor tiles) and rehouse
them when completed.
6. You must avoid obstructing aisles or walkways, introducing trip hazards or leaving floor tiles
unsettled anywhere in the data centre.
7. You must not leave unlocked or prop open any access door to the data centre.
8. You must not enable unauthorised persons to enter the data centre. In particular, you must not
share your key or access codes with any other individual and nor must you be accompanied by
any unauthorised person.
9. You must inform the data centre manager of any breaches to this security policy known to you.
Status of Document: Version 0.9, created 10 May 2011; approved by OUCS Senior Managers
Group, 24 May 2011; version 1.0, 17 July 2011; minor edits and published 31 July 2011.

Data centres

Data Centre security policy

Data Centres pricing

University Private Cloud

Service desk
13 Banbury Road, Oxford, OX2 6NN
tel: (+44) 1865 612345

Administrative address
Dartington House, University Offices, Wellington Square, Oxford OX1 2JD

Our offices
13 Banbury Road, Oxford OX2 6NN
tel: (+44) 1865 273200

Dartington House, University Offices, Wellington Square, Oxford OX1 2JD

tel: (+44) 1865 270202

23-38 Hythe Bridge Street, Oxford OX1 2EP

tel: (+44) 1865 270000

Gibson Building, Radcliffe Observatory Quarter, Woodstock Road, Oxford OX2 6GG
tel: (+44) 1865 283835

footer links

Accessibility

Jobs

Privacy

Cookies

Legal

Picture credits

Contact webmaster

Related sites

Staff Intranet

IT Learning Programme courses catalogue

IT Services online shop

Sharepoint

WebLearn

Footer text
Ucisa member