Technology: On Premise Facilities

The objective of these guidelines is to set forth physical security requirements to prevent unauthorized access, damage and interference to university owned and controlled technology premises; data center, network wiring centers, cable TV head-end. These guidelines define the requirements for protecting university information and technology resources from physical and environmental threats in order to reduce the risk of loss, theft, damage, or unauthorized access to those resources, or interference with Bryant University operations.

All university owned and controlled technology premises shall be protected by appropriate entry controls and audit logging to ensure only authorized personnel are allowed access.

GENERAL

University equipment shall be installed in suitably protected areas with only the minimum required indication of their purpose (signage on building and/or room). The following controls shall be implemented:

• All doors and entrance locations of the technology premises shall be locked when unattended and protected during non-business hours by electronic alarms.
• Physical access controls such as locks and keys, swipe cards, video cameras are necessary to ensure protection and safety of technology resources, and property, and the safety of personnel using the facilities, and to comply with health and safety regulations.
• Back-up media stored on-site is considered a technology resource and shall be protected in the same fashion.
• The data center shall be located in secure environment protected by key card access controls and video surveillance to mitigate unauthorized access and use.
• Data center access shall be restricted to administrators and other authorized IT personnel and authorized third parties when escorted.
• Protection must be implemented against fire, flood, and other environmental factors that could damage the resources.
• Access to/use of publicly accessible network-ports shall be restricted in locations.

Specific requirements for the data center:

• Comply with all requirements listed above.
• Install fire suppression equipment.
• Provide emergency power shutdown controls.
• Equipment is to be located on racks raised above floor level.
• Provide an uninterruptible power supply.
• Annual testing will be performed on all fire and protective systems.
• A video camera will be pointed at the door with recordings retained for two weeks.
• Environmental controls will be implemented to ensure that temperature and humidity are maintained within limits for the equipment contained therein.
• Electrical power for servers hosting enterprise and departmental services must be protected by uninterruptable power supplies (UPS) to ensure continuity of services during power outages and to protect equipment from damage due to power irregularities. Each UPS should have sufficient capacity to provide at least 20 minutes of uptime to the systems connected to it. Systems hosting confidential data should also be protected with a standby power generator where feasible.
• All Network information technology resources must be fitted with effective surge protectors to prevent power spikes and subsequent damage to data and Hardware.
• Secured access devices (e.g. access cards, keys, combinations, etc.) must not be shared with or loaned to others by authorized users.

ENFORCEMENT

The University considers any violation of the directives outlined within this document to be an objectionable offense. Failure to comply may subject the violator to disciplinary action by the University.

EXCEPTIONS

Any exceptions to directives outlined within this document are to be reviewed and approved by the Information Security Program Committee as needed.