Access to Secure Computing Facilities (F-32)
Original Implementation: July 14, 1998
Last Revision: January 30, 2007
A secure environment must be maintained for all central computer systems managed by Information Technology Services (ITS). To that end, physical access to all central facilities must be strictly regulated. The process of regulating access will include, but is not limited to, setting guidelines for personnel that will be allowed access, monitoring the physical area for access violations and reporting any suspected violations to the appropriate authorities.
Secure computing facilities at the Boynton Computer Center will be defined as the Boynton Computer Center Machine Room and the adjoining hallway between the east and west entrances to this area containing the report distribution lock boxes.
Guidelines for Access to Secure Facilities
Types of Access Allowed
Full Access — The individual will be given keys, door codes, card swipe access, and alarm codes for access to the Boynton Computer Center Machine Room and may enter the facility at will.
Limited Access — The individual can be let in to the facility to perform designated tasks that require access to the Boynton Computer Center Machine Room.
Escorted Access -- Individual(s) can enter the Boynton Computer Center Machine room only under continuous escort by Operations or Technical Support Staff.
Report Access – The individual can be granted swipe card access to the hallway containing the lock boxes, or they can be let in by ITS operations personnel.
Criteria Determining Access
Full Access
To be granted full access to secure computing facilities, an individual must meet all the following criteria:
- A regular, recurring need for unimpeded access to equipment located within the machine room 24 hours a day, 7 days a week.
- Must be employed by Information Technology Services in the Operations or Technical Support Areas, or Director of ITS.
Limited Access
To be granted limited access to secure computing facilities, an individual must meet all the following criteria:
- An occasional or intermittent need for access to secure computing facilities to perform scheduled maintenance to equipment located within the machine room.
- A member of the Operations or Technical Support Staff can give the individual access to the secure area.
- The individual must be employed by the University.
Escorted Access
To be granted escorted access to secure computing facilities, an individual must meet some or all of the following criteria:
- Member of a tour group.
- A contractor or maintenance person not employed by the University that must perform maintenance, installation, construction, de-installation, or other well-defined task that requires access to the secure area.
- A member of the Operations or Technical Support Staff must accompany the individual(s) without interruption during the duration of the individual’s stay in the secure area.
Report Access
To be granted report access to the hallway, an individual must meet all of the following criteria:
- The individual must be employed by the University.
- The individual is responsible for retrieving output generated in the computer center on a regular basis.
General Guidelines for Monitoring Access to Secure Facilities
Monitoring of the secure computing facilities shall be carried out by the Operations and Technical Support Staff employed by Information Technology Services. Operations and Technical Support staff should conduct regular walkthroughs of the facility while on duty. All ITS staff members are encouraged to report any activity they even remotely regard as suspicious or hostile to a member of the Operations or Technical Support Staff. Access to the machine rooms will be logged. All individuals granted escorted access to the machine room will sign in on a log provided at the door. All entrances and exits are being video recorded.
Loud or disruptive behavior will not be tolerated in secure areas of the Computer Center. Such behavior detracts from the security monitoring process as well as distracting personnel performing complex tasks in these areas. Individuals or groups engaging in this type of behavior will be asked to leave the area at once; individuals refusing to comply will face disciplinary action. The University Police Department can be engaged in enforcing this policy if the situation warrants.
Times of Access to Secure Area
At all times the hallway doors are locked via magnetic locks. Access to the hallway is logged when access is granted by the card swipe or proximity card reader.
- Business Hours - During the hours of 7 AM - 6 PM, Monday through Friday excluding holidays, the East and West Entrances to the secure area will grant access via the magnetic card readers to individuals with Full Access, Limited Access, and Report Access. In addition, the East entrance to the Boynton Building at the corner of Aikman and East College will be unlocked during this same period. During these periods, Operations and Technical Support Staff will regularly check that the doors to the machine room are closed and locked, and that no unauthorized individuals are in the Machine Room.
- Off Hours - Any time other than normal business hours, access to the secure area is only permitted to individuals with Full Access. In addition, the East entrance to the Boynton Building at the corner of Aikman and East College will be closed and locked. During these periods, Operations and Technical Support on-duty staff will regularly check that all entrances to the secure area are properly closed and locked and that no unauthorized personnel are within the secure area. At any time that on-duty personnel have to leave the secure area during off-hours, no matter how brief, the alarm / security system that protects this area is to be engaged and it will be physically confirmed by the individual that all doors are locked and the bolts to these doors are properly engaged.
Guidelines for Reporting Suspected Violations
During normal business hours, the person discovering an access violation will immediately report it to the Director or the Assistant Director of ITS. The University Police Department (UPD) will then be notified at once by one of these individuals. In the event the Director or Assistant Director of ITS are not available, the person discovering the violation should immediately contact UPD directly.
During off-hours, the on-duty Operations staff should immediately contact University Police at once and request assistance. Operations staff should then call the Assistant Director of ITS and report the situation. The Assistant Director can then assess the situation and advise the Director of ITS and others as needed. In the absence of the Assistant Director, the Systems Programmers or the Operations Manager may be called to initiate action.
At any time one of the contacts can initiate the disaster recovery plan if the situation includes damage or potential further damage to the computer center that would impact normal operations. Under no circumstances should a staff member confront individual(s) committing an access violation that might even remotely be considered a threat. Staff should move to a safe location and call University Police at once. The Department of Audit Services is to be notified in writing of any access violation within 24 hours.
Cross Reference: None
Responsible for Implementation: Vice President for Finance and Administration
Contact for Revision: Director of Information Technology Services
Forms: None