Skip Ribbon Commands
Skip to main content
Navigate Up
Sign In
University of Louisville
 OFFICIAL
UNIVERSITY
ADMINISTRATIVE
 POLICY
 
 
This policy applies to all persons while conducting/performing work, teaching, research or study activity or otherwise using university resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
 
POLICY NAME
Data Facility Security
EFFECTIVE DATE
July 23, 2007
POLICY NUMBER
ISO-009
v2.0
 
POLICY STATEMENT
 
Data Facilities are controlled facilities devoted to housing servers, networking equipment and other computing devices. Access to the university, school, division or other data facilities must be controlled and restricted to appropriate personnel as required by their position and job responsibilities.
 
REASON FOR POLICY
 
To establish access and environmental controls for areas housing university servers, networking equipment and other computing devices.
 
 
RELATED INFORMATION/STANDARDS
 
 

Administrative Standards

 

General: 

  • Access control procedures must be in place to ensure that only authorized personnel have access to a data facility.
  • Visitor, contractor or other appropriate but non-routine access to a data facility must be granted and logged through designated personnel.
  • Either a visitor or service badge must be assigned or the person must be escorted while in the data facility.
  • Access log records, access control devices and their related maintenance records must be well maintained.
  • Procedures must be in place for contingency operations. IS PS002 Business Continuity and Disaster Recovery.

 

 

Information Technology Division Computing Data Facilities

  • If access to the data facility is required on a regular basis, a card key and Personal Identification Number (PIN) should be issued.
  • All authorized personnel entering the data facility must wear their University of Louisville identification or the visitor/service badge assigned.

 

Technical standards:

 

General:

  • Adequate conditioned power, uninterruptible power supplies, fire suppression devices, climate control and other environmental maintenance equipment must be used if an assessment of the criticality and sensitivity of systems housed within the computing operational center deems it appropriate.
  • Security and technical controls are applicable to both on-site and off-site (DR) facilities and storage.
    Note: The need for and depth of these types of services within the data facility should support and be consistent with requirements of the Business Continuity and Disaster Recovery Plan (see
    IS PS002 Business Continuity and Disaster Recovery).

 

 

Information Technology Data Facilities

  • Access Control - key card and personal identification number and/or campus card with proximity chip must be used for authentication and access control.
 
RESPONSIBILITIES
 
Policy Authority/Enforcement:  The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
 
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
 
HISTORY
 
 
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
 
 
Revision Date(s):
 
1.0   / July 23, 2007 / Original Publication
1.1.  / June 21, 2011 / Link Update
1.2.  / January 29, 2013 / Content Update
1.3.  / September 26, 2013 / Content Review
2.0   / March 8, 2016 / Content review and update to new template
 
Reviewed Date(s):  March 8, 2016; June 12, 2017; July 31, 2018
 
ADMINISTRATIVE AUTHORITY
 
Vice President for Risk, Audit, and Compliance
 
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
 

Information Security Office
502/852-6692
isopol@louisville.edu

The University Policy and Procedure Library is updated regularly.  In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.

 

 
 
Privacy Statement