14.11 Data Center
Purpose
The University of Northern Iowa acknowledges its obligation to ensure appropriate security and availability for data and IT resources in its domain of ownership and control. Furthermore, the University recognizes its responsibility to protect servers, network gear, and other sensitive IT resources in centrally-managed data centers.
The University of Northern Iowa develops, publishes, and enforces policies, procedures, and standards in order to achieve and maintain appropriate protection of university data and data centers. This document along with related security policies, procedures, and standards identifies key issues for which individuals, colleges, departments, and units are responsible.
Scope
This policy applies to all faculty, staff, and students as well as any other individuals or entities who use data and servers at the University of Northern Iowa. This policy applies to all university data, even if stored without the use of an IT resource. Further, this policy applies to all IT resources owned or leased by UNI.
Policy Statement
The University of Northern Iowa maintains two data centers on campus and also utilizes an off-campus data center facility.
Servers must be housed in a data center and must not be located in offices, storage rooms, or other makeshift facilities. No other data center or data closet (excluding those with network gear) residing at UNI will be permitted without the oversight and permission of the Chief Information Officer (CIO) or designee. This policy does not preclude the use of outsourced or “cloud” data center services if they are a benefit to the University and approved by the CIO or designee.
The CIO or designee shall publish appropriate procedures and standards to protect the confidentiality, integrity, and availability of the university data centers. The procedures and standards shall be updated regularly as advances in technology occur and will have the full force and effect of this policy.
UNI employees shall follow all applicable policies and procedures of the Information Technology Facility (ITF) when installing or servicing equipment at that location.
Procedures
Data Center Requirements
Data centers shall provide the following minimum services and resources:
- Redundant power circuits per rack
- Backup power generator
- Uninterruptible power supply for all IT resources
- Redundant cooling
- Environmental monitoring (temperature, humidity, water ingress)
- Automatic clean agent fire suppression
- Security camera coverage for points of entry and exit
- Security camera coverage for all equipment
- Security alarm system
- Multifactor authentication for entry (ID card plus PIN)
Only IT-Network & Infrastructure Services (IT-NIS) staff may install and remove equipment in the data centers located at UNI. At their discretion, IT-NIS may allow other staff to assist in the installation or removal of equipment, but only under IT-NIS supervision. Equipment must meet minimum standards that shall be published by IT-NIS or be purchased after consultation with IT-NIS. An inventory of all equipment contained in the data centers shall be maintained by IT-NIS.
Access to the data centers shall be audited by the security officer on a quarterly basis. A review of personnel with access to the data centers shall occur quarterly. Visitors to the data centers shall sign a log book and be escorted at all times unless it is more practical to monitor the visitor via security cameras at the discretion of the IT-NIS director. Student employees of IT may access the data centers as a non-visitor with permission of the Director of IT-NIS.
Risk Assessment
Risk assessment is a systematic process used in determining the potential impact of a negative event by evaluating the nature of the information and information systems. The data centers will have a risk assessment conducted at an interval prescribed by the CIO or designee. The results of risk assessments will be placed on file for audit and accountability purposes. The risk assessment shall include risks to confidentiality, integrity, and availability.
Specific Roles and Responsibilities
Director, IT-Network & Infrastructure Services
The Director of IT-Network & Infrastructure Services shall have direct oversight of all data center functions. At their discretion, the director of IT-NIS, in cooperation with the Chief Information Officer, has authority to grant exceptions to this policy when in support of the University’s mission. Such exceptions must be documented and justified by the requester and approved in writing by the director of IT-NIS. The director of IT-NIS is responsible for approving access to UNI’s data centers.
Data Custodian
The data custodians, as a group, are responsible for recommending and establishing policies, procedures, standards, and guidelines for data administration activities. Data custodians shall inform the Director of IT-NIS of any required security protocols for data housed in the data centers.
Third Party Vendors or Service Providers
Third party vendors or service providers requiring access to equipment located in UNI’s data centers are subject to this and other university security policies and will be required to acknowledge their obligations in contractual agreements.
Disciplinary Action
Violations of this policy may be referred for disciplinary action as indicated in Policy 14.04 Acceptable Use of Information Technology Resources.
Reporting of Data Security Incidents
A critical component of data center security is to address security breaches promptly and with the appropriate level of action. All individuals must follow the Information Security Incident Response Policy (UNI policy 14.02).
Usage of Terms
AVAILABILITY – Availability is the ability to assure that systems work promptly and service is not denied to authorized users. A loss of availability is the disruption of access to or use of information or an information system.
CONFIDENTIALITY – Confidentiality ensures that confidential information is only disclosed to authorized individuals. A loss of confidentiality, for the purposes of this policy, is the unauthorized disclosure of information.
DATA CENTER — A data center is a facility to house servers, network gear, and other IT resources in an environment that provides additional power, cooling, safety, security, and reliability for the equipment.
DATA CUSTODIAN – Data custodians are senior university officials who have planning, management, and policy-level responsibility for data within their functional areas. A data custodian has the authority to authorize or deny access to data. For example, the Registrar, Director of Human Resource Services, Director of Business Operations, and Director of Admissions, Department Heads, Deans, Vice Presidents, and the University President would all be data custodians. University administrators may act as data custodians for departments under their authority.
INTEGRITY – Integrity is the appropriate maintenance of information and systems. A loss of integrity is the unauthorized modification or destruction of information.
IT RESOURCE – IT resource may include computers, software, servers, network utilization, storage utilization, virtual machine capacity, tablets, phones, multimedia devices, storage devices, wireless spectrum, and any other in-demand resource managed by IT staff.
POTENTIAL IMPACT – Potential impact is the level of adverse effect a loss of confidentiality, integrity, or availability could be expected to have on university operations, university assets, or individuals.
SERVER — Nearly all computers may function as a server. For this policy, a server is generally an IT resource that provides centralized services to other IT resources and has specialized hardware and/or software to ensure reliability and capacity.
UNIVERSITY DATA – University data are information that supports the mission and operation of the University. It is a vital asset and is owned by the University. Some university data are shared across multiple units of the University as well as outside entities.
USER – User includes any faculty, staff, student, developer, contractor, vendor, or visitor as well as any other individual or entity using information, university data, and/or IT resources of the University of Northern Iowa.
VISITOR — A visitor to a data center is any non-UNI employee unless otherwise designated by the director of IT-NIS. Further, a visitor is also any employee with no business need to access the data center.
Information Technology, approved February 22, 2019
University Council, approved April 15, 2019
President and Executive Management Team, approved May 6, 2019