Educause Security Discussion mailing list archives
Re: physical security of datacenter with hosting services
From: Michael Sana <msana () HPU EDU>
Date: Fri, 27 Apr 2007 09:28:10 -1000
Aloha Bob,

Not sure how your team has addressed PCI compliance, but keep it in mind: if your cardholder environment will be inside this data center, you may have to take into consideration Requirement 9 of the PCI DSS standard. Requirement 9 states requirements for restricting access to cardholder data, but subsections 9.2 to 9.4 pertain more closely to the data center itself. With more people using a centralized data center, you may have to review and reiterate the policies in place to ensure/maintain compliance.

You can find a copy of the PCI DSS 1.1 here: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

mike.sana

-----Original Message-----
From: Bob Bayn [mailto:Bob.Bayn () USU EDU]
Sent: Friday, April 27, 2007 7:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] physical security of datacenter with hosting services

Our central data center of about 1800 sq ft is being overhauled and upgraded after about 20 years of service: new water-cooled air conditioning, UPS, standard rack systems with hot and cold aisles and elimination of operations staff. After the overhaul the facility will provide additional hosting capability for the wide assortment of servers scattered across campus and will give campus planning services the opportunity to reject attempts to create mini-datacenters in departments in favor of using our improved location to host their servers.

The consequence of concern to me is that we will have many more people expecting to have access to their equipment in the data center, which we will no longer have staffed. We will have access control by biometric scanner and will have cameras throughout the facility. However, someone authorized to manage the server for the department of redundancy department will also have physical access to all of the core services housed in the same room. They will have signed security agreements but their visits to the data center may not be directly monitored.

How do others manage the physical access by 30-50 people to an unstaffed central data center and maintain assurances that core systems are uncompromised?

Bob Bayn
IT Security Team
Utah State University
Logan, Utah