Policy Approval Authority | President |
Responsible Division | Division of Information Technology |
Responsible Officer(s) | Director of Information Security, University Privacy Officer |
Contact Person | Bob Barton |
Primary Audience | Faculty, Staff |
Date Submitted to Policy Library | 02-03-2022 |
Status | Active |
Last Review Date | 02-03-2022 |
Policy Category/Categories | Information Technology |
NIU data center facilities are secured areas. Entry is prohibited except for authorized individuals, and those they accompany, for official university purposes only. This policy governs access to the NIU data center locations.
University employees who need access to an NIU data center location must complete the Facilities Key Control and Division of IT (DoIT) authorization and approval process. Those who have been authorized will receive OneCard swipe access to only the data center location needed. In addition, some employees in Facilities and the Division of IT will have approval for physical key access based on required job duties.
If the University enters into a contract with a vendor for paid support services that requires frequent access to an NIU data center location, the vendor must provide proof of their staff’s background check or NIU must perform a background check; the Department owning the contract must follow the sponsored account process for the vendor’s staff member; and each vendor staff member must be explicitly approved by the authorization process above before being issued an individual OneCard for swipe card access to the data center facilities. The sponsoring Department is responsible for the cost of the sponsored account OneCard. The sponsoring Department is responsible for requesting revocation of sponsored account access as soon as they are aware that the sponsored individual no longer needs access.
Any individual not explicitly approved by the authorization process above, hereby designated as a third party, may not access an NIU data center unless:
All authorized employees must use card swipe for access unless key access is required. Tailgating, or “piggybacking” on someone else’s swipe card, is not allowed. Each authorized person should swipe for their own access. All staff who enter without swiping, regardless of whether they have card access or not, must sign in.
Every third party must sign in and sign out on the access log located near the door of each facility. It is the responsibility of the employee escort to ensure that the third party signs this logbook. The escort is also responsible for ensuring that third-party access is restricted to the immediate area surrounding the systems that the escort and/or third party is authorized to access.
Everyone who signs the log must state the reason for their visit. Examples could be: XYZ server maintenance, SMRF #1234, work order #1234, project #1234, etc. Access is limited only to those areas, racks, and systems the employee is authorized for.
Hours of access for authorized individuals who are not Division of IT or Facilities staff are Monday-Friday, 7 a.m.-5 p.m. Authorized individuals requesting access to a DoIT facility after hours are required to follow the Division of IT after-hours on-call support model and will be charged $35/hr with a minimum of two hours charged.
Access for non-DoIT and non-Facilities employees expires annually and must be renewed.
Access will be revoked immediately upon separation from the University.
Tours may be scheduled with the Division of IT at least one month in advance. A list of individuals participating in the tour should be supplied by the person requesting the tour. The list should be attached to the sign-in log and the individual requesting the tour must sign in for the tour group. Recording devices are prohibited. Exceptions may be made by the Office of Information Security only.
A member of DoIT staff or management will escort the authorized individuals into the facility.
The following rules of conduct apply to all who enter the computer and network facilities:
All events that have any potential negative consequences for the management of the data center, the equipment therein, or the confidentiality, integrity and availability of the data and network, must be reported to the Division of Information Technology Service Desk as soon as possible after discovery. DoIT will review the event to determine what response is necessary.
Examples of events may be:
Anyone who is found not in compliance with this policy will have their authorization to access the NIU computer and network facilities revoked, and university corrective action will be administered up to and including termination depending on the severity of the situation.
Policy Library
815-753-5560
policy-library@niu.edu