
I'm new to this site but have found the articles and feedback very useful. We have a Server Room which our Organisation owns and controls, yet there are several third-party companies that have open access to this room. As such, we have been asked to put together a protocol paper that stipulates the standards that we expect to be adhered to when working in this room. Other than the monitoring of UPS loads, air cooling functionality, alarm systems etc., does anyone have any guidance on the kind of issues that need to be documented to make this protocol all-encompassing? I'm thinking along the lines of not leaving cardboard or other combustibles in the room, not having food and drink in the room, not altering the fabric of the building by drilling through walls etc.

Many thanks in advance for any guidance provided.

Matthew E

5 Answers


I would add the additional requirement of CAT-5 color coding standards, if your group adheres to them and will be at all responsible for maintenance or support of the installations.

Matt Simmons

I think a general "keep this clean!!!!" policy is very much a good thing.

What this means:

Don't come in with muddy feet, because mud dries, turns to dust, and gets sucked up by the fans of all the servers, switches and the like in there (UPS...), and over time it can seriously wreak havoc on all those plastic fans, seriously hindering the cooling capabilities of your servers under load.

Entity_Razer

We have a sign-in/sign-out book for the server room too, which might be an idea for fault tracking; we also make sure 'untrusted' third parties are escorted at all times. The Cat5 colour coding is also damn useful when you're trying to find a problem in a hurry, as well as keeping them neat in the first place. Basically, be tidy! (something which I normally find difficult :-) ). All that should be in the server room is server- and communication-related equipment. Lastly, I would say server rooms are not store rooms! That includes computer-related equipment.

Dennis Williamson
ItsAMystery

Label equipment. How do you know which particular server in one of several racks is your database server or web server?

Organize cables - not just colour-coded, but don't have cables running across the floor. Not only is it a safety hazard, but walking on them isn't all that good for them either.

Make sure there is a good console area work desk, where two or three people can sit around the screens, and also have space for writing pads / manuals.

Ken Ray

As an information security professional, I will answer from a security perspective and suggest items that should be included in the policy paper.

Managing Physical access for 3rd party vendors / contractors

  1. Require multi-factor authentication (e.g. token and biometric)
  2. Require visitor sign-in using a log that is continuously monitored
  3. Require users from 3rd-party companies to be escorted by an authorized member of your organization
  4. Require periodic review of 3rd-party access to the server room. In alignment with least privilege, if access is no longer required for the job function, then revoke access ASAP
  5. Require physical audits of the server room periodically, given that 3rd parties have access. This increases risk, given that these 3rd-party users are not under the control of your company.
  6. Document the policy for notification of your company when a 3rd-party user no longer needs access or is terminated from the job. Who is responsible for communicating what?
Anthony
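The periodic access review and log audit that the sign-in book answer and items 2 to 5 of the answer above call for is easy to automate once the badge system, the vendor roster and the door log can be exported. The script below is an added example and not code from anyone in this thread; it assumes a badge-system export listing current credential holders, a procurement-maintained roster of active contracts with end dates, and a door log with in/out events and the escorting badge. All names, badge numbers, dates and log entries are constructed for illustration. It flags contractors who entered unescorted, entries with no matching exit, holders who are not on the roster or whose contract has ended, and credentials that have not been used within the review window, and it turns the revocable findings into a revocation list.

```python
"""Server-room access review: badge holders vs. vendor roster vs. door log.

Added example, not from the original thread. All data below is constructed.
Assumed inputs: a badge-system export (BADGE_HOLDERS), a procurement roster
of active contracts (VENDOR_ROSTER) and a chronological door log (DOOR_LOG).
"""
from datetime import date

# Constructed badge-system export: everyone who currently holds a server-room credential.
BADGE_HOLDERS = [
    {"badge": "B-1001", "name": "A. Smith", "company": "ACME Cooling", "role": "contractor"},
    {"badge": "B-1002", "name": "B. Jones", "company": "ACME Cooling", "role": "contractor"},
    {"badge": "B-1003", "name": "C. Lee", "company": "NetCo Ltd", "role": "contractor"},
    {"badge": "B-2001", "name": "D. Patel", "company": "Our Org", "role": "staff"},
]

# Constructed procurement roster: (company, name) -> contract end date. Only active contracts are listed.
VENDOR_ROSTER = {
    ("ACME Cooling", "A. Smith"): date(2025, 12, 31),
    ("NetCo Ltd", "C. Lee"): date(2025, 1, 15),  # contract already ended
}

# Constructed door log, assumed chronological: (badge, event, date, escorting badge or None).
DOOR_LOG = [
    ("B-1002", "IN", date(2024, 11, 1), "B-2001"),  # never signed out
    ("B-1003", "IN", date(2025, 2, 20), None),      # contractor entered unescorted
    ("B-1003", "OUT", date(2025, 2, 20), None),
    ("B-2001", "IN", date(2025, 3, 1), None),
    ("B-1001", "IN", date(2025, 3, 1), "B-2001"),
    ("B-1001", "OUT", date(2025, 3, 1), None),
    ("B-2001", "OUT", date(2025, 3, 1), None),
]

REVIEW_DATE = date(2025, 3, 15)  # constructed "today" for the review
REVOKE_REASONS = {"not_on_roster", "contract_ended", "inactive"}


def review_access(badge_holders, roster, door_log, today, inactive_days=90):
    """Return a sorted list of (badge, finding) pairs for the review period."""
    findings = set()
    staff = {h["badge"] for h in badge_holders if h["role"] == "staff"}
    contractors = {h["badge"] for h in badge_holders if h["role"] != "staff"}
    last_seen = {}
    open_entries = {}  # badge -> date of an IN event with no OUT yet

    # Pass 1: walk the door log for escort and sign-out violations.
    for badge, event, when, escort in door_log:
        last_seen[badge] = max(when, last_seen.get(badge, when))
        if event == "IN":
            if badge in contractors and escort not in staff:
                findings.add((badge, "unescorted_entry"))
            open_entries[badge] = when
        elif event == "OUT":
            open_entries.pop(badge, None)
    for badge in open_entries:
        findings.add((badge, "no_matching_exit"))

    # Pass 2: recertify every contractor credential against the roster and recent use.
    for h in badge_holders:
        badge = h["badge"]
        if badge not in contractors:
            continue
        end = roster.get((h["company"], h["name"]))
        if end is None:
            findings.add((badge, "not_on_roster"))
        elif end < today:
            findings.add((badge, "contract_ended"))
        seen = last_seen.get(badge)
        if seen is None or (today - seen).days > inactive_days:
            findings.add((badge, "inactive"))
    return sorted(findings)


def revocation_list(findings):
    """Badges whose findings mean the credential should be revoked now."""
    return sorted({badge for badge, reason in findings if reason in REVOKE_REASONS})


def run_review():
    """Run the review over the constructed data; returns (findings, badges to revoke)."""
    findings = review_access(BADGE_HOLDERS, VENDOR_ROSTER, DOOR_LOG, REVIEW_DATE)
    return findings, revocation_list(findings)


if __name__ == "__main__":
    findings, revoke = run_review()
    for badge, reason in findings:
        print(f"{badge}: {reason}")
    print("revoke:", ", ".join(revoke))
```

Escort and sign-out checks come straight from the door log, so they can run daily as the "continuously monitored" part; the roster and inactivity checks are the periodic recertification, and the revocation list is what goes back to the badge administrator. The 90-day inactivity window and the assumption that the log is chronological are both choices to adjust to the site.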