1.        Purpose

Many large enterprises employ numerous servers to support their needs. These servers, hosting a business’s most critical applications, are often physically stored at a single location within the enterprise. This concept, commonly referred to as a server farm, provides the benefits of centralized control and management. Nevertheless, this approach has an inherent weakness: a collection of servers in one place is more vulnerable to physical damage than distributed servers. This issue, however, can be addressed by appropriate security measures. The Company IT’s Server Room Security Procedure addresses the issue and provides the policy guidelines necessary to sustain server operations.

2.        Scope

The Server Room Security Procedure is applicable to all those employees at The Company whose responsibilities require access to and interaction with the server room.

3.        Owner

The Company, IT.

4.        Policy

In order to ensure the security of the server room, the following guidelines must be taken into account by those involved with the server room.

  • Access to the server room is restricted to the IT system administration team. By default, this team consists of five members of the IT staff.
  • Other members of the IT department who desire access to the server room must obtain the Server Room Access Request Form (TBD) from the IT helpdesk. After completing this form, the requester should submit it to the IT helpdesk. The IT helpdesk will check whether the form is complete and, if it is, will forward the request to the IT manager for review and (dis)approval.
  • Members of the IT system administration team are assigned a four-digit pin code necessary for accessing the server room.
  • Access to the server room requires the member’s employee pass in combination with his personal four-digit pin code.
  • Pin codes should be regularly changed.
  • To access the server room, the member must first go through the adjacent computer room.
  • Access to the computer room also requires authentication with the member’s pass and pin code.
  • Access to the computer room is restricted to members of IT. These members will also be assigned a four-digit pin code for access to the computer room. They, however, cannot access the server room with their pin codes.
  • In the case of maintenance of server room equipment by third-party companies (such as China Telecom), the maintenance engineer must be accompanied by at least one member of the IT system administration team during the period of maintenance.
  • One member of the IT system administration team must be assigned to the task of checking the server room on a daily basis.
  • In order to prevent system malfunction due to overheating, the air conditioners in the server room must be configured to maintain the temperature between 21 and 23 degrees Celsius.

5.        Roles and Responsibilities

The Server Room Security Procedure involves the following roles and corresponding responsibilities.

Role Responsibilities
   
IT System Administration Team (SAT) (also System Team)
  • The IT SAT is responsible for performing daily checks of the server room to ensure continuance of server operations.
  • The IT SAT is responsible for maintaining the temperature in the server room between 21 and 23 degrees Celsius.
  • The IT SAT is responsible for checking all servers and ensuring sufficient disk space is available for proper functioning of systems.
  • The IT SAT is responsible for assigning pin codes to SAT members for access to the server room.
  • The IT SAT is responsible for regularly changing the pin codes that provide access to the server room.

 

IT Manager
  • The IT manager is responsible for reviewing applications for access to the server room that are submitted to him by the IT helpdesk.
  • The IT manager is responsible for periodic review and adjustment of the Server Room Security Procedure.
  • The IT manager is responsible for returning (dis)approved requests to the IT helpdesk.

 

IT helpdesk
  • The IT helpdesk is responsible for managing the supply of Server Room Access Request Forms.
  • The IT helpdesk is responsible for checking whether the forms submitted to them are complete.
  • The IT helpdesk is responsible for contacting the requester in case of incomplete forms and (dis)approved requests.
  • The IT helpdesk is responsible for forwarding completed forms to the IT manager.

 

IT personnel (other than SAT)
  • IT personnel are responsible for requesting access to the server room according to the procedure.

 

6.        Definitions and Abbreviations

6.1.     Definitions

Server: A computer which provides some service for other computers connected to it via a network.

Server farm: A server farm is a collection of computer servers usually maintained by an enterprise to accomplish server needs far beyond the capability of one machine. It also allows the distribution of tasks so that when one particular server (such as email) fails, the entire system is not stopped.

6.2.    Abbreviations

IT: Information Technology

SAT: System Administration Team

7.        Procedure details

7.1.    Procedure definition

7.1.1.     Accessing the server room

IT SAT members access the server room on the second floor by using their employee ID cards and the personal pin code assigned to them by the SAT. Access to the computer room and access to the adjacent server room both require authentication.

7.1.2.     Requesting access to the server room

IT personnel who require access to the server room but are not part of the SAT can request access to the server room. They should obtain the Server Room Access Request Form (TBD) from the IT helpdesk. After completing the form, the requester should submit it to the IT helpdesk for further processing. The IT manager is responsible for reviewing and (dis)approving the request.

7.1.3.     Checking and maintaining the server room

Daily checks must be performed by the SAT in order to proactively identify possible problems that might compromise the system. If any vulnerabilities are identified, the SAT must take immediate action to address the issue. Moreover, the SAT must ensure that sufficient disk space is available on the servers for normal operation. The SAT must also ensure that the temperature in the server room measures between 21 and 23 degrees Celsius; proper climate control is a necessity.

7.1.4.     Reviewing and updating the Server Room Security Procedure

Similar to other procedures, the Server Room Security Procedure must be regularly reviewed and adjusted to reflect the current conditions. The IT manager should first assess the changes that affect the procedure. Subsequently, he should edit the current version of the Server Room Security Procedure and replace it with the updated version.

7.2.    Procedure flow charts

7.2.1.     Accessing the server room

TBD

7.2.2.     Requesting access to the server room

TBD

7.2.3.     Checking and maintaining the server room

TBD

7.2.4.     Reviewing and updating the Server Room Security Procedure

TBD