Dept. of Administrative & Financial Services
Office of Information Technology
OIT Data Center Access Control Procedure
It is the responsibility of the Enterprise Operations and Monitoring (EOM) section of Core Technologies Services (CTS) to provide a secure, stable physical environment for servers and mainframes for both OIT and outside agencies.
The purpose of this document is to clarify and delineate the process by which employees, contractors, vendors, and other individuals are authorized for access, and the conditions for controlling that authorized access. EOM must be able to guarantee that the physical environment is maintained and operated in a professional manner equivalent to what one would expect of a commercial facility.
General procedures regardless of access level:
· All persons, regardless of their method of entry, must make a log entry in the log book inside the OIT Data Centers (e.g. Edison Drive Operations Center [EDOC] and Central Maine Commerce Center [CMCC]) listing:
· their name, and
· a description of the reason for their entry, a Request for Change (RFC) number, an EOM Project Footprints ticket number, or a Customer Support Project Footprints ticket number, and
· the date and time of their entry, and
· the date and time of their departure.
· It is expected that handwriting will be legible and narratives will be sufficiently descriptive to indicate the nature of the problem being worked on. Log entries such as “Server”, “GIS”, “Network”, or “Service” are not acceptable and will be reported to management as a violation.
· ALL personnel are required to use their access card at the card reader outside the data center when entering the data center, including when in a group, and even if their card is not authorized to grant access. The action will be automatically recorded in the access control system log files and can be compared to the sign-in book if necessary.
· Upon entering the EDOC Data Center, all persons must check in with Operations staff on duty (when Operations staff is readily available) with a notification of their presence, the nature of their business and their whereabouts in the room.
· Personnel are expected to notify Facility Services in advance of any known electrical needs, physical server changes, or any other action involving the electrical power system or physical connection to the network, through the use of a Footprints ticket under the OIT Facilities project (Work Order) or the OIT Change Management project (RFC), as appropriate. Personnel must not plug equipment into any connection or make any other physical changes without authorization from Facility Services personnel as recorded in these tickets, as a circuit overload may result.
· Any staff member with card authorization who is escorting a visitor without access privilege will verify that the visitor has checked in with EDOC Security for a Visitor’s badge or a Vendor/Contractor badge. This applies to only the EDOC Data Center.
· Authorized staff members will be totally responsible and held accountable for an escorted individual’s or group’s actions at both EDOC and CMCC Data Centers.
· On occasion (e.g., weekends when there may be only one individual on duty), the EDOC Data Center may be unstaffed for a short period of time for breaks. During these ‘after hours’ times, the operators will carry a cell phone and/or pager. The contact number(s) will be posted on the wall just above the ‘Sign-in Book’ inside the Data Center. NOTE: You cannot use the phone just outside the double doors of the EDOC Data Center entry to reach these numbers. It is a ‘direct’ line to a dedicated phone within the Data Center.
· Anyone responding to an automated contact by WEBNM or some other form of ‘call home’ system must follow procedures as outlined in this document.
· If Standard Operating Procedures (SOP) on file in Operations are not sufficient to resolve a given situation, then an escalation process will be initiated by the EOM Duty Operator based on the Duty Roster (see http://csn.state.me.us/login.php).
Specific Guidelines and Procedures
24/7 Access (24 hour access 7 days per week) procedures:
· Permanent 24/7 access permission is reserved for EOM and Security staff only. All other persons are considered Data Center Visitors.
Daytime access (6 am – 7 pm Monday through Friday, No Holidays):
· Management will select a limited list of staff members for Data Center support between the hours of 5 AM to 7 PM, in order to keep the large number of personnel down to a controllable number.
· All other personnel needing access to any Data Center must:
· be ‘escorted’ by staff having an authorized entry card
· or, for the EDOC Data Center only, use the phone outside the EDOC Data Center to check in with the Duty Operator for identification and stating the nature of the entry. If approved, the Duty Operator will ‘buzz’ the person in.
Off-Hours and Emergency Access (7 PM to 6 AM M-F, Holidays, and weekends):
Off-hours access to Data Centers is subject to the following:
· Name must appear on a pre-approved 24/7 list such as the OIT Duty Roster or EOM Organizational Chart,
· or, be escorted by staff on a pre-approved 24/7 list,
· or, reference an OIT Change Management project Request For Change (RFC) number. (See OIT Change Management RFC procedure below)
· or, have an Authorizing Agent (see definition below) notify EOM Duty Operator of access approval to OIT Data Center (See Emergency Access Customer Support Ticket procedure below)
· Emergency access will be granted for a maximum of 24 hours only. If access is required beyond that, the task should be transferred to an emergency RFC.
Pre-Approval process (General):
· Individuals must pass a Maine State Police (MSP) background check as detailed in “Procedure to Obtain Clearance for Unescorted Access to OIT Data Centers” before they may be granted approval for badge access to OIT Data Centers.
· Individuals must also be determined by their supervisor to have job duties which require their physical presence in the Data Center.
· Vendors, Contractors, outside Agency personnel and other visitors whose presence is regularly required to support the EDOC or CMCC Data Centers may be granted pre-approved access (see the OIT Access request form at http://inet.state.me.us/OIT/EForms/Net/AccessRequest/Default.aspx). Depending on the frequency of the access requirement, the individual may be issued a permanent badge. Individuals who are not pre-approved will be issued an OIT non-access visitor’s badge, and must be accompanied and escorted by pre-approved personnel.
Pre-Approval process (OIT Change Management RFC) – EDOC Security Staff Procedure
· RFC must include the beginning and ending dates and times of access as well as names of those requiring access.
· In order to enter or modify the dates and names, the user must select EDOC, CMCC, or BOTH for the Data Facility Access field, and then update the dependent fields appropriately.
· If the access begin and end times are the same or if the end time is before the begin time, access cannot be granted.
· EDOC security staff will routinely monitor RFCs that are assigned to edoc.security. They will:
1. Compare the names listed in the RFC against a list of individuals who have passed a MSP background check.
2. Submit a request to Building Control Center (BCC) through their E-Logger system to apply the appropriate access level to the named individuals and the Start and End date/time of the access.
3. Update the RFC indicating the E-Logger log number.
· BCC staff will update the access for the requested individuals prior to the start time, and revoke the access after the requested end date/time.
Pre-Approval process (Emergency Access Customer Support Ticket) - Enterprise Operations and Monitoring Emergency Access Procedure
· EOM staff may approve OIT staff for Data Center access under the following conditions:
1. When an SOP requires them to call in support staff to respond to an incident.
2. When contacted by an authorizing agent (see definition below) who will approve support staff for emergency off hours Data Center access to respond to an incident.
· EOM Staff will create a Customer Support ticket or update an existing Customer Support ticket documenting the incident.
1. New tickets should be filled out as normal documenting the incident.
2. EOM Access Authorization section of the ticket must be completed on new and existing tickets (see SOP for authorizing access).
· EOM staff will submit an E-Logger request to Building Control to add the appropriate access level(s) to the requestor(s)’ card(s) (see SOP for submitting E-Logger).
· EOM staff will submit an E-Logger request for removal of the added access level(s) from the requestor(s) upon notification of ticket closure, or after 24 hours, whichever comes first.
This procedure applies to access to OIT managed data centers, most notably the data centers at EDOC (Edison Drive Operations Center) and at CMCC (Central Maine Commerce Center). This procedure must be adhered to by any and all persons who may have occasion to enter these data centers for any reason.
· Data Center Visitors: Data Center Visitors are responsible for complying with this procedure.
· Supervisory Personnel: Managers and Supervisors are responsible for enforcing procedure compliance by Data Center Visitors under their supervisory control.
· OIT Management: OIT management is responsible for maintaining a list of employees and contractors who have passed the Maine State Police Background check and who also have work duties which require a physical presence in a Data Center.
· Enterprise Operations and Monitoring: EOM staff and management are responsible for implementing, monitoring, and enforcing this procedure related to emergency off-hours access requests.
· Security: EDOC Security Officers (contract security staff) are responsible for monitoring access requests under the RFC process as detailed in this procedure.
Definitions:
1. Authorizing Agent – An authorizing agent is an on-call responder, the on-call duty manager, or other OIT manager who can verify to EOM staff the work reason and dispatch of specific individuals to address incidents requiring those individuals to access OIT Data Centers.
2. Data Center – A room managed by EOM for the purpose of providing optimal environmental, power, and security conditions for the operation of State of Maine critical information processing hardware. Currently the facilities at CMCC (Central Maine Commerce Center) and EDOC (Edison Drive Operations Center) are the only two facilities considered Data Centers. Access control for both these facilities is handled as if they are one facility. Any reference to “OIT Data Center” or “OIT Data Centers” is inclusive of both these facilities.
3. Data Center Visitor – A data center visitor is any person who is not part of EOM or Security staff and therefore does not have permanent 24/7 access to the Data Centers.
4. Duty Roster – A list of support personnel and the Duty Manager who are responsible for addressing problems encountered with various OIT areas and systems when established Standard Operating Procedures (SOP) are insufficient to resolve the situation.
5. EOM – Enterprise Operations and Monitoring
References:
1. OIT Access request form: http://inet.state.me.us/OIT/EForms/Net/AccessRequest/Default.aspx
2. On-Call Duty Roster: http://csn.state.me.us/login.php (You must log in with your AD credentials to access this information.)
1. Document Reference Number: 29
2. Category: Security and Privacy
3. Adoption Date: April 2, 2012
4. Effective Date: April 2, 2012
5. Review Date: April 2, 2014
6. Point of Contact: Robert L. Witham, Jr., Information Systems Security Analyst, State House Station 145, Augusta, ME 04333-0145, (207) 624-9439
7. Approved By: Greg McNeal, Chief Technology Officer, State House Station 145, Augusta, ME 04333-0145, (207) 624-9471
8. Position Title(s) or Agency Responsible for Enforcement: Jon Richard, Director, Enterprise Operations and Monitoring, State House Station 145, Augusta, ME 04333-0145, (207) 624-9861
9. Legal Citation: 5 MRSA, Chapter 163, Section 1973, paragraphs B and D, read in part: [The Chief Information Officer shall] "Set policies and standards for the implementation and use of information and telecommunications technologies, including privacy and security standards…" and "Identify and implement information technology best business practices and project management"
10. Waiver Process: The CIO or his/her designee may authorize an exception on a case-by-case basis.
Apply for a waiver as follows:
· Document a compelling technical or business case that identifies the specific action and how it warrants exemption.
· Include any supporting documentation you may have.
When a decision has been reached in granting or denying the waiver, the CIO will respond to the submitter, the CTO, the TBC, and the following three designated people whose names are located on the policy/standard for which the waiver is being sought: Point of Contact, Approved By and Position Title(s) or Agency Responsible for Enforcement.