Computer Operations Center Security (SS-08-016)
Issue Date: 3/31/2008
Revision Effective Date: 3/31/2008
Review Date: 7/1/2018
PURPOSE
To ensure that agencies take appropriate measures to safeguard computer operation centers and critical production systems from unauthorized access, damage or environmental threats.
STANDARD
Production computer and communications equipment shall be located within a physically secure area and protected from environmental threats.
State computer processing centers shall prevent external visual and audio observation and the walls shall be extended from true floor to true ceiling. (This height will prevent unauthorized entry and minimize environmental contamination such as that caused by fires and floods.)
The physical address or location within a facility of agency computer centers shall be confidential. No signs shall indicate the location.
Physical entry into computer centers shall have mechanisms or procedures that expressly restrict and monitor access to only authorized persons. All visitor access shall be with an escort.
Access into data centers shall be logged, and the logs shall be maintained and shall contain names and entry/exit times.
Access lists/logs into computer centers shall be reviewed and updated regularly.
Computer centers shall be equipped with alarm systems that monitor, log, and automatically alert staff to anomalies relating to fire/smoke, water, chemical and electrical effects and physical intrusion.
Continuity of power (e.g. UPS, backup generators) shall be provided to maintain the availability of critical production systems.
All facilities shall have a documented emergency plan for evacuation and protection of assets. Employees shall be aware of their roles and responsibilities outlined in the plan.
REFERENCES
NIST SP800-12 Information Security Handbook (Ch 15)