Skip to main content

Action required - Security vulnerability for Apple devices

This information only applies to Apple devices.

Immediate action required: Please run all available updates on all Apple devices as soon as possible. All Yale ITS-managed computers running the Apple macOS operating system will be updated automatically. 

Read More

Minimum Physical Security Standards for Critical IT Spaces

What is a Critical IT Space? 

Critical IT Spaces are areas that contain Critical IT Infrastructure. Critical IT Spaces include:

  • Data Centers (e.g. Amazon Web Services, Microsoft Azure, Google Cloud Platform)
  • Network/Telecom main distribution rooms
  • Telecom remote closets
data center

What is Critical IT Infrastructure?

Critical IT Infrastructure is an IT System that meets any of the following criteria: 

  • An IT system that unrelated IT systems have a dependency on, and/or;
  • An IT system that is complex or specialized in nature. This complexity requires special protections beyond Yale’s Minimum Security Standards. 

All Critical IT Infrastructure is designated by Yale’s Chief Information Security Officer. Email us with any questions, including:

  • The designation of an IT System as Critical IT Infrastructure.
  • The designation of an area as a Critical IT Space.

Minimum Physical Security Standards for Critical IT Spaces 

These physical security standards categorize Critical IT Spaces based on their criticality.

  • Level 1 Critical IT Spaces include Data Centers and Network/Telecom main distribution rooms.
  • Level 2 Critical IT Spaces include Telecom remote closets. 

Like Yale's Minimum Security Standards, requirements are listed as:

  • Required - This means the standard is currently required for the Critical IT Space.
  • Upcoming - This means the standard will be required for the Critical IT Space in the future.
  • Not Required - This means the standard is not required for the Critical IT Space.

Minimum Physical Security Standard 1: Safety

Safety Standard Additional Requirements Level 2 Critical IT Spaces Level 1 Critical IT Spaces
1.1 Critical IT Space aisles are clear of all materials. No additional requirements Required Required
1.2 No items on top of equipment or cabinets. No additional requirements Required Required
1.3 All fire extinguishers are current on inspections. No additional requirements Required Required
1.4 No raised floor openings in the raised floor areas. 1.4.1 If raised floor openings are necessary, they are identified with safety cones. Not Required Required
1.5 No damaged or missing raised floor or ceiling tiles. 1.5.1 Damaged tiles are required to be replaced as soon as damage occurs. Not Required Required
1.6 Lighting is adequate to ensure activities can be performed safely. No additional requirements Required Required
1.7 All physical safety and emergency procedures are visibly posted. 1.7.1 Emergency procedures include, but are not limited to, shutting down utilities, shutting down power, and activating/deactivating fire suppression equipment. Required Required

Minimum Physical Security Standard 2: Security

Security Standard Additional Requirements Level 2 Critical IT Spaces Level 1 Critical IT Spaces
2.1 A door alarm is implemented to notify Yale Security when the door is left open.

2.1.1 The alarm is configured to trigger when the door is left open for a maximum of 4 minutes (240 seconds). 

2.1.2 The alarm may not be disabled without documented, authorized permission.

2.1.3 Yale security is responsible for contacting ITS Foundational Technology Services (FTS) to determine if further action is required.

Not Required Required
2.2 Access to the Critical IT Space is locked using two-factor key card authentication or proxy authentication. 2.2.1 The master key method is only allowed for legacy spaces. All new Moderately Critical IT Spaces must use a two-factor card or proxy authentication. If using the master key method for access, you must go through an official approval process to check out the key. You may not loan the key out to someone else or make copies of the key. The key must be returned as soon as the job that required access to the Critical IT Space has been completed. Required Required
2.3 Guest access must be approved and logged.

2.3.1 All guest access (i.e… vendors) are to log arrival time, departure time, and reason for site visit.

2.3.2 A Service-Now request is submitted to grant any and all visitor access to the Critical IT Space.

Not Required Required
2.4 Authorized personnel list is documented, reviewed, and updated on a quarterly basis. 2.4.1 Remove access to the Critical IT Space from those who no longer need it. Not Required Required
2.5 Access history and login book logs are reviewed on a quarterly basis. No additional requirements Not Required Required
2.6 Cameras must monitor the entryways and interior of the Critical IT Spaces 24x7x365.

2.6.1 Cameras monitoring the Critical IT Space must have a full coverage view of the infrastructure. Full coverage means there is no reasonable way an individual can move through the equipment without being seen by the monitoring system.

2.6.2 The cameras must be monitored on a 24x7x365 basis by ITS Data Center Operations. 

2.6.3 The cameras must record whenever they sense motion in the Critical IT Space. These recordings must be kept for a minimum of 45 days.

Not Required Required
2.7 No photography or video of the space without pre-approval from ITS Foundational Technology Services (FTS) management. 2.7.1 If there is a need to take photos or videos of the Critical IT Space, there must be documented pre-approval. The pre-approval must come from ITS FTS management. Approval will only be granted for valid business justifications. Additional, documented approval is required to publish these photos or videos. This approval must also come from ITS FTS management. Required Required
2.8 An annual reminder of security roles and responsibilities is provided to individuals granted access to the Critical IT Space. No additional requirements Required Required
2.9 Racks are cable locked. 2.9.1 If cable locking racks is not feasible, a camera is set up to monitor each aisle 24x7x365. No exception request is required to implement a camera in place of cable locking the racks. Not Required Required

Minimum Physical Security Standard 3: Housekeeping

Housekeeping Standard Additional Requirements Level 2 Critical IT Spaces Level 1 Critical IT Spaces
3.1 No combustible materials are to be stored in the Critical IT Space. No additional requirements Required Required
3.2 Equipment racks cannot be used for storage. No additional requirements Required Required
3.3 Notes and/or miscellaneous papers cannot be taped to walls or racks. No additional requirements Required Required
3.4 Parts and other items that need to be in the Critical IT Space must be stored in an enclosed cabinet. No additional requirements Required Required

Minimum Physical Security Standard 4: Labeling

Labeling Standard Additional Requirements Level 2 Critical IT Spaces Level 1 Critical IT Spaces
4.1 All entrances to the Critical IT Space must have a sign that states this a “secured surveillance space.” 4.1.1 The sign must be visible at all times. Not Required Required
4.2 A sign must be posted stating no photography or video permitted without consent. 4.2.1 The sign must be visible at all times. Required Required
4.3 A sign must be posted stating that no food or drink is permitted in the Critical IT Space. 4.3.1 The sign must be visible at all times. Required Required
4.4 Racks and equipment are clearly labeled. No additional requirements Required Required
4.5 All power sources are clearly labeled. 4.5.1 Power sources include, but are not limited to, UPS, PDUs, RPPs, and Circuit Breakers. Required Required
4.6 All equipment cabling data or power are clearly labeled. No additional requirements Required Required
4.7 All switches and buttons serving the Critical IT Space are clearly labeled. No additional requirements Required Required

Minimum Physical Security Standard 5: Documentation

Documentation Standard Additional Requirements Level 2 Critical IT Spaces Level 1 Critical IT Spaces
5.1 All documentation pertaining to the Critical IT Space are accessible online. No additional requirements Required Required
5.2 Inventory of the infrastructure equipment in the Critical IT Space must be clearly labeled and readily available. No additional requirements Required Required

Minimum Physical Security Standard 6: Cabling

Cabling Standard Additional Requirements Level 2 Critical IT Spaces Level 1 Critical IT Spaces
6.1 All cabling is routed neatly in overhead ladder trays, where available, or neatly otherwise. No additional requirements Required Required
6.2 All cabling in cabinets/racks is neatly routed along the side of the cabinet/rack. 6.2.1 Cables are secured using Velcro strips. The use of tie wraps is not permitted. Required Required
6.3 All abandoned and/or unused cabling is removed when a piece of equipment is removed or decommissioned. No additional requirements Required Required

Minimum Physical Security Standard 7: Data Storage

Data Storage Standard Additional Requirements Level 2 Critical IT Spaces Level 1 Critical IT Spaces
7.1 All removable media containing live data is stored off-site. No additional requirements Required Required
7.2 All removable media containing live data is to be stored in a locked, fireproof container until it is moved off-site. No additional requirements Required Required

Minimum Physical Security Standard 8: General Visual Checks

General Visual Checks Standard  Additional Requirements Level 2 Critical IT Spaces Level 1 Critical IT Spaces
8.1 An assurance check is performed on a quarterly basis to ensure all Minimum Physical Security Standards for Highly Critical IT Spaces are in place. No additional requirements Not Required Required
8.2 New equipment to be installed in the Critical IT Space should not be uncrated before brought into the space. No additional requirements Not Required Required
8.3 All blinking and/or amber lights that are noticed should be recorded and a ticket submitted to the correct responsible group. No additional requirements Required Required
8.4 All visual and/or audible alarms that are noticed should be recorded and a ticket submitted to the correct responsible group. No additional requirements Required Required
8.5 Any water presence in a Critical IT Space that is noticed should be recorded and a ticket submitted to the correct responsible group. No additional requirements Required Required
8.6 Cleaning schedule is maintained. 8.6.1 The Critical IT Space is required cleaned at least once per year. Required Required
8.7 Food and drink are not permitted in the Critical IT Space. 8.7.1 A sign stating that food and drink are not permitted is visible at all times. Required Required

Need Help?

Email us with questions or concerns about these standards.