Minimum Physical Security Standards for Critical IT Spaces
What is a Critical IT Space?
Critical IT Spaces are areas that contain Critical IT Infrastructure. Critical IT Spaces include:
- Data Centers (e.g. Amazon Web Services, Microsoft Azure, Google Cloud Platform)
- Network/Telecom main distribution rooms
- Telecom remote closets
What is Critical IT Infrastructure?
Critical IT Infrastructure is an IT System that meets any of the following criteria:
- An IT system that unrelated IT systems have a dependency on, and/or;
- An IT system that is complex or specialized in nature. This complexity requires special protections beyond Yale’s Minimum Security Standards.
All Critical IT Infrastructure is designated by Yale’s Chief Information Security Officer. Email us with any questions, including:
- The designation of an IT System as Critical IT Infrastructure.
- The designation of an area as a Critical IT Space.
Minimum Physical Security Standards for Critical IT Spaces
These physical security standards categorize Critical IT Spaces based on their criticality.
- Level 1 Critical IT Spaces include Data Centers and Network/Telecom main distribution rooms.
- Level 2 Critical IT Spaces include Telecom remote closets.
Like Yale's Minimum Security Standards, requirements are listed as:
- Required - This means the standard is currently required for the Critical IT Space.
- Upcoming - This means the standard will be required for the Critical IT Space in the future.
- Not Required - This means the standard is not required for the Critical IT Space.
Minimum Physical Security Standard 1: Safety
| Safety Standard | Additional Requirements | Level 2 Critical IT Spaces | Level 1 Critical IT Spaces |
|---|---|---|---|
| 1.1 Critical IT Space aisles are clear of all materials. | No additional requirements | Required | Required |
| 1.2 No items on top of equipment or cabinets. | No additional requirements | Required | Required |
| 1.3 All fire extinguishers are current on inspections. | No additional requirements | Required | Required |
| 1.4 No raised floor openings in the raised floor areas. | 1.4.1 If raised floor openings are necessary, they are identified with safety cones. | Not Required | Required |
| 1.5 No damaged or missing raised floor or ceiling tiles. | 1.5.1 Damaged tiles are required to be replaced as soon as damage occurs. | Not Required | Required |
| 1.6 Lighting is adequate to ensure activities can be performed safely. | No additional requirements | Required | Required |
| 1.7 All physical safety and emergency procedures are visibly posted. | 1.7.1 Emergency procedures include, but are not limited to, shutting down utilities, shutting down power, and activating/deactivating fire suppression equipment. | Required | Required |
Minimum Physical Security Standard 2: Security
| Security Standard | Additional Requirements | Level 2 Critical IT Spaces | Level 1 Critical IT Spaces |
|---|---|---|---|
| 2.1 A door alarm is implemented to notify Yale Security when the door is left open. |
2.1.1 The alarm is configured to trigger when the door is left open for a maximum of 4 minutes (240 seconds). 2.1.2 The alarm may not be disabled without documented, authorized permission. 2.1.3 Yale security is responsible for contacting ITS Foundational Technology Services (FTS) to determine if further action is required. |
Not Required | Required |
| 2.2 Access to the Critical IT Space is locked using two-factor key card authentication or proxy authentication. | 2.2.1 The master key method is only allowed for legacy spaces. All new Moderately Critical IT Spaces must use a two-factor card or proxy authentication. If using the master key method for access, you must go through an official approval process to check out the key. You may not loan the key out to someone else or make copies of the key. The key must be returned as soon as the job that required access to the Critical IT Space has been completed. | Required | Required |
| 2.3 Guest access must be approved and logged. |
2.3.1 All guest access (i.e… vendors) are to log arrival time, departure time, and reason for site visit. 2.3.2 A Service-Now request is submitted to grant any and all visitor access to the Critical IT Space. |
Not Required | Required |
| 2.4 Authorized personnel list is documented, reviewed, and updated on a quarterly basis. | 2.4.1 Remove access to the Critical IT Space from those who no longer need it. | Not Required | Required |
| 2.5 Access history and login book logs are reviewed on a quarterly basis. | No additional requirements | Not Required | Required |
| 2.6 Cameras must monitor the entryways and interior of the Critical IT Spaces 24x7x365. |
2.6.1 Cameras monitoring the Critical IT Space must have a full coverage view of the infrastructure. Full coverage means there is no reasonable way an individual can move through the equipment without being seen by the monitoring system. 2.6.2 The cameras must be monitored on a 24x7x365 basis by ITS Data Center Operations. 2.6.3 The cameras must record whenever they sense motion in the Critical IT Space. These recordings must be kept for a minimum of 45 days. |
Not Required | Required |
| 2.7 No photography or video of the space without pre-approval from ITS Foundational Technology Services (FTS) management. | 2.7.1 If there is a need to take photos or videos of the Critical IT Space, there must be documented pre-approval. The pre-approval must come from ITS FTS management. Approval will only be granted for valid business justifications. Additional, documented approval is required to publish these photos or videos. This approval must also come from ITS FTS management. | Required | Required |
| 2.8 An annual reminder of security roles and responsibilities is provided to individuals granted access to the Critical IT Space. | No additional requirements | Required | Required |
| 2.9 Racks are cable locked. | 2.9.1 If cable locking racks is not feasible, a camera is set up to monitor each aisle 24x7x365. No exception request is required to implement a camera in place of cable locking the racks. | Not Required | Required |
Minimum Physical Security Standard 3: Housekeeping
| Housekeeping Standard | Additional Requirements | Level 2 Critical IT Spaces | Level 1 Critical IT Spaces |
|---|---|---|---|
| 3.1 No combustible materials are to be stored in the Critical IT Space. | No additional requirements | Required | Required |
| 3.2 Equipment racks cannot be used for storage. | No additional requirements | Required | Required |
| 3.3 Notes and/or miscellaneous papers cannot be taped to walls or racks. | No additional requirements | Required | Required |
| 3.4 Parts and other items that need to be in the Critical IT Space must be stored in an enclosed cabinet. | No additional requirements | Required | Required |
Minimum Physical Security Standard 4: Labeling
| Labeling Standard | Additional Requirements | Level 2 Critical IT Spaces | Level 1 Critical IT Spaces |
|---|---|---|---|
| 4.1 All entrances to the Critical IT Space must have a sign that states this a “secured surveillance space.” | 4.1.1 The sign must be visible at all times. | Not Required | Required |
| 4.2 A sign must be posted stating no photography or video permitted without consent. | 4.2.1 The sign must be visible at all times. | Required | Required |
| 4.3 A sign must be posted stating that no food or drink is permitted in the Critical IT Space. | 4.3.1 The sign must be visible at all times. | Required | Required |
| 4.4 Racks and equipment are clearly labeled. | No additional requirements | Required | Required |
| 4.5 All power sources are clearly labeled. | 4.5.1 Power sources include, but are not limited to, UPS, PDUs, RPPs, and Circuit Breakers. | Required | Required |
| 4.6 All equipment cabling data or power are clearly labeled. | No additional requirements | Required | Required |
| 4.7 All switches and buttons serving the Critical IT Space are clearly labeled. | No additional requirements | Required | Required |
Minimum Physical Security Standard 5: Documentation
| Documentation Standard | Additional Requirements | Level 2 Critical IT Spaces | Level 1 Critical IT Spaces |
|---|---|---|---|
| 5.1 All documentation pertaining to the Critical IT Space are accessible online. | No additional requirements | Required | Required |
| 5.2 Inventory of the infrastructure equipment in the Critical IT Space must be clearly labeled and readily available. | No additional requirements | Required | Required |
Minimum Physical Security Standard 6: Cabling
| Cabling Standard | Additional Requirements | Level 2 Critical IT Spaces | Level 1 Critical IT Spaces |
|---|---|---|---|
| 6.1 All cabling is routed neatly in overhead ladder trays, where available, or neatly otherwise. | No additional requirements | Required | Required |
| 6.2 All cabling in cabinets/racks is neatly routed along the side of the cabinet/rack. | 6.2.1 Cables are secured using Velcro strips. The use of tie wraps is not permitted. | Required | Required |
| 6.3 All abandoned and/or unused cabling is removed when a piece of equipment is removed or decommissioned. | No additional requirements | Required | Required |
Minimum Physical Security Standard 7: Data Storage
| Data Storage Standard | Additional Requirements | Level 2 Critical IT Spaces | Level 1 Critical IT Spaces |
|---|---|---|---|
| 7.1 All removable media containing live data is stored off-site. | No additional requirements | Required | Required |
| 7.2 All removable media containing live data is to be stored in a locked, fireproof container until it is moved off-site. | No additional requirements | Required | Required |
Minimum Physical Security Standard 8: General Visual Checks
| General Visual Checks Standard | Additional Requirements | Level 2 Critical IT Spaces | Level 1 Critical IT Spaces |
|---|---|---|---|
| 8.1 An assurance check is performed on a quarterly basis to ensure all Minimum Physical Security Standards for Highly Critical IT Spaces are in place. | No additional requirements | Not Required | Required |
| 8.2 New equipment to be installed in the Critical IT Space should not be uncrated before brought into the space. | No additional requirements | Not Required | Required |
| 8.3 All blinking and/or amber lights that are noticed should be recorded and a ticket submitted to the correct responsible group. | No additional requirements | Required | Required |
| 8.4 All visual and/or audible alarms that are noticed should be recorded and a ticket submitted to the correct responsible group. | No additional requirements | Required | Required |
| 8.5 Any water presence in a Critical IT Space that is noticed should be recorded and a ticket submitted to the correct responsible group. | No additional requirements | Required | Required |
| 8.6 Cleaning schedule is maintained. | 8.6.1 The Critical IT Space is required cleaned at least once per year. | Required | Required |
| 8.7 Food and drink are not permitted in the Critical IT Space. | 8.7.1 A sign stating that food and drink are not permitted is visible at all times. | Required | Required |