
DoIT Data Center Access Control Policy


This document details DoIT's data center access control policy.
Table of Contents
Preface
1.0 Scope
2.0 Purpose
3.0 Responsibility
4.0 Communication of Policy
5.0 Categories of Access
6.0 Permanent Access
7.0 Long-Term Access
8.0 Short-Term Access
9.0 Escort-Only Access
10.0 Tour Access
11.0 SEO Staff Offices Access (B332)
12.0 Badge Visibility
13.0 Use of Photo and Video Equipment
14.0 Conduct of Authorized Users
15.0 DC Access Control
Preface
In response to Legislative Audit Bureau findings, access controls needed for campus and system
ERP deployments, requests to potentially house payment-card industry (PCI) and Federal
Information Management Security Act (FISMA) regulated data, and independent security
assessments of DoIT's data centers conducted by CORE BTS, Inc. and UW Policy & Security,
DoIT's Systems Engineering & Operations staff have been engaged in a year-long effort to
assess, document, and remediate access control concerns for the Dayton Street and Walnut Street
data centers. Increased security protocols follow guidelines from NIST, ISO/IEC, PCI, and other
sources, and are modeled on best practices by other universities such as the University of
Washington and CIC partners.
Working with the UW Police Department (UWPD) and UW Facilities Planning & Management
(FP&M) staff, the following recommendations have been implemented:
1. Simplify management of control systems and establish business procedures across DoIT,
UWPD, and FP&M. A single authority should grant and audit access to the data centers.
2. Establish process for review and authorization of staff to access data center facilities.
Access levels should include permanent, long-term, short-term, escort-only, and a special
category for tours and special events.
3. Eliminate the mix of physical key and card-reader access through the use of card-reader-only
access. Two-factor authentication (card-reader and PIN) should be used at key
access points to critical facilities to provide protection in case an ID badge is lost.
4. Eliminate all hard key access except for a special master key held by UW Police &
Security staff. This includes removing key access for building managers.
5. Provide a two-stage access control barrier before an individual reaches the data center.
Utilize the SEO front office area as an access control point. Maintain entry/exit log books
at this location. Triage requests for access to appropriate parties (requests for badge
access, requests for escort access, requests for tours or special events).
6. Eliminate the use of the B347 conference room for activities other than those necessary
for SEO operations. Minimize extraneous traffic in the main access hallway to the data
center.
7. Increase auditable video surveillance. Provide video coverage for all essential facilities,
access points, and sensitive areas. Provide periodic audits that video access records match
card reader records to ensure that all staff swipe in and out of sensitive areas and that we
do not have unauthorized people "piggybacking" on an authorized individual's access.
8. Provide visible video monitoring for operations and other key staff. This provides a
safety service for those staff needing to leave the secured area for shift changes, restroom,
food/beverage, and other breaks.
9. Provide alarm and notification systems to mark unauthorized access or egress with
appropriate escalation by SEO staff and by UW Police. UW Police will conduct access
policy enforcement as SEO staff are not in a position to intervene in a problem situation.
Addressing these points has led to physical and policy modifications for the data centers.
Physical changes include: door/latch reinforcement, additional access control points, two-factor
PIN pad installation, additional cameras, security glass, door alarming, hardened keyways, a DC
Access Control check-in window, and other physical space modifications. These changes have
largely been completed. Video monitoring has been increased with visible displays in the
operator's area and at the main SEO reception desk. Specific duties related to data center security
have been written into the position description for the SEO program assistant located in B332.
1.0 Scope
1.0.1 Document the policy and procedures for requesting, reviewing, authorizing, assigning, and
maintaining access rights for those who need to perform services or visit Division of Information
Technology (DoIT)-managed data centers at the University of Wisconsin-Madison (UW-Madison).
2.0 Purpose
2.0.1 In support of UW-Madison DoIT data center access and physical security, these
policies and procedures provide a strong security strategy that protects DoIT employees, data,
and resources entrusted to DoIT by UW-Madison and its customers. These procedures are
intended to clarify access requirements for all DoIT-managed data centers.
3.0 Responsibility
3.0.1 UW-Madison DoIT Data Center Access Control is responsible for assigning access rights to
individuals for secured areas under its control based on management-approved requests and for
issuing all temporary security badges provided to DC Access Control by the UW-Madison Police
Department (UWPD). DC Access Control is the security liaison between UW-Madison, DoIT,
and anyone having equipment in DoIT data centers.
4.0 Communication of Policy
4.0.1 All sponsors of individuals with authorized access to DoIT data centers are responsible for
ensuring those individuals are aware of and comply with the policies and procedures identified in
this document.
4.0.2 All personnel who are authorized to access DoIT data centers must read, understand, and
comply with the policies and procedures identified in this document.
5.0 Categories of Access
There are five categories of access to DoIT data centers: Permanent Access, Long-Term Access,
Short-Term Access, Escort-Only Access, and Tour Access:

5.1 Permanent Access


o For UW-Madison employees with a business need to provide services in DoIT
data centers
o Requires a valid Wiscard
o Requires a UW-Madison supervisor as a sponsor
o No escort required
o Refer to section 6.0 for details regarding the acquisition of Permanent Access

5.2 Long-Term Access


o For contractors/vendors who have long-term support agreements to provide
services for equipment in DoIT data centers
o Requires a DoIT supervisor as a sponsor
o No escort required
o Refer to section 7.0 for details regarding the acquisition of Long-Term Access

5.3 Short-Term Access


o For those with limited-term engagements to provide a defined service over a
defined period of time
o For individuals who are familiar with data center policies
o Requires DC&SCS manager sponsorship
o No escort required
o Refer to section 8.0 for details regarding the acquisition of Short-Term Access

5.4 Escort-Only Access


o For co-location customers or contractors without long- or short-term access
o Requires a DC Access Control-approved escort at all times while in DoIT data
centers
o Appointments for access should be scheduled at least 24 hours in advance
o Badges are issued at the DC Access Control point (refer to section 15) at the time
of access
o Refer to section 9.0 for details regarding the acquisition of Escort-Only Access

5.5 Tour Access


o For individuals with no primary business need to access DoIT data centers other
than for education or demonstration purposes
o Tour appointments must be scheduled at least 24 hours in advance
o Badges are issued at the DC Access Control point (refer to section 15)
o Requires a DC Access Control-approved escort at all times while in DoIT data
centers

6.0 Permanent Access


6.0.1 Permanent access is generally approved for UW-Madison DoIT staff when job duties
require access to DoIT data centers.

6.1 Obtaining Permanent Access


o 6.1.1 In order to be granted permanent access to DoIT data centers, the applicant
must:

6.1.1.1 Complete the required permanent access request form (obtainable
from DC Access Control) and submit it to DC Access Control (refer to
section 15).

6.1.1.2 Obtain approval from the requestor's supervisor, the DC&SCS
manager, and the System Engineering & Operations (SEO) director.

6.1.1.3 Must have a valid Wiscard that is also in the Central Card Access
System (CCAS). Refer to http://www.wiscard.wisc.edu/service.html for
details.

6.1.1.4 The applicant must visit DC Access Control to select a PIN and
have approved access areas assigned.

6.2 Maintaining Permanent Access


o 6.2.1 Badges must not be altered or defaced in any way; badges must not be bent,
written on, have anything affixed to, or have holes punched in them. Refer to the
Proper Care section at http://www.wiscard.wisc.edu/service.html.
o 6.2.2 The individual's supervisor must immediately report any change in job
duties or employment status to DC Access Control that would change the need to
have data center access.

6.3 Replacing Permanent Access Badges


o 6.3.1 For damaged, lost, or stolen badges, get a replacement Wiscard. Refer to
http://www.wiscard.wisc.edu/service.html.
o 6.3.2 Notify DC Access Control when a replacement Wiscard is issued so access
rights can be transferred to your new Wiscard.
o 6.3.3 If required, a temporary badge will be issued by DC Access Control until the
replacement Wiscard is obtained. Refer to section 8.0.1.

6.4 Returning Permanent Access Badges


o 6.4.1 Refer to http://www.wiscard.wisc.edu/service.html, sections General
Information and Using your Photo ID.

7.0 Long-Term Access


7.0.1 Long-Term Access is generally granted to vendors who have annual support contracts to
perform routine and emergency support of hardware and software used in DoIT data centers.

7.1 Obtaining Long-Term Access


o 7.1.1 Requests for long-term access must be initiated by a DoIT sponsor using the
long-term access request form, available from DC Access Control (refer to section
15).
o 7.1.2 DC Access Control will process each request.
o 7.1.3 UWPD will issue approved badges:

7.1.3.1 To obtain long-term badges, individuals requesting access must
visit UWPD Access Control, located at 1429 Monroe St, using the side
entrance. Refer to http://www.uwpd.wisc.edu/infrastructure-securityaccess-control.htm.

7.1.3.2 Individual must present government-issued photo identification to
UWPD Access Control.

o 7.1.4 The applicant must visit DC Access Control with badge to have a PIN and
approved access areas assigned.

7.2 Maintaining Long-Term Access

o 7.2.1 Badges must not be altered or defaced in any way; badges must not be bent,
written on, have anything affixed to, or have holes punched in them.
o 7.2.2 The individual's DoIT sponsor must immediately report any change in job
duties or employment status to DC Access Control that would change the need to
have data center access.
o 7.2.3 The individual must retain sole possession of the badge for the duration of
their approved use. The individual is responsible for badge use. Badge use is not
transferable and cannot be shared.

7.3 Replacing Long-Term Access Badges


o 7.3.1 If a card is damaged, lost, or stolen, it must be reported to DC Access
Control. A replacement badge can be obtained from UWPD Access Control.
Refer to section 7.1.3.
o 7.3.2 If a replacement badge cannot be obtained within an appropriate amount of
time, a temporary badge can be issued by DC Access Control. Refer to section
8.0.1.

7.4 Returning Long-Term Access Badges


o 7.4.1 A badge assigned to an individual is non-transferable and may not be used
by anyone other than the assigned badge holder.
o 7.4.2 Return the badge to DC Access Control (refer to section 15).

8.0 Short-Term Access


8.0.1 Short-Term access is generally assigned to those who only require data center access for
short-term project work.
Short-term badges can sometimes be issued as temporary replacements to previously-approved
individuals who currently don't have their assigned badge or are in the process of replacing a
lost, stolen, or damaged badge.

8.1 Obtaining Short-Term Access


o 8.1.1 Requests for short-term badges must be initiated at the direction of the
DC&SCS manager using the short-term access request form available from DC
Access Control (refer to section 15).
o 8.1.2 DC Access Control will process each request.
o 8.1.3 DC Access Control will issue approved short-term badges.


o 8.1.4 The applicant must visit DC Access Control to obtain the badge and a PIN.
The applicant will have to present government-issued identification.

8.2 Maintaining Short-Term Access


o 8.2.1 Badges must not be altered or defaced in any way; badges must not be bent,
written on, have anything affixed to, or have holes punched in them.
o 8.2.2 The individual must retain sole possession of the badge for the duration of
their approved use. The individual is responsible for badge use. Badge use is not
transferable and cannot be shared.

8.3 Replacing Short-Term Access Badges


o If a card is damaged, lost, or stolen, it must be reported immediately to DC Access
Control. A replacement will be issued by going to DC Access Control. Refer to
section 8.0.1.

8.4 Returning Short-Term Access Badges


o 8.4.1 A badge assigned to an individual is non-transferable and may not be used
by anyone other than the individual the badge was assigned to.
o 8.4.2 Surrender the badge to DC Access Control (refer to section 15) upon
request.

9.0 Escort-Only Access


9.0.1 Escort-only access is generally for co-location customers, contractors, or vendors who have
not been approved for short- or long-term access. This is typically for situations where less than
one day of work needs to be performed. The work will be monitored at all times by a DC Access
Control-approved escort.

9.1 Obtaining Escort-Only Access


o 9.1.1 Requests for escorted access to DoIT data centers must be arranged by
communicating with the individual's DoIT contact, who will facilitate scheduling
with DC Access Control.
o 9.1.2 Requests should be scheduled with DC Access Control at least 24 hours in
advance.
o 9.1.3 Escorted groups will be limited to three individuals.
o 9.1.4 The escort will be a DoIT employee with Permanent Access.


o 9.1.5 Individuals with approved Escort-Only Access must sign in at DC Access
Control, obtain an Escort-Only badge, and meet their escort. Government-issued
photo identification will be required.

9.2 Returning Escort-Only Access Badges


o 9.2.1 When the work is finished, the individuals must return their badges and sign
out at DC Access Control.

10.0 Tour Access


10.0.1 Tours of a DoIT data center are granted under limited circumstances. Tours are for
educational purposes and are for viewing only.

10.1 Obtaining Tour Access


o 10.1.1 Requests for tours must be arranged with DC Access Control in person, by
phone, or via email (refer to section 15). Include the purpose of the tour, names of
those attending, and preferred dates and times.
o 10.1.2 Tours must be approved by the DC&SCS manager (or their designee).
o 10.1.3 Tours must be requested at least five business days in advance.
o 10.1.4 A Data Center Team tour guide will coordinate the tour.
o 10.1.5 Approved tour groups will meet their tour guide at DC Access Control,
sign in, and be issued their tour badge(s). Individuals in the tour group will be
required to present government-issued photo identification.
o 10.1.6 The tour will be escorted at all times when in DoIT data centers.

10.2 Returning Tour Badges


o 10.2.1 When the tour is finished, the individuals must return their badges and sign
out at DC Access Control.

11.0 SEO Staff Offices Access (B332)


11.0.1 Access will be maintained at the same level defined in section 6.0.
12.0 Badge Visibility

12.0.1 While in DoIT data centers or related secured areas, badges must be worn with the photos
on them visible at all times. Acceptable badge display areas are on the chest or either front hip.
13.0 Use of Photo and Video Equipment
13.0.1 Taking pictures or video is not allowed within DoIT data centers except by DoIT
employees with Permanent Access.
13.0.2 Exceptions to this policy will be evaluated on a case-by-case basis, and any granted
exceptions will require authorization by the DC&SCS manager (or their designee). In such an
instance, all pictures or video taken will be reviewed by and require the approval of the
DC&SCS manager (or their designee) prior to leaving the secured area.
14.0 Conduct of Authorized Users
14.0.1 No food or drink is allowed within DoIT data centers.
14.0.2 Visitors may not tamper or interact with equipment that is not theirs.
14.0.3 Individuals must comply with all Data Center Team instructions while in DoIT data
centers.
14.0.4 Badges are non-transferable and may not be used by anyone other than the person the
badge was originally assigned to.
14.0.5 Individuals must present their access credentials at each access control point to ensure a
valid access event is registered (i.e., no tailgating).
15.0 DC Access Control
DC Access Control assigns and maintains access to DoIT data centers. DC Access Control is
located in room B332 in the basement of the Computer Sciences and Statistics building at 1210
W Dayton St, Madison, WI 53706. They can be reached by phone at 608-890-3193 or via email
at dcaccesscontrol@doit.wisc.edu.
Forms
Permanent
Long-Term
Short-Term
