1.07 - Secure Data Center Access Policy
D-2012-12-18 QS LF RG MH QS


Standard Number: 1.07
Effective Date: xx/xx/2012
Policy applicable for: IS&T
Associated Standards/Regulations: The International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Office of Foreign Assets Control (OFAC); ISO 27002, NIST, COBIT
Responsible Office(s): BU Information Security

Policy Statement
In order that IS&T may provide centrally supported resources and services with as few limitations on the
use of those resources as possible, only U.S. citizens and lawful permanent residents may have
unescorted physical access and administrative access to IS&T systems that may be used to contain or
process information subject to export control laws.

Reason for Policy / Implication Statement
Export control laws regulate the transfer of controlled technology, software source code or object code,
technical data and technical assistance as well as controlled physical items (such as scientific equipment)
to foreign colleagues and organizations in the United States and abroad.
Boston University is committed to complying with all United States export control laws and regulations,
including those implemented by the Department of State through its International Traffic in Arms
Regulations (ITAR), the Department of Commerce through its Export Administration Regulations (EAR)
and the Treasury Department through its Office of Foreign Assets Control (OFAC). Violation of export
control laws and regulations can result in significant civil and criminal penalties for the University and for
the individual researchers involved.

Covered Parties
IS&T data centers, systems, and services that may be used to store or process controlled information.

Responsibilities
The VP of Information Services and Technology or designee is responsible for the enforcement of this
policy. Audit responsibility may be delegated to BU Information Security.

Procedures
I. Physical Access
Physical access (key or badge) to systems in the IS&T data center shall be granted only to U.S. citizens
and permanent residents who are approved by both the Director of IS&T Systems Operations and BU
Information Security. Any other person needing physical access to such systems must abide by the
visitor policy and procedures set forth below.
This physical control may be accomplished by any of the following:
1. Controlling access to the entire room by limiting badge access and issuing keys in accordance with the
   requirements of this section, or
2. Controlling access to the system itself by installing lockable doors on both the front and back of the
   rack in which such systems are housed and by having a keying system designed to allow access to
   each individual rack upon need, subject to these requirements.

No rack may be unlocked unless a person assigned the role of supporting the system in that rack is
physically present. That designated person must ensure that the rack is locked again, both front
and back, before leaving the area.

Each rack must have a unique key allowing access to that rack and that rack only. The same key
may open both front and back.

The Vice President for Information Technology (or his/her designee) will assign a Data Center
Access Manager to manage access to the data center, racks, and systems therein, including the
issuing of keys to authorized personnel upon need and tracking the timely return of issued keys.

For systems that span multiple racks, there may be a master key for all racks used by that system,
but only the Data Center Access Manager and a limited number of operations personnel
specifically assigned to maintain the system in question may be issued a copy of the master key.

More detailed key control policies and guidelines may be obtained from BU Information Security.
II. Administrative Access
Administrative (or root) access to any system or service run by IS&T that may be used to contain or
process controlled information will only be granted to U.S. citizens and permanent residents approved
by both the Service Owner and BU Information Security.
III. Data Center Access Manager
The Vice President for Information Technology or his/her designee will assign one person and a back-up
to act as the Data Center Access Manager for each data center. The Data Center Access Manager (or, as
the case may be, his/her back-up) will be responsible for:
- Ensuring that all requests for keys are approved by the Director of IS&T Systems Operations. This
  includes confirming that the requirements of this policy are met;
- Issuing keys to approved personnel and ensuring the timely return of such keys; and
- Maintaining a log recording all access to the data center by personnel that have not been issued a
  badge or key. The log is to include at a minimum the person's full name, company, date of visit,
  time of entry and time of exit.
IV. Visitors
A visitor is any person that has not been granted badge or key access to the data center and may include
IS&T personnel that do not support data center operations, other staff, faculty, or students, outside
vendors, consultants, or auditors.
Visitor Access Log
All visitors to an IS&T Data Center must sign both in and out on the visitors log provided by the Data
Center Access Manager.
Escort


Visitors to an IS&T Data Center or a Controlled Rack (depending on the security perimeter in force,
see I. Physical Access) must be escorted by a person who has been approved for access to such
center or rack.
Visitors shall not have access to any data unless they are U.S. citizens or lawful permanent
residents and provide proof of U.S. citizenship or a copy of a green card.
V. Exception Requests & Approvals
All exceptions for access must be approved by the University Export Control Director in writing prior to
access.


References
The Boston University Office of Research Compliance, Export Control Office
www.bu.edu/orc/export
Federal Export Control Law
International Traffic in Arms Regulations (ITAR)
Export Administration Regulations (EAR)
Office of Foreign Assets Control (OFAC)
The Boston University Information Security Policy and Data Protection Standards:
BU Information Security Policy
Data Classification Guide (1.2.A)
Data Management Guide (1.2.B)
Access Management and Authentication Requirements (1.2.C)
Data Protection Requirements (1.2.D) & Media Destruction One-Sheets (1.2.D.1)
Minimum Security Standards (1.2.E)
Education, Compliance and Remediation (1.2.F)

Key Contacts
Export Control Director, Office of Sponsored Programs: Marie Hladikova, (617) 353-6753
Executive Director & Information Security Officer: Quinn Shamblin, (617) 358-6310
VP of Information Services and Technology: Tracy Schroeder, (617) 353-1155

History
Date        | Action            | By                                                       | Supersedes
xx/xx/2012  | Original Proposed | Quinn Shamblin, BU Information Security                  | --Original--
xx/xx/2012  | Original Approved | Tracy Schroeder, VP Information Services and Technology  | --Original--
