Data Center Access Policy (947.0)

This policy defines who may enter the University of Arkansas Data Centers, based on specific criteria for escorted and unescorted access.

University of Arkansas, Fayetteville Policy and Procedures.

1. Overview

This policy defines who may enter the University of Arkansas Data Centers based on specific criteria for escorted and unescorted access.

2. Purpose

The purpose of this policy is to ensure the physical security, safety, and integrity of the University of Arkansas’ Data Centers by regulating who may enter and the circumstances under which access is allowed. This policy outlines the access requirements and responsibilities for all individuals working in, visiting, or requesting entry to the Data Center.

3. Scope

This policy applies to all staff, faculty, contractors, and visitors to ensure that consistent procedures are followed to protect university systems and data housed within the Data Center.

4. Definitions
    
   1. Access Log – A digital record documenting all individuals who enter and exit the Data Center by badge access, including time stamps, maintained for security and auditing purposes. Not to be confused with the visitor’s log (which is the sign in /sign out sheet), this includes the card swipe information. The access log is digital and card- based.
   2. Access Request – A formal process through which university employees/ affiliates ask for permission to enter the Data Center. Requests are reviewed and approved based on the requestor’s job duties and need to be in the facility using a ticketing system.
   3. Approved Access List – A list of individuals who have been officially granted permission to enter the Data Center. To be added to this list, a person must submit a request through the ticketing system. Each request is reviewed to ensure the person has a valid business need. Once approved, the individual’s name is added to the list, and they may be granted either escorted or unescorted access, depending on their role and access level. Those on the Approved Access List are allowed in the Data Center.
   4. Authorized Access – Permission granted to specific individuals who have a business need to be in the Data Center. These individuals must follow all access rules and security procedures.
   5. Data Center – The University’s secure facility on campus that stores and runs the University’s critical computer systems, servers, and data. Only authorized people are allowed inside the Data Center to protect the equipment and information.
   6. Data Center Tour – Pre-arranged visits to the Data Center, typically for educational or informational purposes. All tour participants must provide a valid ID (can be university ID), sign in and sign out, and must be always accompanied by an authorized staff member while inside. Tours are limited to ten participants or fewer.
   7. Escorted Access – Access for individuals who are not regularly approved to be in the Data Center. These individuals must be always accompanied by an authorized staff member while inside.
   8. First Responders – Campus police (UAPD), fire, and emergency personnel who may enter the Data Center without an escort during emergencies, such as a fire alarm or medical emergency. When the first responders are called in, an incident form must be filled out.
   9. Host – An authorized person allowed to enter the Data Center, who is allowed to act as an escort for one visitor. Hosts are issued badges. Hosts have received authorized access for a recurring business need. FAMA and UAPD are considered Hosts. The difference between Authorized Individuals and Hosts, is that Hosts have approved business needs in the Data Center and can enter at any time, and Authorized visitors submit a request to enter the data center for a specific need to enter the Data Center and can only enter the Data Center during business hours.  
   10. Maintenance and Custodial Staff – University employees who clean or perform upkeep in the Data Center.
       1. Custodial Staff – have a scheduled routine to come in and perform their duties, the employees must be on the approved list and will be escorted while in the Data Center. They must also sign in and sign out daily.
       2. Maintenance Staff/ Vendors – These personnel work either internally full time or with a company full time and service our heating and cooling units, fire systems, or other maintenance services. Individuals need to have a prior work order assigned, and the Data Center has to have a copy of the work order 24 hours in advance. The individual performing the services must:
          • provide a badge or ID.
          • sign in and out of the visitor’s log.
          • have confirmation from the assigned company or department.
          • be escorted to the system requiring maintenance.
          • be monitored at all times during maintenance.
   11. Unescorted Access – Access granted to individuals who have received official approval to enter the Data Center on their own, without the need for an escort. These individuals typically have a regular business need to be in the facility and must use authorized credentials, such as a key card to enter. They must sign in and out on the visitor’s log and comply with all Data Center rules.
   12. Visitor – Any person who is not authorized for unescorted access to the Data Center. This includes faculty, staff, students, contractors, or guests who may occasionally enter the facility for a specific reason and must be always escorted by authorized personnel.
   13. Visitor’s Log – This is the physical sheet that is used to sign in and sign out. This record is used to document all visitors entering and exiting the Data Center. This log includes information such as the visitor’s name, time of entry and time of exit, purpose of visit, and the name of the escorting staff member, and it is maintained for safety and security tracking. The visitor’s log is physical and handwritten and located at the entrance of the Data Center.
        
5. Policy
    
   1. Primary Guidance

The University of Arkansas Data Center is a secured, restricted-access facility that requires a higher level of control than standard non-public campus areas. All individuals accessing the Data Center must adhere to the University of Arkansas policies, including information security policies (900 series,) facilities management, and safety regulations. Access is granted in accordance with business needs and must support the operational integrity of the Data Center. Exceptions to these access requirements are permitted only in emergency situations, such as medical services, fire services, or law enforcement officials requiring immediate entry.

All individuals or groups that access the Data Center must provide identification such as a university ID and sign in and sign out on the visitor’s log.

2. Access
    
   1. Requesting Access

Individuals must submit a request through the official IT ticketing system to request access to the Data Center and get on the approved access list. Each request must include justification, supervisor approval, and the type of access requested (Authorized, Escorted, or Visitor). Determination will be based on Data Center Management.

2. Authorized Access

Unescorted access is limited to personnel with an ongoing business need, such as UITS staff or designated departmental IT representatives. Authorized individuals will be granted badge or card access and must comply with all Data Center procedures. They are still required to sign in and sign out on the visitors’ log, but do not need to be escorted while in the data center. These individuals can come in after hours if needed.

These authorized individuals are assigned their badge and are considered a Host if they bring a visitor with them to the Data Center. If a Host exits the Data Center for any reason (including bathroom breaks), the visitor must also exit the Data Center.

3. Escorted Access

The access granted to individuals to enter the Data Center through the ticketing system but must be supervised during the time in the Data Center by a Data Center Operations staff member. These individuals must sign in and sign out, but do not have badge access. These individuals are not allowed after hours.

4. Visitors are individuals who do not have regular or authorized access to the Data Center but have a valid business need. (e.g., auditors, researchers, and facilities personnel). Visitors must schedule an appointment 24 hours in advance, are allowed access only during business hours, must present valid Identification, and must sign in and out.
    
5. Tours – Occasionally, tours of the Data Center are provided to students, researchers, or auditors. A ticket request must be submitted by an authorized person and approved by Data Center Operations staff at least two weeks prior to the tour. These tours can have a maximum of ten participants, have both the authorized access individual hosting the tour, and be escorted by an operational staff member on the tour. The participants in the tours must provide valid identification and sign in and out of the visitor’s log.
    
6. Badge and Access List Expiration – Badge Access is reviewed periodically and at least annually. For those with a badge, they must submit a new request to renew the badge access. Access is reviewed monthly and may be revoked without notice.
    
7. Visitor Badge Protocol – All visitors must wear a temporary name badge while in the Data Center. These badges expire at the end of the day.
    
8. Escalation pathway

The Data Center Staff has the final say as to who may enter the Data Center. Individuals that feel they should be able to access the Data Center must submit a new ticket with justification.

3. Data Center Doors

Data Center doors must remain closed and always locked to maintain security and environmental control. Propping doors open is strictly prohibited, and any malfunction should be reported immediately. The only access to the Data Center is through the front door. The other doors are to be locked and alarmed at all times.

4. Operations
   1. Temperature

Environmental conditions in the Data Center, including temperature and humidity, are monitored continuously. Only authorized personnel may adjust cooling systems, and thresholds are set to maintain equipment reliability.

2. Power

The Data Center operates on redundant power systems, including UPS and backup generators. Staff must follow procedures when connecting or disconnecting equipment to avoid overloading circuits.

3. Safety

Emergency procedures, including fire suppression and evacuation protocols, must always be followed. Safety equipment such as alarms, extinguishers, and emergency lighting must remain unobstructed.

5. Conduct
    
   1. All personnel and visitors must act professionally and avoid behavior that could damage equipment, disrupt services, or pose a safety risk. Food, drink, and unauthorized devices are not permitted in the Data Center.
   2. Only equipment necessary for servicing the Data Center is allowed inside. All personal items, such as phones, backpacks, or purses must be stored in the Data Center Management Office during the visit.
   3. Photos or video recordings are not allowed in the Data Center unless approved by the Data Center Manager.
   4. While in the Data Center, all activity is monitored and recorded.
   5. Authorized personnel must scan their own badge to gain entry and are not permitted to allow others to follow them (tailgating). Lost or stolen badges must be reported immediately to Data Center Management.
       
6. Equipment Deliveries and Pick-Ups
    
   1. All equipment entering or leaving the Data Center must be logged and approved by Data Center staff.
   2. Deliveries should be scheduled in advance, and items must be unpacked and staged by the recipient in designated areas prior to entering the Data Center itself.
   3. For after-hours deliveries, the Data Center staff can accept the item, but will store it in a secured area outside of the Data Center. The correct party should retrieve the delivery from the Data Center staff as soon as possible on the next business day.
       
7. Periodic Review and Termination of Access

Access permissions will be reviewed on the ticketing system at least annually and periodically to ensure they remain current. Data Center management will revoke access when no longer needed, or when an individual changes roles, leaves the university, or fails to comply with policy. All unreturned, expired, or inactive badges will be deactivated to maintain security.

8. Incident reporting

All security incidents, policy violations, or safety concerns must be reported immediately to the Data Center management. Incidents involving the compromise or suspected compromise of University Data must be reported directly to the Security team, at report.uark.edu. Reports will be reviewed, documented, and addressed according to university policies and procedures. In case of an emergency or immediate security concern, contact the UAPD.

6. Reporting and Addressing Suspected Violations
   
   Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.
    
7. Enforcement
   
   Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices.
    
8. Exemptions

Exemptions from this policy must be approved. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the CISO. Please see the Exemption policy.

9. References

This policy defines the University’s approach to compliance with NIST 800-53 R5 and mapping to the NIST CSF 2.0.

10. Policy Version History
    1. Office of the CISO- May 2025. V1.