Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology

 

 

Data Centers Access Control Procedures

 

I. Statement

It is the responsibility of the Enterprise Operations and Monitoring (EOM) section of Core Technologies Services (CTS) to provide a secure, stable physical environment for servers and mainframes for both OIT and outside agencies.

 

II. Purpose

The purpose of this document is to clarify and delineate the process by which employees, contractors, vendors, and other individuals are authorized for access, and the conditions for controlling that authorized access. EOM must be able to guarantee that the physical environment is maintained and operated in a professional manner equivalent to what one would expect of a commercial facility.

 

III. Guidelines & Procedures

General procedures regardless of access level:

·         All persons, regardless of their method of entry, must make a log entry in the log book inside the OIT Data Centers (e.g. Edison Drive Operations Center [EDOC] and Central Maine Commerce Center [CMCC]) listing:

          ·         their name, and

          ·         a description of the reason for their entry, a Request for Change (RFC) number or a Footprints ticket number, and

          ·         the date and time of their entry, and

          ·         the date and time of their departure.

·         It is expected that handwriting will be legible and narratives will be sufficiently descriptive to indicate the nature of the problem being worked on.  Log entries such as “Server”, “GIS”, “Network”, or “Service” are not acceptable and will be reported to management as a violation.

·         ALL personnel are required to swipe their access card upon entry, including when in a group, and even if their card is not authorized for access.  The action will be automatically recorded in the access control system log files and can be compared to the sign-in book if necessary.

·         Upon entering the EDOC Data Center, all persons must check in with Operations staff on duty (when Operations staff is readily available) with a notification of their presence, the nature of their business and their whereabouts in the room.

·         Personnel are expected to notify Facility Services in advance of any known electrical needs, physical server changes, or any other action involving the electrical power system or physical connection to the network.  Personnel must not plug into a connection or make any other physical changes without having been authorized by Facility Services personnel, as a circuit overload may result.

·         Any staff member with card authorization who is escorting a visitor without access privilege will verify that the visitor has checked in with EDOC Security for a Visitor’s badge or a Vendor/Contractor badge. This applies to both EDOC and CMCC Data Centers. In any situation, the authorized staff member will be totally responsible and held accountable for an escorted individual’s or group’s actions.

·         On occasion (e.g., weekends when there may be only one individual on duty), the EDOC Data Center may be unstaffed for a short period of time for breaks. During these ‘after hours’ times, the operators will carry a cell phone and/or pager.  The contact number(s) will be posted on the wall just above the ‘Sign-in Book’ inside the Data Center.  NOTE: You cannot use the phone just outside the double doors of the EDOC Data Center entry to call these numbers.  It is a direct line to a dedicated phone within the Data Center.

·         Anyone responding to an automated contact by WEBNM or some other form of ‘call home’ system must follow procedures as outlined in this document.

·         If Standard Operating Procedures (SOP) on file in Operations are not sufficient to resolve a given situation, then an escalation process will be initiated by the EOM Duty Operator based on the Duty Roster (see http://csn.state.me.us/login.php ).

 

Specific Guidelines and Procedures

 

24/7 Access (24 hour access 7 days per week) procedures:

·         Permanent 24/7 access permission is reserved for EOM, HSP (High Speed Printing), and Security staff only.

·         Those on the weekly ‘DUTY ROSTER’ (see http://csn.state.me.us/login.php ) will be classified 24/7 for the duration of their ‘on-call’ period.

·         Those on the duty roster are empowered as ‘Authorizing Agents’ to approve entry for other individuals dispatched outside the regular working hours of 6 AM to 7 PM.

 

Daytime access (6 am – 7 pm Monday through Friday, No Holidays):

·         Management will select a limited list of staff members for Data Center support between the hours of 6 AM and 7 PM, in order to keep the number of personnel with access down to a controllable level.

·         All other personnel needing access to any Data Center must:

          ·         be ‘escorted’ by staff having an authorized entry card,

          ·         or, for the EDOC Data Center only, use the phone outside the EDOC Data Center to check in with the Duty Operator, identify themselves, and state the nature of the entry. If approved, the Duty Operator will ‘buzz’ the person in.

 

Off-Hours Access (7 PM to 6 AM M-F, Holidays, and weekends):

Off-hours access to Data Centers is subject to the following:

·         Name must appear on a pre-approved 24/7 list such as the Duty Roster or EOM Organizational Chart,

·         or, be escorted by staff on a pre-approved 24/7 list,

·         or, reference a FOOTPRINTS problem ticket number (which may be created by EOM staff on call-in),

·         or, reference an OIT Change Management project Request For Change (RFC) number,

·         or, have an Authorizing Agent notify EOM Duty Operator of access approval to a specific Data Center. In turn EDOC Security will be notified of your dispatch. EDOC Security will activate the required access level for your OIT access badge for a 24-hour period for the purpose of problem resolution.

 

Pre-Approval processes:

·         Vendors, Contractors, outside Agency personnel and other visitors whose presence is regularly required to support EDOC and/or CMCC Data Centers may be granted pre-approved access (see OIT Access request form at http://inet.state.me.us/OIT/EForms/Net/AccessRequest/Default.aspx ).  Depending on frequency of access requirement, the individual may be issued a permanent badge, or may be required to sign in at the security office and issued a temporary access badge.  Individuals who are not pre-approved will be issued an OIT non-access visitor’s badge, and must be accompanied and escorted by pre-approved personnel.

·         The RFC mechanism will be used as a means of communicating to the security officers the names of employees and other individuals requiring access, the facilities they require access to, the date and time the access is to begin, and the duration of the access.

·         Anyone NOT adhering to the rules will be reported to their Management and access authorization will be revoked.

IV. Applicability

These procedures apply to access to OIT managed data centers, most notably the data centers at EDOC (Edison Drive Operations Center) and at CMCC (Central Maine Commerce Center).  These procedures must be adhered to by any and all persons who may have occasion to enter these data centers for any reason.

 

V. Responsibilities

·         Data Center Visitors:  Data Center Visitors are responsible for complying with these procedures.

·         Supervisory Personnel:  Managers and Supervisors are responsible for enforcing procedure compliance by Data Center Visitors under their supervisory control.

·         Enterprise Operations and Monitoring:  EOM staff and management are responsible for implementing, monitoring, and enforcing these procedures.

·         Security:  EDOC Security Officers (contract security staff) are responsible for enabling and disabling access levels as detailed in these procedures or otherwise authorized by EOM Staff.

 

VI. Definitions

 

1.      Authorizing Agent – An authorizing agent is an on-call responder, the on-call duty manager, or other OIT manager who can verify to EOM staff the work reason and dispatch of specific individuals to address incidents requiring those individuals to access OIT Data Centers.

 

2.      Data Center – A room, managed by EOM for the purpose of providing optimal environmental, power, and security conditions for the operation of State of Maine critical information processing hardware.

 

3.      Duty Roster – A list of on-call support personnel and Duty Manager who are responsible for addressing problems encountered with various OIT areas and systems when established Standard Operating Procedures (SOP) are insufficient to resolve the situation.

 

4.      EOM – Enterprise Operations and Monitoring

 

VII. References

 

1.      OIT Access request form: http://inet.state.me.us/OIT/EForms/Net/AccessRequest/Default.aspx

2.      On-Call Duty Roster: http://csn.state.me.us/login.php (You must log in with your AD credentials to access this information.)

 

 

VIII. Document Information

 

1.      Document Reference Number: 29

 

2.      Category: Security and Privacy

 

3.      Adoption Date: September 9, 2008

 

4.      Effective Date: September 9, 2008

 

5.      Review Date: September 1, 2009

 

6.      Point of Contact:  Robert J. Arbour, Systems Group Manager, Enterprise Operations and Monitoring, State House Station 145, Augusta, ME 04333-0145, (207) 624-9838, or Robert L. Witham, Jr., Information Systems Security Analyst, State House Station 145, Augusta, ME 04333-0145, (207) 624-9439

 

7.      Approved By:  Greg McNeal, Chief Technology Officer, State House Station 145, Augusta, ME 04333-0145, (207) 624-9471

 

8.      Position Title(s) or Agency Responsible for Enforcement:  Robert J. Arbour, Systems Group Manager, Enterprise Operations and Monitoring, State House Station 145, Augusta, ME 04333-0145, (207) 624-9838

 

9.      Legal Citation: 5 MRSA, Chapter 163, Section 1973, paragraphs B and D, read in part: [The Chief Information Officer shall] "Set policies and standards for the implementation and use of information and telecommunications technologies, including privacy and security standards…" and "Identify and implement information technology best business practices and project management"

 

10.  Waiver Process: The CIO or his/her designee may authorize an exception on a case-by-case basis.

Apply for a waiver as follows:

Address an email to Richard B. Thompson and include as a CC: the Associate Chief Information Officer or the Agency Information Technology Officer. If you require assistance with determining the correct person, contact the CIO’s office at 624-8800.

Include the following in the email:

Document a compelling technical or business case that identifies the specific action and how it warrants exemption.

Include any supporting documentation you may have.

 

When a decision has been reached in granting or denying the waiver, the CIO will respond to the submitter, the AITD, and the following three designated people whose names are located on the policy/standard for which the waiver is being sought: Point of Contact, Approved By and Position Title(s) or Agency Responsible for Enforcement.