Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology (OIT)

OIT Data Center Access Control Procedure

1.0 Purpose

The purpose of this document is to clarify the process by which employees, contractors,
vendors, and other individuals are authorized for access to OIT Data Centers, and the conditions
for controlling that authorized access. Enterprise Operations and Monitoring (EOM) must
maintain and operate the OIT Data Centers physical environment in a professional manner,
equivalent to what one would expect of a commercial facility.

2.0 Definitions

2.1 Authorizing Agent: An on-call responder, the on-call duty manager, or an OIT manager who
can vouch, to EOM staff, the reason why a specific individual needs OIT Data Center access.

2.2 Data Center: An EOM managed facility, providing optimal environmental, power, and
security conditions for the operation of State of Maine critical information technology
hardware.

2.3 Data Center Visitor: A Data Center visitor is any person who is not part of EOM, Security, or
an authorized employee, and therefore, does not have permanent 24/7 Data Center access.

2.4 Duty Roster: A list of support personnel and Duty Manager who are responsible for
addressing problems encountered with various OIT areas and systems when established
Standard Operating Procedures (SOP) are insufficient to resolve the situation.

2.5 Enterprise Operations and Monitoring (EOM): A section of OIT Client Technologies,
whose responsibilities include providing a secure, stable physical environment for servers
and mainframes.

3.0 Applicability

This Procedure applies to access to OIT Data Centers. This Procedure must be adhered to by all
persons who may enter an OIT Data Center, for any reason.

4.0 Responsibilities

4.1 Data Center Visitors: Data Center Visitors are responsible for complying with this procedure.

4.2 Chief Information Security Officer: The Chief Information Security Officer (or designee)
enforces this Procedure.

4.3 Enterprise Operations and Monitoring: EOM staff and management are responsible for
implementing, monitoring, and enforcing this Procedure.

Page 1 of 5
 OIT Data Center Access Control Procedure

4.4 OIT Management: OIT management is responsible for maintaining a list of employees and
contractors who have passed the Maine State Police Background check and who also have
work duties which require a physical presence in a Data Center.

4.5 Security Officers: Security Officers (contract security staff) are responsible for monitoring
access requests under the RFC process as detailed in this Procedure.

4.6 Supervisory Personnel: Managers and Supervisors are responsible for enforcing Procedure
compliance by Data Center Visitors under their supervisory control.

5.0 Directives

5.1 General procedures regardless of access level:

5.1.1 All persons, regardless of their method of entry, must enter the following information
in the OIT Data Center log book:
5.1.1.1 their name
5.1.1.2 the reason for their entry, a Request for Change (RFC) number, EOM Project
Footprints Ticket number, or Customer Support Project Footprints Ticket
number
5.1.1.3 the date and time of their entry
5.1.1.4 the date and time of their departure

5.1.2 Handwriting must be legible and narratives must sufficiently describe the nature of
the problem being worked on. Log entries such as “Server”, “GIS”, “Network”, or
“Service” are not acceptable and will be reported to management as a violation.

5.1.3 ALL personnel must use their access card at the card reader outside the Data Center
when entering the Data Center, including when in a group, and even if their card is
not authorized to grant access. The action will be automatically recorded in the
access control system log files and can be compared to the sign-in book, if necessary.

5.1.4 Personnel are expected to notify Facility Services, in advance, of any known electrical
needs, physical server changes, or any other action involving the electrical power
system or physical connection to the network, through a Footprints Ticket under the
OIT Facilities project (Work Order), or the OIT Change Management Project (RFC), as
appropriate. Personnel must not plug equipment into any connection or make any
other physical changes without authorization from Facility Services personnel, as
recorded in these tickets, as a circuit overload may result.

5.1.5 All visitors without access privilege will be escorted by authorized personnel.

5.1.6 Authorized staff members will be totally responsible and held accountable for an
escorted individual’s or group’s actions at an OIT Data Center.

5.1.7 Occasionally (for example, weekends, if only one individual is on duty), the Data
Center may be unstaffed for short periods of time for breaks. During these ‘after
hours’ times, the operators will carry a cell phone. The contact number(s) is posted
on the wall just above the ‘Sign-in Book’ inside the Data Center.

Page 2 of 5
 OIT Data Center Access Control Procedure

5.1.8 Anyone responding to an automated contact by WEBNM or some other form of ‘call
home’ system must follow Procedures as outlined in this document.

5.1.9 If Standard Operating Procedures (SOP) are not sufficient to resolve a given situation,
then escalation will be initiated based upon the Duty Roster1.

5.2 Specific Guidelines and Procedures

5.2.1 24/7 Access (24-hour access 7 days per week) Procedures:

5.2.1.1 Permanent 24/7 access permission is reserved for EOM, Security Officers, and
personnel authorized by supervisors. All others are considered Data Center
Visitors.

5.2.2 Daytime access (6 AM – 6 PM Monday through Friday, No Holidays):

5.2.2.1 Management will select a limited list of staff members for Data Center support
between the hours of 6 AM to 6 PM, to keep the number of personnel down to a
controllable level.

5.2.2.2 All other personnel needing access to any Data Center must be escorted by staff
having an authorized entry card.

5.2.3 Off-Hours and Emergency Access (6 PM to 6 AM Monday through Friday,

Holidays, and weekends):
5.2.3.1 Off hours access to Data Centers are subject to the following:
5.2.3.1.1 Name must appear on a pre-approved 24/7 list such as the OIT Duty
Roster or EOM Organizational Chart,
5.2.3.1.2 or, be escorted by staff on a pre-approved 24/7 list,
5.2.3.1.3 or, reference an OIT Change Management Project Request for Change
(RFC) number. (See Section 5.25)
5.2.3.1.4 or, have an Authorizing Agent notify EOM Duty Operator of access
approval to OIT Data Center (See Section 5.26)
5.2.3.1.5 Emergency access will be granted for a maximum of 24 hours. If access
is required beyond that, the task must be transferred to an emergency
RFC.

5.2.4 Pre-Approval process (General):

5.2.4.1 Individuals must pass a Maine State Police (MSP) background check as detailed
in the Physical Access Card Request Form for OIT Areas2 request form before
they may be granted approval for badge access to OIT Data Centers.

5.2.4.2 Supervisor approval is required for specific job duties requiring physical
presence in the Data Center.

5.2.4.3 Vendors, Contractors, outside Agency personnel and other visitors whose
presence is regularly required to support Data Centers may be granted pre-
approved access (see Physical Access Card Request Form for OIT Areas).
Depending on the frequency of the access requirement, the individual may be

1 http://csn.state.me.us/login.php
2 https://footprints.state.me.us/footprints/security.html

Page 3 of 5
 OIT Data Center Access Control Procedure

issued a permanent badge. Individuals who are not pre-approved will be

accompanied and escorted by pre-approved personnel.

5.2.5 Pre-Approval process (OIT Change Management RFC) – Security Staff

Procedure:
5.2.5.1 RFC must include the beginning and ending dates and times of access as well as
names of those requiring access.

5.2.5.2 To enter or modify dates and names, the appropriate Data Center must be
selected.

5.2.5.3 If the access start and end times are the same, or if the end time is before the
start time, access cannot be granted.

5.2.5.4 Security staff will routinely monitor RFCs that are assigned to the OIT-Building-
Access group. They will:
5.2.5.4.1 Compare the names listed in the RFC against a list of individuals who
have passed a MSP background check.
5.2.5.4.2 Submit a request to Building Control Center (BCC) through their E-
Logger system to apply the appropriate access level to the named
individuals and the Start and End date/time of the access.
5.2.5.4.3 Update the RFC indicating the E-Logger log number.

5.2.5.5 BCC staff will update the access for the requested individuals prior to the start
time, and revoke the access after the requested end date/time.

5.2.6 Pre-Approval process (Emergency Access Customer Support Ticket) -

Enterprise Operations and Monitoring Emergency Access Procedure:
5.2.6.1 EOM staff may approve OIT staff for Data Center access under the following
conditions:
5.2.6.1.1 When an SOP requires the call-in of support staff to respond to an
incident.
5.2.6.1.2 When contacted by an Authorizing Agent who will approve support
staff for emergency off hours Data Center access to respond to an
incident.

5.2.6.2 EOM Staff will create a Customer Support ticket or update an existing Customer
Support ticket documenting the incident.
5.2.6.2.1 New tickets should be filled out as normal documenting the incident.
5.2.6.2.2 EOM Access Authorization section of the ticket must be completed on
new and existing tickets (see SOP for authorizing access).

5.2.6.3 EOM staff will submit an E-Logger request to building control to add appropriate
access level(s) to the requestor(s) card(s) (see SOP for submitting E-Logger).

5.2.6.4 EOM staff will submit an E-Logger request to remove added access level(s) from
card(s), upon notification of ticket closure, or after 24 hours, whichever is less.

6.0 Document Information

Page 4 of 5
 OIT Data Center Access Control Procedure

Initial Issue Date: April 2, 2012

Latest Revision Date: April 4, 2019 – To update Document Information.

Point of Contact: Security Compliance and Policy Manager, [email protected]

Approved By: Chief Information Officer, OIT

Legal Citation: Title 5, Chapter 163: Office of Information Technology3

Waiver Process: See the Waiver Policy4.

3 http://legislature.maine.gov/statutes/5/title5ch163sec0.html
4 http://maine.gov/oit/policies/waiver.pdf

Page 5 of 5