SOP Access Control and Security
SOP Number: IT/017/R.1
SOP Title: Access Control and Security

           | NAME                | TITLE           | DATE
Author     | Sandeep R. Yadav    | System Admin    | 09-07-2024
Reviewer   | Ashutosh Awasthi    | Senior Manager  | 09-07-2024
Authoriser | Mahaveer Devannavar | General Manager | 09-07-2024

Effective Date: 09-07-2024
Review Date: 09-07-2024
1. PURPOSE
The purpose of this document is to provide guidelines for establishing a user authentication method so that all information system assets owned by Somaiya are accessed by authorized users only.
This document also clarifies the process by which employees, contractors, vendors, and other individuals are authorized for access, and the conditions for controlling that authorized access. The Datacentre administrator must be able to guarantee that the physical environment is maintained and operated in a professional manner equivalent to what one would expect of a commercial facility
2. INTRODUCTION
Access Control and Security is used to safeguard the Data Centre and the intellectual property of the respective organisation. It protects the Data Centre against unauthorised access
3. SCOPE
This policy applies to all information system assets, such as Network devices, Storage, Servers, etc., owned by Somaiya. All employees of the Somaiya IT team are subject to this policy and required to abide by it
4. RESPONSIBILITIES
4.1 Data Centre Visitors: Data Centre Visitors are responsible for complying with this procedure
4.2 General Manager IT: The General Manager IT (or designee) enforces this procedure
4.3 Enterprise Operations and Monitoring: EOM staff and management are responsible for implementing, monitoring, and enforcing this procedure
4.4 Somaiya Management: Somaiya management is responsible for maintaining a list of employees and contractors who are authorized and whose work duties require a physical presence in a Data Centre
4.5 Security Officers: Security Officers (contract security staff) are responsible for monitoring access requests under the RFC process as detailed in this procedure
4.6 Supervisory Personnel: Managers and Supervisors are responsible for enforcing procedure compliance by Data Centre Visitors under their supervisory control
5. SPECIFIC PROCEDURE
5.1 General procedures regardless of access level:
5.1.1 All persons, regardless of their method of entry, must enter the following information in the Somaiya Data Centre log book: their name, the reason for their entry, a Request for Change (RFC) number, the date and time of their entry, and the date and time of their departure. The entry must sufficiently describe the nature of the problem being worked on
5.1.2 All personnel must punch the Biometric device when entering the Data Centre, including when in a group, and even if their Biometric is not authorized to grant access. The action will be automatically recorded in the access control system log files and can be compared to the sign-in book, if necessary
5.1.3 Personnel are expected to notify Facility Services, in advance, of any known electrical needs, physical server changes, or any other action involving the electrical power system or physical connection to the network. Personnel must not plug equipment into any connection or make any other physical changes without authorization from Facility Services personnel, as a circuit overload may result
5.1.4 All visitors without access privilege will be escorted by authorized personnel
5.1.5 Authorized staff members will be totally responsible and held accountable for an escorted individual’s or group’s actions at a Somaiya Data Centre
5.1.6 Occasionally (for example, weekends, if only one individual is on duty), the Data Centre may be unstaffed for short periods of time for breaks. During these ‘after hours’ times, the operators will carry a cell phone. The contact number is posted on the wall just above the ‘Sign-in Book’ inside the Data Centre
5.1.7 If Standard Operating Procedures (SOP) are not sufficient to resolve a given situation, then escalation will be initiated based upon the Duty Roster 1
5.2 Specific Guidelines and Procedures:
5.2.1 24/7 access (24-hour access 7 days per week) procedures
5.2.1.1 Permanent 24/7 access permission is reserved for Data Centre administrator, Security Officers, and personnel authorized by supervisors. All others are considered Data Centre Visitors
5.2.2 Daytime access (6 AM – 6 PM Monday through Friday, no holidays)
5.2.2.1 Management will select a limited list of staff members for Data Centre support between the hours of 6 AM to 6 PM, to keep the number of personnel down to a controllable level
5.2.2.2 All other personnel needing access to any Data Centre must be escorted by staff having authorized Biometric access
5.2.3 Off-hours and emergency access (6 PM to 6 AM Monday through Friday, holidays, and weekends):
5.2.3.1 Off-hours access to Data Centres is subject to the following:
5.2.3.1.1 Name must appear on a pre-approved 24/7 list such as the Somaiya Duty Roster
5.2.3.1.2 or, be escorted by staff on a pre-approved 24/7
5.2.3.1.3 or, reference a Somaiya Change Management Project Request for Change (RFC) number
5.2.3.1.4 Emergency access will be granted for a maximum of 24 hours. If access is required beyond that, the task must be transferred to an emergency RFC
5.2.4 Pre-Approval process (General):
5.2.4.1 Supervisor approval is required for specific job duties requiring physical presence in the Data Centre
5.2.4.2 Vendors, Contractors, outside Agency personnel and other visitors whose presence is regularly required to support Data Centres may be granted pre-approved access. Depending on the frequency of the access requirement, the individual may be issued a permanent badge. Individuals who are not pre-approved will be accompanied and escorted by pre-approved personnel
6. APPLICABILITY
This Procedure applies to access to Somaiya Data Centres. This Procedure must be adhered to by all persons who may enter a Somaiya Data Centre, for any reason
6.1 System administrator
6.2 Network administrator
6.3 IT manager/General Manager
6.4 Datacentre administrator
7. DEFINITIONS
7.1 Authorizing Agent: An on-call responder, the on-call duty manager, or an IT manager who can vouch, to Datacentre administrator staff, for the reason why a specific individual needs Somaiya Data Centre access
7.2 Data Centre: A Datacentre administrator managed facility, providing optimal environmental, power, and security conditions for the operation of Somaiya critical information technology hardware
7.3 Data Centre Visitor: A Data Centre visitor is any person who is not part of the Datacentre team, Security, or an authorized employee, and therefore does not have permanent 24/7 Data Centre access
7.4 Duty Roster: A list of support personnel and Datacentre administrators who are responsible for addressing problems encountered with various Somaiya areas and systems when established Standard Operating Procedures (SOP) are insufficient to resolve the situation
7.5 Datacentre administrator: A section of Somaiya representatives whose responsibilities include providing a secure, stable physical environment for servers, storage and network equipment
8. FORMS/TEMPLATES TO BE USED
A standard template is used to manage the Data Centre, Department of Information Technology
9. CHANGE HISTORY
SOP No.    | Effective Date | Significant Changes | Previous SOP no.
IT/017/R.1 | 09-07-2024     | First version       | N.A.