Survey measures risks in server rooms

Server rooms support essential functions for the campus and therefore need physical security safeguards. These safeguards cover physical access, heating and cooling, fire detection, disaster recovery, water encroachment and power management. A proposal lined up for final approval this quarter will help to ensure that campus server rooms are uniformly reviewed for physical security needs.

The proposal creates a server-room survey of 80 questions that embody best practices on campus. Server-room managers would complete the survey for machines that provide a critical service, or use restricted data. They would disclose any serious risks they find, and report their plans for improvement as part of the yearly campuswide Cyber-safety survey.

The self-assessment survey looks at conditions in server rooms run by departments and units throughout campus, often in buildings that pre-date modern computing. Some of those locations are poorly secured, risk overheating, lack good backups, or fall short in other areas.

Those shortcomings expose the servers to damage, as well as to the theft of data or equipment. A fire in a poorly protected server room could damage the property of any unit that shares the building.

The campus Cyber-safety Steering Committee met in February and recommended a change to an exhibit of the campus Cyber-safety policy. The exhibit amendment integrates the server room physical security review into the campus Cyber-safety program. This recommendation has been forwarded to the Provost's office for review and adoption. After this policy exhibit amendment is adopted, the server room self-assessment survey will be included as part of the next Cyber-safety survey this fall.

Several groups have already vetted the idea, which emerged from an earlier proposal to mandate campuswide standards. That original option was set aside as too inflexible.

The self-assessment approach lets departments balance deficiencies in their server rooms against other cyber-safety priorities they need to address, said Chip Mrizek, director of information technology for the Graduate School of Management. He presented a draft of the survey proposal to the Strategic Approach to Investments in Computing Facilities committee in November, on behalf of the Deans' Technology Council.

Server-room managers will decide if each question applies to them--such as, does the room containing their server have a window? Is it near a street? "And if it does, is there a risk associated with noncompliance? Those risks have to be reported," Mrizek said.

"So there is basically enforcement," he said, "not that you have to fix this, but that you have to assess and report plans for compliance."

"We wanted to balance the risk of the network rooms, of noncompliance to these standards, along with other areas of cyber-safety," Mrizek said. "Areas might have higher risks elsewhere."

The questions might seem to be "almost an exercise in minutiae," said Bob Ono, information technology security coordinator for the campus. But the scrutiny extracts telling details.

One question asks if a server room's windows are at least 40 inches from any door locks, to cut the chance that someone could disable the lock by reaching through the window. Another asks if the room has a temperature alert "and, if so, are the warnings logged to a recording device?" Servers throw off a lot of heat, and fail when they get too hot.

Units would report significant physical security risks to their dean, vice chancellor or vice provost as part of their annual Cyber-safety report, which asks people if they're meeting campus cyber-safety security standards.

In the past, server rooms have caught fire, had sprinklers positioned over racks of servers, or were backed up by power sources that failed in less than a minute. Other rooms might simply need to attend to a few details.

"I don't have a sense of the condition of rooms across campus," Mrizek said, "but would be very surprised if more than a small percentage met all the standards identified in the survey."