28. Physical Security (Server Rooms)
Are all servers under your control in a secure datacenter?
Secure datacenters are:
- Core UBC datacenters
- UBC approved datacenters, e.g. EduCloud, Compute Canada HPC
- Other third-party datacenters approved by the CISO
- Departmentally managed datacenters which meet the essential physical security requirements (see instructions below)
Why is this Essential?
While electronic controls are important, they may become ineffective if the device is physically accessed or removed by an unauthorized party. UBC datacenters and UBC approved datacenters (including third party datacenters) are intended to provide a secure location for operations, controlled access to equipment and data, protection against environmental threats and support for the availability requirements.
Further, as a public body, UBC is obligated by the "BC Freedom of Information and Protection of Privacy Act (FIPPA)" and "Policy GA4, Records Management" to implement reasonable and appropriate security arrangements for the protection of Personal Information (in both electronic and paper format). Therefore, servers containing significant quantities of High or Very High Risk Information must be hosted in UBC Datacenters or in third party servers that have an equivalent level of security as prescribed in Information Security Standard M9.
Reference Links
- Physical Security of UBC Datacenters
- Security Classification of UBC Electronic Information standard
Please use the checklist (link below) of must-have controls for UBC datacenters to evaluate whether departmentally managed datacenters meet the essential physical security requirements.
Physical Datacenter Controls (must have) Checklist
What is Acceptable?
All servers are in a secure datacenter.
What is a secure datacenter:
- UBC datacenters and UBC approved datacenters, e.g. EduCloud, Compute Canada HPC
- Other third-party datacenters approved by the CISO
- Departmentally managed datacenters which meet the essential physical security requirements