Datacenter Policy


Controls Satisfied



Purpose and Scope

  • The purpose of this policy is to define security procedures within the organization’s data centers and secure equipment areas.

  • This policy applies to any cloud hosted providers and facilities within the organization that are labeled as either a data center or a secure equipment area. Such facilities are explicitly called out within this document.

  • This policy applies to all management, employees and suppliers that conduct business operations within cloud host or data centers and secure equipment areas.


  • This policy defines the policies and rules governing data centers and secure equipment areas from both a physical and logical security perspective. The document lists all data centers and secure equipment areas in use by the organization, prescribes how access is controlled and enforced, and establishes procedures for any visitor or third party access. This policy also defines prohibited activities and requirements for periodic safety and security checks.


  1. The following locations are classified by the organization as secure areas and are governed by this policy:

    1. [list all data center locations and secure areas under the organization’s control]

  2. Each data center and secure area must have a manager assigned. The manager’s name must be documented in the organization’s records. In the case of any on-prem data centers, the manager’s name must also be posted in and near the secure area.

  3. Each secure area must be clearly marked. Access to the secure area must be controlled by at least a locked door. A visitor access log must be clearly marked and easily accessible just inside the door.

  4. Persons who are not employed by the organization are considered to be visitors. Visitors accessing secure areas shall:

    1. Obtain access to secure areas in accordance with reference a.

    2. Only enter and remain in secure areas when escorted by a designated employee. The employee must stay with the visitor during their entire stay inside the secure area.

    3. Log the precise time of entry and exit in the visitor access log.

  5. The following activities are prohibited inside secure areas:

    1. Photography, or video or audio recordings of any kind.

    2. Connection of any electrical device to a power supply, unless specifically authorized by the responsible person.

    3. Unauthorized usage of or tampering with any installed equipment.

    4. Connection of any device to the network, unless specifically authorized by the responsible person.

    5. Storage or archival of large amounts of paper materials.

    6. Storage of flammable materials or equipment.

    7. Use of portable heating devices.

    8. Smoking, eating, or drinking.

  6. Secure areas must be checked for compliance with security and safety requirements on at least a quarterly basis.