
IT Physical Access Procedure

IT Physical Access Procedure Page 1 of 11 Confidential


1. Document Control

Document Information
File Name               ISMS IT Physical Access Procedure MSTD 100 NTL.doc
Doc ID                  ISMS-MSTD100
Classification          Internal Use only
Author                  Operations Manager [OM]
Owner                   Delivery Head
Online Ref.             Not applicable
Status
Created on              03.01.2017
Released on
Valid from
Next revalidation date
Printed on

Revision
Version  Date        Name          Description of changes                                 Status
100      03.01.2017  Varsha Patil  Initial draft created
101      03.03.2017  Varsha Patil  Removed “To be completed by IT Operations Staff Only”

Approval
Version  Date  Name  Function                  Signature
100                  Joint Commissioner, MSTD
                     Operations Manager, NTL

Release, Revalidation
Version  Date  Name  Function            Signature
100                  Delivery Head, NTL

Distribution List
Role                           Name
Joint Commissioner, MSTD       Harshal Nikam
IT Security & Compliance, NTL  Varsha Patil
Senior Operations Manager

Reference Document

Document ID Document Title/Remarks


ISMS-MSTD101 Access Request Form
ISMS-MSTD102 MSTD access form for issue of Photo-ID Card
ISMS-MSTD103 Lost Reporting form
ISMS-MSTD104 Visitors Register template
ISMS-MSTD105 Register – ID Card Surrender Template
ISMS-MSTD106 Access Control List- DC
ISMS-MSTD107 Access Control List- DRC
ISMS-MSTD108 List of Authorized Person to MSTD DC
ISMS-MSTD109 NOC Floor Diagram
ISMS-MSTD110 DC Floor Diagram
ISMS-MSTD111 DRC Floor Diagram
ISMS-MSTD112 NDR Floor Diagram


Table of Contents

1. Document Control
2. Purpose
3. Scope
4. Responsibility
5. Definition
6. Access Procedure At Primary Data Centre (DC)
6.1. Visitors Gate Pass for Restricted Zone
6.2. Visitors Gate Pass for Secure Zone
6.3. NTL/ Vendor support team for issue of Permanent Access Card
6.4. NTL / Vendor support team deactivation of Permanent Access Card
6.5. Lost Card Reporting
7. Access Procedure at Disaster Recovery Centre (DRC)
8. Access Procedure at Near Data Centre (NDR)
9. Working in Secure Zone
9.1. General
9.2. Security conscious employees
9.3. 'Tailgating' Through Controlled Doors
9.4. Employees Awareness and training
10. Approving Authority
10.1. For Access Request Form:
10.2. For Permanent Access Card Form:
10.3. For Work Permit approval:
11. Access Control List Review
12. Document Review
13. Annexure 1 - Forms
14. Annexure 3 - Approving Authority
15. Glossary of Abbreviations


2. Purpose
The objective of this document is to provide the detailed procedures implemented for physical access
protection and provide controlled authorized access to the IT assets located at the Primary Data Centre
(PDC), Near Data Centre (NDR) and Disaster Recovery Centre (DRC).

3. Scope
The scope of this document applies to the Primary Data Centre (BSNL Fort), MSTD Mazgaon NOC Sitting
Space, NDR (Near Data Centre, Mantralaya) and the Disaster Recovery Centre (Faridabad).
Presently the Primary Data Centre is located at BSNL Fort, Mumbai, the Near Data Centre is located at
Mantralaya and the Disaster Recovery Centre is located at Faridabad.

4. Responsibility
Senior Manager – Datacentre is responsible for correct issuance, maintenance and distribution of the
Physical Access Security procedures in coordination with Operations Manager and MSTD Team.

5. Definition
Perimeter zones are identified and classified as below, based on the criticality of the working area:
Internal Zone – The NTL DC Team members’ administrative office is identified as the Internal Zone. The
security requirement is defined as low in this area, as it is not connected to the Data Centre network
either physically or logically.
Restricted Zone – The workplace for DC team members is identified as the restricted area, where the IT
assets exist through which operational activities are performed in the Data Centre. The security
requirement is defined as medium, as this area enables logical access to the critical IT assets having
controlled authorised access.
Secure Zone – Server Halls, where the servers are physically located in locked Racks or a locked Cage,
are identified as the secure zone. The security requirement is defined as high, as this area enables
physical and logical access to the critical IT assets having controlled authorised access.

6. Access Procedure At Primary Data Centre (DC)


Access procedure for Physical Access Request (Grant/Revoke) to Data Centre Restricted Zone (MSTD
NOC) and Secure Zone (BSNL Fort).

6.1. Visitors Gate Pass for Restricted Zone

• Any visitor visiting MSTD NOC needs to inform the NTL NOC In charge well in advance of their
  intended visit and its purpose.
• The MSTD NOC Authorized Team verifies the requirement of the visitor to visit the Restricted Zone.
• The MSTD NOC Authorized Team fills in the visitor details and sends the request to NxtGen & MSTD
  Joint Commissioner for further approval well in advance.
• The visitor fills in the MSTD NOC Access Register at the reception in the entrance area of the NOC.
• An MSTD NOC employee is called by the visitor to escort them to the restricted zone.

6.2. Visitors Gate Pass for Secure Zone

• The MSTD NOC Authorized Team verifies the requirement of the visitor to visit the secure zone.
• The MSTD NOC Authorized Team fills in the visitor details and sends the request to the NxtGen team
  for further approval well in advance.
• At the security check, they verify our mail approval, company ID and physical assets/toolkit (if
  any) and make an entry in the register.
• Once the security check completes successfully, we receive a temporary card (without access);
  visitors are accompanied by the NxtGen team inside the secure zone.

6.3. NTL/ Vendor support team for issue of Access Card/Biometric Access

• An NTL employee / vendor onsite support team member joining as part of MSTD NOC fills in the
  Access Request Form and sends it for approval to the Operations Manager.
• Once approval is received from the Operations Manager, the ID card form is sent to the MSTD
  Mahavikas Joint Commissioner for necessary approval.
• Once approval is received, the ID card is prepared and duly signed & stamped by the Mahavikas
  Joint Commissioner.
• Biometric access needs to be renewed every six months.

6.4. NTL / Vendor support team deactivation of Access Card/Biometric Access

• An NTL employee / vendor onsite team member, once separated from the NOC operations team
  (not only the company), returns the ID card to the NOC team.
• The Operations Manager sends an authorization mail to the NOC team for deactivation of the card.
• The NOC team member returns the card to the Mahavikas Joint Commissioner.

6.5. Lost Card Reporting

• Lost cards will be reported immediately to the Operations Manager by mail, filling in the Lost
  Reporting Form.
• The Operations Manager sends an e-mail to the NOC authorized team for the new MSTD access card
  process.
• The employee / vendor has to fill in a new access card form.
• The employee / vendor gets the ID card from the MSTD Mahavikas Joint Commissioner.


7. Access Procedure at Disaster Recovery Centre (DRC)

• A requestor requiring access to the Disaster Recovery Centre premises intimates the DRC-In charge
  regarding the visit.
• The DRC-In charge sends a mail to the NxtGen authorized team to arrange the access required to
  specific areas.
• After approval, a gate pass is issued to the visitor.
• The visitor is accompanied by the NxtGen employee and makes the Visitor Register & material entry,
  if any, at the building entrance.
• If there is a requirement to visit the Server Hall, the NxtGen employee accompanies the visitor to
  the server hall.

8. Access Procedure at Near Data Centre (NDR)

• A requestor requiring access to the Near Data Centre premises intimates the NOC authorized team
  regarding the visit.
• The NOC authorized team fills in the visitor details & mails them to the authorized MSTD Nodal
  Officer first. The Nodal Officer then forwards the mail to DIT (Department of IT) to arrange the
  access required to specific areas.
• The DIT-approved mail needs to be forwarded to the Maharashtra State Data Centre BMS Operations
  Team for authorization at the Security Gate.
• If the visiting hours are before 2:00 PM, the visitor needs an authorization letter from the MSTD
  authority.
• After receiving the letter, the visitor needs to go to the Police Department for the Mantralaya
  Entry Permit letter.
• At the security gate, they verify the DIT-approved mail and the letter received from the Police
  Department.
• The visitor is accompanied by the security personnel to visit the server hall and makes the Visitor
  Register & material entry, if any, at the building entrance.

9. Working in Secure Zone


Activities performed in secure areas shall be under close supervision / monitoring and shall be known
only to the concerned employees. Access to secure areas shall be restricted to authorized personnel.

9.1. General

• All work areas must be kept clean and free of debris/combustible materials. Upon completion of any
  work in the room, staff performing the work should ensure they have left the area as clean as it
  was before their work began.
• All rack enclosures should be kept neat and free of manuals, diskettes, cables, etc. Doors on all
  racks should remain closed at all times except while work is being performed.
• Cables should never be strung outside of rack enclosures. Cabling between rack enclosures of
  adjacent racks is accepted provided sufficient pass-through chassis are in place.
• Under no circumstances should any employee:
    o Lift floor tiles without prior knowledge, consent, and oversight of the Operations staff.
    o Touch a Power Distribution Unit (PDU) within the Data Centre machine room.
    o Touch a Computer Room Air Conditioning Unit (CRAC) within the Data Centre machine room.
    o Open a Data Centre communications cabinet.
    o Plug any device into another cabinet’s power supply.
• All food and beverages are banned within the Data Centre machine room. Under no circumstances
  should food or beverage of any kind be brought into the room.
• Restricted use of camera phones. Unauthorized photography inside the facility premises is not
  allowed.
• Third-party contractors/workers shall be escorted at all times and should not be left unattended
  in the DC and DRC secure zone.
• All third-party contractors will be escorted and supervised during their activities all the time,
  as and when required.
• The perimeter of the Data Centre is under Video Surveillance.
• Windows are prohibited in the Server Hall.
• ‘Door open too long’ alarm systems are implemented on the main doors of the server hall.
• All doors of the Server Hall will remain closed unless somebody wants to get in or out.
• The transporter/vendor will deliver the hardware in the server hall accompanied by authorized
  personnel.
• A Fire Suppression System is implemented in the Server Hall. Warnings are displayed at appropriate
  locations with emergency exit guidelines.
• Exit signposts are displayed at appropriate locations.

9.2. Security conscious employees

• Employees shall challenge unescorted strangers and anyone not wearing visible identification
  (i.e. identification badge).
• Employees shall report suspicious activities (like a stranger walking curiously around the
  perimeter of a restricted zone).
• Administration shall ensure that vacant secure areas are physically locked or an appropriate
  label displayed to prevent unauthorized use.

9.3. 'Tailgating' Through Controlled Doors

• Employees must use their own access card for entry to / exit from the building. Tailgating is
  not permitted.
• Employees must not permit unknown or unauthorized persons to pass through doors requiring swipe
  cards / proximity cards at the same time as they pass through these entrances. To avoid
  piggybacking, appropriate security awareness training shall be provided to the employees.

9.4. Employees Awareness and training

• Awareness training on fire-fighting is conducted by the NxtGen Emergency Response Team on a
  yearly basis as required. Records are maintained with NxtGen.
• NTL provides security awareness training on a regular basis through e-mail and also provides
  mandatory training as per the ISMS scope, the record of which is maintained by NTL HR.

10. Approving Authority

10.1. For Access Request Form:
• Operations Manager – For NOC
• DRC In Charge – For DRC

10.2. For Permanent Access Card Form:
• Operations Manager – For NOC
• MSTD Joint Commissioner – For MSTD NOC
• DRC-In Charge – For DRC

10.3. For Work Permit approval:
• Operations Manager/ Systems Team Lead/ Application Team Lead – For MSTD NOC
• MSTD Joint Commissioner – For MSTD NOC
• Operations Manager – DC
• DRC In Charge – DRC

Note: These people will send mail communication to the MSTD NOC Team at
Harshad.Shrimani@NIIT-Tech.com for visitors coming to DC / MSTD NOC. Only the ID
Harshad.Shrimani@NIIT-Tech.com is authorized to send the mail to the NxtGen Team for a Work
Permit, with CC to the Operations Manager and Systems Team Lead. This is applicable for MSTD
NOC and DC Mumbai.

11. Access Control List Review

• The NTL DC Operations structure Manager reviews the access to the Primary Data Centre, Near
  Data Centre and Disaster Recovery Centre on a quarterly basis or as and when there is a
  major change.
• The Access Control List is modified, looking at the business requirement and the roles and
  responsibilities assigned to the DC/DRC team, and sent to NTL Management for necessary
  approval.
• On approval, the access list is kept for further reference.

12. Document Review


The document will be reviewed for effectiveness once a year or at the time of a major change in the
Data Centre physical access procedure, to ensure that it remains appropriate as per the Policy defined
to prevent unauthorized access.

13. Annexure 1 - Forms
Document ID   Forms   Description                                  Document Name
ISMS-MSTD101  Form 1  Access Request Form                          ISMS Access Request Form MSTD 101 NTL.doc
ISMS-MSTD102  Form 2  MSTD access form for issue of Photo-ID Card  ISMS NOC access form for issue of Photo-ID Card MSTD 102 NTL.doc
ISMS-MSTD103  Form 3  Lost Reporting form                          ISMS Lost Reporting Form MSTD 103 NTL.doc
ISMS-MSTD104  Form 4  Visitors Register template                   ISMS Visitors Register template MSTD 105 NTL.xls (Maintained as Physical Register)
ISMS-MSTD105  Form 5  Register – ID Card Surrender Template        ISMS Register ID Card Surrender Template MSTD 106 NTL.xls (Maintained as Physical Register)

14. Annexure 3 - Approving Authority

Document ID   Communication  Description                             Document Name
ISMS-MSTD106  Comm. 1        List of Authorized Person from DC NTL   ISMS Access List PDC MSTD 106 NTL
ISMS-MSTD107  Comm. 2        List of Authorized Person from DRC NTL  ISMS Access List DRC MSTD 107 NTL
ISMS-MSTD108  Comm. 3        List of Authorized Person to MSTD DC    ISMS List of Authorized Person to MSTD DC 108 NTL

15. Glossary of Abbreviations

Sr. No Abbreviations Descriptions


1 PDC Primary Data Centre at BSNL, Mumbai
2 DRC Disaster Recovery Centre at Faridabad
3 NDR Near Data Centre at Fort, Mumbai
4 NTL NIIT Technologies ltd
5 MSTD Maharashtra Sales Tax Department
6 NOC Network Operating Centre
7 NxtGen NxtGen (DataCentre Provider at DC-Mumbai)
8 DIT Department Of Information Technology
9 CCTV Closed Circuit Television
10 CRAC Computer Room Air Conditioning
11 PDU Power Distribution Unit
12 ISMS Information Security Management System
13 NTL HR Human Resource Department of NIIT Technologies ltd.
