Server Room access - tenants 2285

  • One of our sister companies rents a floor within our building. They also have kit in the comms room and we give access to their IT guys.
    Who should be signing off access to the comms, us or them? I have sent them a request for access for them to fill out. When I chased them for the document I was told that their CIO has signed it off for their SOX compliance and so we have to give them access on this basis.
    My question is: if they are tenants, do they have the right to allow access to the comms room to whoever they want?

  • Hi - Yes, good physical access controls are always needed. There should be at least a signature log maintained for guests, visitors, or even employees (esp. those who don’t normally visit the comm room). You might also look at card reader access as an even better control.
    I see this as being more applicable under General IT and security controls. As this is with an affiliated company, I’m also not certain how this might tie into SOX. You might contact the SOX external auditors on whether you need to establish any special controls for SOX and their recommendations on the best way of controlling it.

  • If they pay for the facility (computer room) then they decide/approve and you implement. You are a provider here.
    However, if it's your facility, they request and you grant access. Who can have access to facilities housing your in-scope server/devices/equipment is your responsibility to decide and enforce. It can be approved by their CIO internally but final approval will come from your side.

