M9, Physical Security of UBC Data Centres

Information Security Standard

1. Introduction

  • 1.1 Effective security measures require physical security controls. While electronic controls alone are important, they may become useless if the device is physically accessed or removed by an unauthorized party.
  • 1.2 This document defines standards for the physical security of UBC Data Centres. These data centres are intended to provide a secure location for operations, controlled access to equipment and data, protection against environmental threats and support for the availability requirements of UBC Electronic Information and Systems. University IT Support Staff are responsible for ensuring that the requirements of this document are complied with.
  • 1.3 The University has a responsibility to protect High and Very High Risk Information from unauthorized viewing and use. In particular, the BC Freedom of Information and Protection of Privacy Act (FIPPA)[1] and Policy GA4, Records Management[2] require public bodies to implement reasonable and appropriate security arrangements for the protection of Personal Information (in both electronic and paper format). Therefore, Servers containing significant quantities of High or Very High Risk Information must be hosted in UBC Data Centres or in third-party Servers that have an equivalent level of security to this standard. Where appropriate, Low and Medium Risk Information may also be hosted in UBC Data Centres.
  • 1.4 The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

2. Physical Security Controls

  • 2.1 The table below outlines the minimum set of physical security controls required for UBC Data Centres, based upon the risk classification (see the Security Classification of UBC Electronic Information and Services standard).

    § | Control Area | Very High Risk | High Risk | Medium Risk | Low Risk
    2.1.1 Rooms

    Data centre must be located in a fully enclosed room. Walls must meet the following criteria:

    • Must extend from floor to ceiling slab.
    • Should preferably be constructed from a solid, resistant material such as concrete or brick. If they are not solid (e.g. drywall), then they must be reinforced with wire mesh.
    Equipment can be located in open areas if other protective measures are in place, e.g. locked cages.
    2.1.2 Doors and Locks
    • Data centre doors must be locked when room is not in use.
    • Good practice is to install automatic closing mechanisms.
    • Security grade door fastening hardware must be used in conjunction with a metal door and frame.
    • Acceptable locking mechanisms include electronic proximity access cards/fobs, keypad type entry locks, and biometric locks.
    Data centre doors must be locked when room is not in use. Either electronic or mechanical locks are acceptable.
    2.1.3 Glazing
    All exterior glass in doors and accessible windows must be reinforced. Consider installing high-grade security film (minimum standard should be Profilon AXA1-15Mil or equivalent) to resist forced entry.
    Windows must be able to securely lock from the inside.
    2.1.4 Visibility of Equipment
    Window coverings (blinds/shades) or reflective/tinted film should be installed on glazed windows or doors in order to reduce direct sightlines to valuables inside the facility.
    2.1.5 Cabling
    Power and network cabling carrying data or supporting information services should be protected from interception or damage outside of the data centre.
    2.1.6 Managing Access
    • The public must not have direct access to the data centre perimeter. An outer security perimeter should be established with access controls sufficient to prevent direct public access.
    • Use signage to clearly delineate publicly accessible space from Authorized Personnel-Only areas. Signage should not indicate the presence of UBC Electronic Systems.
    • Individual(s) must be assigned the authority to grant access to the data centre and someone must be appointed to formally manage the physical access process including revocation of access (fob/card, keypad access).
    • Individuals who are not authorized to access the data centre must be escorted at all times by an authorized individual.
    • Access must be logged electronically or in a logbook in the case of keypad entry doors that do not uniquely identify an individual.
    2.1.7 Alarms and Remote Monitoring
    Alarms (monitored 24/7) must be installed that trigger on unauthorized access.
    Good practice is to install and monitor an alarm system to detect intruders.
    CCTV has been debated as an effective deterrent to crime, but if employed with adequate resolution and proper camera placement, its forensic effectiveness is undisputed. All CCTV installations must be approved by the Access and Privacy Manager.
    2.1.8 Power Supply
    • Redundant power should be supplied to the data centre where possible.
    • Servers should all be connected through a UPS in order to remain running in the event of short power outages.
    n/a
    2.1.9 Environmental Controls
    • Sufficient Heating, Ventilation and Air Conditioning (HVAC) systems must be in place to effectively maintain all UBC Electronic systems within the manufacturers' required temperature and humidity operating ranges.
    • Measures must be in place to monitor and detect variation in temperature and humidity.
    • Where possible, water and drainage plumbing should not run across the ceiling of a data centre.
    • The floor of the data centre should be raised above the subfloor to reduce the risk of flood damage.
    Comply with Building Code requirements.
    2.1.10 Fire Protection
    Fire detection and suppression devices, such as fire extinguishers and pre-action or dry pipe sprinkler systems, must be in place.
    Comply with Building Code requirements.
    2.1.11 Data Backups
    If information is backed up onto electronic media, the same physical security requirements are to be applied to that media unless the information is encrypted (see the Encryption Requirements standard).

Related Documents and Resources

BC Freedom of Information and Protection of Privacy Act (FIPPA)

Policy GA4, Records Management

Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems

Security Classification of UBC Electronic Information and Services standard

Encryption Requirements standard

Standard Last Revised: 2021-01


[1] FIPPA, section 30

[2] Policy GA4, section 2.4

Page last updated on January 26, 2026

