Architect of the Capitol has weak physical access controls at data center
The Architect of the Capitol IT team needs to ensure that it has complete oversight over who is accessing its data centers.
This is the advice and directive of a recently published audit by the inspector general of the AOC — the agency under Congress responsible for the maintenance, operation, development and preservation of the buildings and land that make up Capitol Hill. The publicly released report details the IG’s work assessing how the Information Technology Division (ITD) controls the “physical integrity” of a data center located at a redacted location.
The IG concludes that while ITD has good policies and practices in place to deal with things like environmental control and system backup, control over physical access to the data center was less clear.
For example, the IG found that of the 35 people who accessed the data center during the audit period, only 10 were approved by and assigned to ITD. The other 25, it turned out, were mechanics, U.S. Capitol Police officers and others. The IG found “no identified concerns” about these people.
Still, the IG argues, ITD should know who these additional people are, as it has formal responsibility for the data center. “The ITD should have a process in place for proper authorization and/or coordination with [the Capitol Police] and other AOC jurisdictions to control physical access to the Data Center,” the report states.
“Without proper physical access controls… ITD’s sensitive network computer equipment and technology may be at risk for unauthorized access, theft, or tampering.”
In response to the suggestions made by the IG, the Architect of the Capitol has implemented new coordination procedures for non-ITD staff who may need to access the data center facility. These procedures were implemented last month and, as a result, the IG considers both of its recommendations “closed.”