P.O.

Box 1047 Addis Ababa Ethiopia

tel.: +251 (0) 115 5157 00
www.ethiotelecom.et

Data Centre Access Management Policy

Policy Owner: Power and Environment Division

Approved by: CEO

Version: 2

Issued Date: April, 2021

Ref.: PED/DCAMP_02/2021
Document Review History

Version Name Title Date Modifications

V0.1 Claude Serre Apr 25, 2011 Reviewed

V 0.2 Eric Frachon May 22, Modification of Reference

2011 Document
V 0.3 Col. Gudeta Olana CPSO Jul 29, 2011 Dedicated areas for lawful
enforcement
V0.4 Eric Frachon Aug 22, Annexes 3, 4, 5 removal,
2011 List of sites, validation list,
miscellaneous
V0.5 Michel Levet Sept 01, Annex 2 : Ref to corporate
2011 procedure for on duty
Staff, miscellaneous
V1.1 Tilahun Ayehue Policy & Process 06/18/2019 Update the document as
Specialist per the new template, font
size and font type
V1.2 Micheal Tekei Policy & Process 08/10/2020 Revised the articles as per
Specialist the current ethio telecom
structure.
V1.3 Micheal Tekei Policy & Process 19/12/2020 Updated the document as
Specialist per the comment from
Power and Environment
and Information System
divisions
V1.4 Zewdu Gurmu Policy and 14/1/2021 Reviewed, discussed, and
Michael Tekei Process updated the content:
Management Merged the content,
Manager updated the articles, and
Policy & Process aligned the document as
Specialist per the template
V1.5 Garedew Derara Policy and 27/3/2021 Reviewed and provided
Process comments on document
Management structure, introduction,
Director objectives, and articles.
V1.6 Zewdu Gurmu Technical Policy 13/4/2021 Updated the document as
and Process per Policy and Process
Management Management Director
Manager Comments.

ii
Deputy Policy Owner Validation /Responsible(s)

Name Title & Entity Signature Date Version

Eric Frachon ET CIO Signed 01/09/2011 V1

Chief Infrastructure
Tariku Demissie V2
Officer-P&E

Customer Experience and Quality Management Division Validation

Name Title & Entity Signature Date Version

Garedew Policy and Process Management V2

Derara
Director

Solomon A/Chief Customer Experience and V2

Abera Quality Management Officer

Domain Policy Owner Validation (Accountable)

Signature
Name Title & Entity Date Version

Jean-Michel Latute ET CEO Signed 01/09/2011 V1

Frehiwot Tamru CEO

V2

iii
 Table of Contents

ACRONYMS ..................................................................................................................................................... 1

1 INTRODUCTION ..................................................................................................................................... 2

2 DEFINITION ............................................................................................................................................ 2

3 OBJECTIVE ............................................................................................................................................. 3

4 SCOPE .................................................................................................................................................... 3

5 POLICY STATEMENT ............................................................................................................................. 3

6 POLICY ELEMENTS ............................................................................................................................... 5

6.1. EMPLOYEE ACCESS ................................................................................................................................. 5

6.2. VENDOR ACCESS .................................................................................................................................... 6
6.3. VISITOR ACCESS ..................................................................................................................................... 6
6.4. DATA CENTER ACCESS ............................................................................................................................ 7
6.5. MONITORING AND AUDIT .......................................................................................................................... 7
6.6. PHYSICAL AND ENVIRONMENT CONTROL................................................................................................... 8
6.7. CAGE/CABINET AND CABLING REQUIREMENTS .......................................................................................... 9
6.8. SITE PERIMETER .................................................................................................................................... 11
6.9. SURVEILLANCE ...................................................................................................................................... 12
6.10. ACCESS POINTS .................................................................................................................................. 12
6.11. CLEANING ........................................................................................................................................... 12
6.11. DATA CENTRE EQUIPMENT DELIVERIES/PICK-UP .................................................................................. 13

7 REPEALS AND NON-APPLICABILITY ................................................................................................. 14

8 AMENDMENT OF THE POLICY ........................................................................................................... 14

9 EFFECTIVE DATE ................................................................................................................................ 14

iv
Acronyms

Acronym Definition
CEO Chief Executive Office
CIO Chief Information Officer
P&E Power and Environment
CxQM Customer Experience and Quality Management
CCTV Close Circuit Television

1
1 Introduction
Data Center is extremely important to the ongoing operations of companies. Ethio telecom
maintains data centers at various places. This policy document is meant to provide
guidance for users and visitors to any of these Data Centers. It is meant not only to ensure
the safety and security of the users/visitors but also to protect and secure the company’s
IT and other assets located within each of these data canters to ensure the security and
reliability of systems residing in the Data Center.

The articles described in this policy document have been developed to maintain a secure
data center environment and must be followed by people working in the Data Center. It is
important that any department contemplating the installation of their servers in the Data
Center fully understand and agree to these Policy.Access Controls are designed to protect
member of the organization and the organization’s reputation through the preservation of

2 Definition

A. Data Centre Employee: Ethio telecom employees who work at the Data Centre.
B. Authorized Staff: Ethio employees who are authorized to gain access to the Data
Centre but who do not work at the Data Centre.
C. Authorized Vendor: All non ethio employees who, through contractual
arrangement and appropriate approvals, have access to the Data Centre
D. Visitors: All other personnel who may occasionally visit the Data Centre but are
not authorized to be in the Data Centre without escort.
E. Escort: is closely following and monitoring to people with infrequent access.
F. Escorted Access: is closely monitored access given to people who have a
legitimate business need for infrequent access to the Data Centre.
G. Unescorted Access: is granted to a person who does not qualify for Controlling
Access but has a legitimate business reason for unsupervised access to the Data
Centre.
H. Fire alarm: is a sensor that notifies when fire is initiate,
I. Confidentiality – knowing that access card data and information can be
accessed only by those authorized to do so.

2
 J. Integrity - knowing that access card data and information is accurate and up-to-
date and has not been deliberately or inadvertently modified from a previously
approved version, and
K. Availability – knowing that the access card data and information can always be
accessed.

3 Objective

The objective of this policy is:

• To have secured data center environment.
• To have cleaned data center environment.
• To regulate unauthorized movement in a secure facility to minimize exposure to
data breach risks and activities that causes various systems related outages.
• To facilitate compliance with best practices/standards which require to
implement IT controls and demonstrate the controls are working.
• To protect institutional Data and the Data Center from unauthorized use or a
malicious attack

4 Scope

The policy applies:

• By all employees and concerned external actors.
• To all Data Centers.
• To all ethio telecom Data Center infrastructure, solutions, services, and
products.

5 Policy Statement

5.1 All visitors and employees to the Data Center should wear appropriate
footwear and attire.
5.2 The Data Center shall be physically secured by a card-reader door lock and
monitored 24 hours a day/ 7 days a week by physical security personnel.
5.3 Recorded video surveillance shall be conducted through the security
cameras placed within and outside of the Data Center. Card-reader access

3
 shall be available to the Data Center on 24 hours a day/7 day a week basis
for authorized employees.
5.4 Unless otherwise expressly permitted by Data Centre in writing by
authorized body, storage of combustible materials (e.g., wood, cardboard
and corrugated paper, plastic, or foam packing materials, flammable liquids,
or solvents) are prohibited within the Data Center.
5.5 All stakeholders are expected to be familiar with and adhere to all standards
associated with work in a computer room environment upon activation of a
smoke detector or emergency alarm, they must be prepared to evacuate the
building and to receive further instructions from the Data Centre staff.
5.6 Sharing Data Centre Proprietary information, without the express written
permission of Data Centre with authorized body, is strictly prohibited.
5.7 All hand-carry containers, boxes, bags, laptops, purses, backpacks, or
equipment carried into or out of the Data Center are subject to inspection by
physical Security.
5.8 All actors must cooperate and obey all reasonable requests of Data Center
personnel while within the Data Center, including immediately addressing
any violations of rules when brought to Visitor’s attention.
5.9 All stakeholders shall conduct themselves in a courteous professional
manner while visiting or working in the Data Center.
5.10 Visitors may not tamper with, or in any manner adversely affect, security,
infrastructure monitoring, and/or safety systems within the Data Center.
5.11 Alcohol, controlled substances, firearms, and explosives are not permitted
on Data Centre property.
5.12 Smoking, drinking, and eating are strictly prohibited within the Data Center
raised floor space. Smoking is expressly prohibited in all Data Centre
buildings.
5.13 Persons under 18 years of age or requiring adult supervision are not
permitted within the Data Center without the express written permission of
Data Centre.
5.14 Cell phones can be used inside the Data Center. Two-way radios are not
permitted in the Data Center. Cell phones with camera capabilities may not
be used for picture or video capture.

4
 5.15 Skateboards, skates, scooters, bicycles, or other types of vehicles are
prohibited in the Data Center.
5.16 Data Centre does not accept Mail/Post on behalf of visitors at the Data
Center.
5.17 All personnel who access the Data Center must have proper authorization.
Individuals without proper authorization will be considered a Visitors to the
Data Center must adhere to the visitors’ policy.
5.18 Authorizations will be verified on a quarterly basis.
5.19 All personnel must always wear a valid Ethio telecom or vendor
identification badge.
5.20 All personnel must sign in when entering the Data Center to document the
time and purpose of their visit. They also must sign out when leaving.
5.21 Authorized staff will have access to the Data Center at any time.
5.22 Systems housed within the Data Center that contain data will be monitored
by Data Center employees through live video cameras.
5.23 There should be level of access to the data center.
5.24 There should be Power Protection and Backup within the data center.
5.25 A Regular Data Centre test Should be carried out every three months to test
the smooth operations of fire alarm, power - (UPS, Generator), and other
equipment.

6 Policy Elements

6.1. Employee Access

6.1.1 Employees shall be authorized for access based on job related needs. The
need for authorization will be reviewed & validated by Chief Physical
Security Officer.
6.1.2 Employees must always wear their identification badge.
6.1.3 Entry into the Data Center by ‘tailgating’ other employee is strictly forbidden.
6.1.4 Physical Security personnel must report all security or health and safety
incidents regarding the Data Center to Chief Physical Security Office
immediately.

5
 6.1.5 Two sets of physical keys exist to override the card-reader and open the
doors in the event of a failure. These sets of keys are stamped ‘Do Not
Duplicate’.
6.1.6 Physical Security personnel will accompany visitors in Data Center or at all
times.
6.1.7 Physical Security personnel is expected to challenge any unescorted
visitors within the Data Center.

6.2. Vendor Access

6.2.1 Vendors included in the Approved Vendor Access List shall be authorized
for access based on job related need. The Approved Vendor Access List is
maintained by Physical Security and will be reviewed quarterly.
6.2.2 Vendors must wear their identification badge at all times when onsite.
6.2.3 Vendors with approved access to the Data Center are required to identify
themselves to the Physical Security and sign in/out of the Data Center using
the Data Center Access Log.
6.2.4 Vendor entry into the Data Center by ‘tailgating’ others is strictly forbidden.
6.2.5 Vendors are expected to report all security or health and safety incidents
regarding the Data Center Physical Security personnel immediately.

6.3. Visitor Access

6.3.1 Casual visits or tours of the Data Center shall not be allowed. However,
approval of a tour or casual visit may be granted. Requests for a visit or tour
of these secured facilities should be directed to Chief Physical Security
Office.
6.3.2 Visitors are required to identify themselves to the Physical Security staffs
and sign in/out of the server room using the Site Access Log.
6.3.3 Visitors must be escorted at all times while onsite.
6.3.4 Visitors will be made aware of this policy. It is the responsibility of the staff
member accompanying the visitor to ensure the visitor’s conduct conforms
to this policy.

6
6.4. Data Center Access
6.4.1 To maintain a safe and secure environment, it is mandatory for all persons
working within and visiting the Data Center to adhere to the following rules:
6.4.2 Cameras are not permitted and taking photographs is strictly forbidden.
6.4.3 The use of mobile phones, pagers or other equipment that emit radio waves
within the server room is forbidden unless approved by Chief Physical
Security Office.
6.4.4 No food or drink is allowed within the Data Center.
6.4.5 No Hazardous materials are allowed within the Data Center.
6.4.6 No cleaning supplies are allowed within the Data Center without prior
approval.
6.4.7 No cutting, grinding, or whittling of any material (pipes, floor tiles, etc.) can
be performed inside the Data Center unless special arrangements have
been made.
6.4.8 Only authorized staff shall access the sub-floor or remove floor tile.
6.4.9 All packing material (cardboard, paper, plastic, wood, styrene, etc.) must be
removed from equipment in the staging area before being moved into the
Data Center.
6.4.10 Staff and visitors must wear identification badge at all times.
6.4.11 All persons are expected to report all security or health and safety incidents
regarding the Data Center to Physical Security staffs immediately.
6.4.12 No person shall connect any equipment, network, wireless devices, or
monitoring tools without permission or written authorization of Chief Physical
Security Office.

6.5. Monitoring and Audit

6.5.1 Data Center access shall be controlled and monitored by various sub-
systems (reader door lock system, video surveillance cameras, etc.) which
produce access records.
6.5.2 Access records will be monitored by the Data Center Department or VSS
Department.
6.5.3 Unauthorized access and access which is inconsistent with staff schedules
will be investigated and appropriate action will be taken.

7
 6.5.4 Access records produced by the reader door lock system will be maintained
and reviewed by Data Center Department or VSS Department.
6.5.5 Video records will be maintained and reviewed by Data Center Department
or VSS Department.
6.5.6 The Approved Vendor List and the Data Center Access List are maintained
and periodically reviewed by the physical security division.
6.5.7 Appropriate action will be taken for any breaches of this policy which may
include disciplinary action, including suspension or termination of
employment.
6.5.8 Any exception to the policy must be approved by the CEO in advance
6.5.9 Power and Environment division should manage and control the
implementation of the policy and notify all actors for any change.
6.5.10 Power and Environment divisions shall conduct annual review the data
center access management policy ones a year.
6.5.11 Power and Environment should receive any event of a security incidence
(breech) from Data Center and conduct the right investigation and decision.

6.6. Physical and Environment Control

6.6.1 Access to the data center and other areas of the facility are restricted to
those persons with authorization.
6.6.2 Security controls include 24 x 7 security officer presence, sign-in procedures
for all ingress and egress, managed key and access card plans, managed
access permissions and access request methods.
6.6.3 Closed-circuit television (CCTV) cameras must monitor all areas of the
facility including data center floor space, admin areas for safety.
6.6.4 All CCTV cameras are monitored, and images are retained. Violations noted
by camera will be addressed promptly by physical security division.
6.6.5 Data Centre attempts to provide off street parking, where feasible, with
adequate lighting.
6.6.6 Tampering with, or in any manner adversely affecting, security and/or safety
systems within the Data Center is strictly prohibited.
6.6.7 Exterior Data Center doors may not be propped open. These access doors
are monitored and alarmed.

8
 6.6.8 Physical Security Departments has the right to access any part of the Data
Center at any time for safety and security reasons.
6.6.9 Surrender their security badge, access cards, keys, Data Site owned tools
or phones prior to exiting the facility.
6.6.10 All doors to the Data Centre must always remain locked.
6.6.11 Individuals should not share, loan, or copy the access card.
6.6.12 The Data Centre Access Control Log must always be properly maintained
by Physical security division.
6.6.13 Physical Security Division shall periodically review and termination /
revocation of access.
6.6.14 Physical Security division should check the security guard criminal
background before recruitment.
6.6.15 Physical Security guard should be trained to follow and enforce physical
security policy strictly (for example ensuring that everyone in the facility is
wearing a badge) by physical security division.
6.6.16 Physical Security should monitor properly the sign-in procedures for all
ingress and egress, managed key and access card plans, managed access
permissions and access request methods.

6.7. Cage/Cabinet and Cabling Requirements

6.7.1 Cage and cabinet doors must always be secured when a visitor is not
physically present.
6.7.2 Materials must be placed in designated disposal receptacles.
6.7.3 Cage or cabinet shall, at all times, be clean, neat, and orderly.
6.7.4 Space shall not pose any danger or hazard to visitors or employees
(including subcontractors) that may be requested or required to enter the
cage to perform a service or to any other visitors of the Data Center.
6.7.5 Visitors must take all necessary precautions to ensure the physical security
of property contained within their location(s).
6.7.6 Refuse materials (which include, but are not limited to boxes, crates,
corrugated paper, plastic, foam packing materials, and any other materials
which are non-essential to the operation of visitors’ equipment) in the

9
 Customer Area from the Customer and Common Areas must be removed
within eight (8) hours.
6.7.7 The creation of “office space” within the Customer Area on the Data Center
Floor is prohibited.
6.7.8 All spare equipment shall be stored in a cabinet or must be kept in approved
plastic or metal containers. Containers must be sealed, stacked neatly, and
cannot impede ingress/egress or cooling.
6.7.9 “Un-racked”, operating equipment outside of cabinets or racks, is strictly
prohibited.
6.7.10 No combustible material, i.e., cardboard, foam, or paper may be stored in
Customer cabinet or cage.
6.7.11 The tops of the cabinets or ladder rack may not be used for physical
storage.
6.7.12 To ensure maximum ventilation Blanking Panels must be utilized on all open
rack spaces within and between racks at all time.
6.7.13 Unsecured cabling across aisles or on the floor is strictly prohibited. All
devices must be installed in racks or cabinets. Ladder racking must support
all cabling between rows.
6.7.14 Cable wrapping, wire management, zip ties must be used to organize
cabling in a rack or cabinet. Should Customer need assistance with cable
management, Customer may open a trouble ticket with Data Centre.
6.7.15 Cabling must not obstruct airflow/ventilation/AC (perforated tiles) or access
to power strips.
6.7.16 Data Centre reserves the right to decline implementation of a Change Order
if Data Centre determines the Customer cage, cabinet or cabling is not in
compliance.
6.7.17 Visitors in violation will be notified by Data Centre in writing and Customer
must remedy the situation immediately. SLAs do not apply until the cage,
cabinet or cabling complies with the requirements.
6.7.18 All devices and cabling must be clearly labelled in a unique naming fashion.
In order to reduce confusion, there should never be two devices or cables
with the same name. Data Centre recommends that Customer should not
use its name as a naming convention to protect Customer privacy and

10
 confidentiality. For additional security purposes, external I.P. addresses
should not be visible from outside of the customer’s space.
6.7.19 Customer may not climb onto cabinet and or scale cage walls. Customer
must request Data Center Staff assistance when needing to access cabinet
/ rack tops.
6.7.20 Customer may not make physical alternations or modifications to the space,
without prior written permission from Data Centre.
6.7.21 Cabinet doors may be removed while Customer is working within the cage
and must be replaced before Customer exits the Data Center.
6.7.22 If Customer cabinets are equipped with doors, the doors must be closed
when Customer is finished working on devices.
6.7.23 Should the locks or doors not function properly, Customer should contact
the onsite
6.7.24 Data Center Management staff for assistance. Do not pry, bend, or force the
doors open.
6.7.25 Customer shall be responsible for any repair charges associated with any
damage to doors caused by Customer.
6.7.26 Cage doors should be closed and locked to prevent unauthorized access.

6.8. Site Perimeter

6.8.1 There should be a fence around the facility at least 20 feet from the building
on all sides where possible.
6.8.2 There should be a guard kiosk at each perimeter access point. There should
be an automatic authentication method for data center employees.
6.8.3 The area surrounding the facility must be well lit and should be free of
obstructions that would block surveillance via CCTV cameras and patrols.
Where possible, parking spaces should be a minimum of 25 feet from the
building to minimize damage from car bombs.
6.8.4 There should not be a sign advertising that the building is in fact a data
center or what company owns it.

11
6.9. Surveillance

6.9.1 There should be CCTV cameras outside the building monitoring parking lots
and neighbouring property.
6.9.2 There should be guards patrolling the perimeter of the property. Vehicles
belonging to data center employees, contractors, guards, and cleaning crew
should have parking permits. Service engineers and visitor vehicles should
be parked in visitor parking areas. Vehicles not fitting either of these
classifications should be towed.

6.10. Access Points

6.10.1 Loading docks and all doors on the outside of the building should have
some automatic authentication method (such as a badge reader).
6.10.2 Each entrance should have a mantrap (except for the loading dock), a
security kiosk, physical barriers (concrete barricades), and CCTV cameras
to ensure each person entering the facility is identified.
6.10.3 Vendors and Cleaning Crew requiring badges to enter the building must be
required to produce picture ID in exchange for the badge allowing access.
6.10.4 A log of equipment being placed in and removed from the facility must be
kept at each guard desk listing what equipment was removed, when and by
whom.
6.10.5 Visitors must be escorted by the person whom they are always visiting.
6.10.6 Visitors must not be allowed access to a computer room without written
approval from data center management.
6.10.7 All stakeholders should ensure all passwords assigned to them are kept
confidential at all times and not shared with others including their co-
workers or third parties for the confidentiality of information stored.
6.10.8 All employees should report to their immediate supervisor or section
manager for any misuse and breaches of this policy

6.11. Cleaning

6.11.1 The data centers should be clean at all time and cleaning should be done by
professionals.
6.11.2 Cleaning crews should work in groups of at least two.
12
 6.11.3 Cleaning crew should be restricted to offices and the control rooms. If
cleaning staff must access a Computer Room for any reason, they must be
escorted.
6.11.4 All individuals in the Data Centre are expected to clean up after themselves.
6.11.5 Boxes and trash need to be disposed of properly.
6.11.6 Tools must be replaced to their rightful place.
6.11.7 Food and drink are not allowed in the Data Centre.

6.12. Data Centre Equipment Deliveries/Pick-Up

6.12.1 A log is maintained by Data Center Management that identifies and verifies
all equipment that is brought into or removed from the Data Centre.
6.12.2 Data Center Management will be responsible for logging all equipment that
is scheduled to arrive or be picked up from the Data Centre.
6.12.3 Any department that is planning to have equipment delivered to or picked up
from the Data Centre should contact Data Center Management /or Security
Guard on site will have two copies of delivery/pick-up form and provide
details to Data Center Management in advance of delivery/pick-up.
6.12.4 At least the following information should be fulfilled or logged to deliver or
pick-up the equipment from/to data centre.
For the delivery of equipment:
• Expected day of delivery
• P.O. number for the equipment (if known)
• Vendor name and description of the equipment
• Person to be contacted when the equipment arrives
For the pick-up of equipment:
• Expected day the equipment will be picked up
• Vendor name and the description and location of the equipment to be
picked up
• Name of person to be notified once equipment is picked up

13
7 Repeals and Non-applicability

Any provision in this policy that contravenes the laws, regulations or directives from
appropriate government organs shall be overridden. As such, the specific provision in
this manual shall be amended to be consistent with the national relevant laws,
regulations, or directives.

8 Amendment of the Policy

This Policy document will be reviewed at least in two years to ensure alignment of
organizational structure, business practices and proper management of spare parts.

9 Effective Date

This policy is effective starting from the validation of authorized body.

14