2

After reading a similar question on Reddit, I wanted to hear from the serverfault community on the practice of letting maintenance staff into server rooms without supervision.

There are obvious dangers such as:

  • Theft (both of physical servers and of data)
  • Breaking things (introducing water, tripping the power, etc.)

Do maintenance staff generally have access to server rooms?

4 Answers

7

I have never encountered a scenario where mission-critical server hardware was not under lock and key. Access should always be restricted to qualified IT personnel. If you are on the hook for whatever happens in that room, then you get very stingy with access very quickly.

Don't let your maintenance personnel in the server room. Sweep (don't vacuum) it and keep it clean yourself.

Joel E Salas
  • 5,612
7

Not to be a contrarian, and I'm not advocating that non-IT staff should have access to your server room, but I'd like to posit the following questions and points as an illustration of what I believe is wrong thinking related to IT infrastructure, server rooms and data centers:

  1. You're worried that someone may steal equipment or data. Is it not possible for them to steal equipment or data from any other location other than the server room? Do you have the same concerns regarding the maintenance staff in relation to their access to other areas of the building? Could they not steal data by simply sitting down at someone's workstation, laptop or terminal? Surely if they're savvy enough and skilled enough to steal data due to their having physical access to the server room then they're savvy enough and skilled enough to do it from any workstation, laptop or terminal anywhere in the building, no?

  2. Is the server room the only place that the maintenance staff can inadvertently or purposely/purposefully trip the power, or activate the fire suppression system, or flood the building or cause any one of a number of other "disasters"?

  3. Is it the fact that they're maintenance staff that stokes your concern about them being in the server room? That seems like a bit of intellectual bias to me. They're smart enough to push a broom or repair the HVAC system but not smart enough not to break something in the server room? They're trustworthy enough to empty the CEO's wastebasket but not trustworthy enough to have access to the server room?

  4. What's lacking in your controls that would give them the ability to steal equipment or data? What's lacking that would allow them to trip the power or introduce water?

I regularly work in a data center that is PCI-DSS compliant and SAS 70 Type II certified that allows their maintenance staff access to the data center "floor" to perform tasks related to their jobs as maintenance personnel. The maintenance staff is vetted the same as any other employee, visitor, customer or vendor.

Should they have access to the server room? Maybe not, but not for the reasons you postulated in your question.

joeqwerty
  • 111,849
3

I think you understand the risks. The answer is absolutely not. First of all, only trusted personnel should be in your server rooms with specific access. We also ensure every entry into the room is logged.

Just by keeping it simple by cleaning up after oneself, and ensuring that everyone is educated with this, the room will be neat and tidy.

With best practices put into place, you should not need to have janitorial crew go through your server room. Similar to cable management, if you do things right the first time you won't have to bother revisiting what you've done.

1

What counts as maintenance staff? The above answers seem to imply that only janitors would fall into this category but staff electricians, HVAC engineers, etc. are often part of the maintenance crew in lots of shops.

Lots of larger enterprise DCs I've had contact with have actually specifically excluded the majority of IT staff - to include senior systems and network engineers, etc. The idea is that a very specific set of DC facilities/operations people should be sufficient to physically operate the infrastructure without particular non-facilities domain experts being allowed into a space that they're often not qualified to be in anyhow.

It's actually only in the smaller facilities that I've seen sysadmins typically involved in standard rack-and-stack / cabling. Some network organizations keep their hands in longer, but even they end up splitting off day-to-day cabling (and even a lot of the layout/design) to dedicated facilities people. I've generally just chalked this up to the greater need for specialization.

BTW - Dedicated DC facilities orgs will often have their own specially trained cleaning staff. There -is- need to keep these areas clean over time, albeit through different means than standard office space.

rnxrx
  • 8,203