Data Centre Security. Presented by: M. Javed Wadood, Managing Director (MEA)

EPI history and global locations
- UK origin, 1987
- Singapore office, 1999
- 9 EPI offices worldwide
- Global partner network spanning 60+ countries, 130+ cities

EPI is a Data Centre Expert company
- Design evaluation and validation
- Audits and certification
- Professional training
EPI offers an extensive range of expert data centre services:
- We evaluate and validate data centre plans to make sure they are designed to meet the business requirements or industry standards.
- We audit and certify data centres against the standards in the industry.
- We design and write data centre training programs from our hands-on experience.

Bringing cyber security to the data centre
Some of our customers: they trust us, so can you!

Agenda
- The data centre
- Data centre standards addressing security
- Security set-up at the physical level
- Controls for securing the perimeter
- Controls for the facility
- Why security fails
- Process controls
- Monitor, review and improve
- Audit and control
- Training

What is a data centre?
According to Gartner, the data centre is the department in an enterprise that houses and maintains back-end information technology (IT) systems and data stores: its mainframes, servers and databases. The data centre is supported by a physical facility and a utility infrastructure such as power, cooling, water, physical network infrastructure, fire suppression systems, etc.

Data centre supporting areas
Common supporting areas:
- Network Operations Center (NOC)
- Security room
- UPS (Uninterruptible Power Supply) room
- Battery room
- Gen set (generator) area
- Staging area
- Holding area

Data centre standards
Standards and guidelines supporting data centres in implementing information security, with emphasis on physical security and access controls:
- ANSI/TIA-942: specifies the physical controls required, depending on the Rated/Rating level required
- DCOS 2016: specifies the operational controls required for certification; maturity level based

Perimeter controls
- Fence / wall / moat
- Visible intrusion detection systems
- Visible signs
- Guard house
- Boom barrier
- Security guards
- Security dogs

Perimeter control: CCTV cameras
CCTV (Closed-Circuit Television) cameras are installed to monitor the following:
- All entrances into and exits from the premises
- All entrances and exits of restricted facility areas
- Areas immediately surrounding the perimeter of the premises
- Perimeter fences and/or walls of the premises
- Areas between the perimeter fence and/or wall and the buildings within the premises
- Areas supporting the facility that may fall outside the perimeter

Facility controls
- Cages
- Mantraps
- CCTV cameras
- Door control:
  - Key lock
  - Electronic lock
  - Card reader
  - Security code
  - Biometrics
- Equipment control:
  - Computer racks
  - Power Distribution Unit (PDU)
  - Computer Room Air-Conditioner (CRAC)

Why security fails
Possible causes of security failures in data centres:
- Human error
- Lack of a process environment
- Lack of training
- Low awareness level
- Budget limitations

Process controls: security patrol
- Security guards need to be appropriately dressed.
- They should have tools / equipment in good working condition, to be inspected before going on patrol:
  - Radio (walkie-talkie): proper channel setting, charged battery
  - Torch light with full battery
  - Arms (where allowed and required)

Process controls: security patrol
The facility should be inspected on a periodic basis, covering the following:
- All entrances and exits from the perimeter
- Areas immediately surrounding the perimeter of the premises
- Perimeter fences and/or walls of the premises
- Any used and unused side entrances of buildings
- All restricted areas outside and inside the building
- Areas supporting the facility that may fall outside the perimeter (where applicable and feasible)
- Lifts / emergency paths

Process controls: security patrol
Patrol scheduling:
- Round the clock
- Different routes
- Different start times
- Focus more on the night patrol
- Use the call home / heartbeat principle
- Activate the response procedure upon detection of a security breach
- Follow pre-defined checklists

Process controls: security patrol
The checklist should include the door number, the location and the items to be inspected:
- Time stamp and signature at every checkpoint
- Electronic clocking devices
- Camera in working condition
- Verify with the security command room
- Physical testing of doors (door open test)
- Taking photographs of any suspicious matters
- Inspection of equipment such as the fire panel, water leak panel, cooling systems etc.
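The three patrol slides above describe scheduled checkpoints, electronic clocking with time stamps, and the call home / heartbeat principle. The following added example (not part of the presentation, and not an EPI tool) shows how a security command room can check one patrol run against its route: it flags checkpoints that were skipped, clocked out of order or clocked too late, and flags a guard whose last sign of life is older than the agreed heartbeat interval. The route, door numbers, times and guard id are constructed sample data.

```python
"""Patrol checkpoint monitor (constructed example).

A route is an ordered list of checkpoints, each with the longest gap allowed
since the previous checkpoint. Clockings are the records an electronic
clocking device produced. The monitor returns alert strings for anything that
needs a response, so the response procedure can be activated promptly.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Checkpoint:
    door: str            # door number as listed on the patrol checklist
    location: str
    max_gap: timedelta   # longest allowed time since the previous checkpoint


@dataclass(frozen=True)
class Clocking:
    guard: str
    door: str
    at: datetime


def check_patrol(route, clockings, start, heartbeat_interval, now):
    """Return alert strings for one patrol run (empty list if all is well)."""
    alerts = []
    first_at_door = {}
    for c in sorted(clockings, key=lambda c: c.at):
        first_at_door.setdefault(c.door, c.at)   # first clocking at each door counts
    prev_time = start
    for cp in route:
        clocked = first_at_door.get(cp.door)
        if clocked is None:
            alerts.append(f"MISSED checkpoint {cp.door} ({cp.location})")
            continue
        if clocked < prev_time:
            alerts.append(f"OUT OF ORDER: {cp.door} ({cp.location}) clocked before the previous checkpoint")
            continue
        if clocked - prev_time > cp.max_gap:
            late = clocked - prev_time - cp.max_gap
            alerts.append(f"LATE at {cp.door} ({cp.location}) by {int(late.total_seconds() // 60)} min")
        prev_time = clocked
    # Heartbeat: the last sign of life is the latest clocking, or the patrol start.
    last_seen = max((c.at for c in clockings), default=start)
    if now - last_seen > heartbeat_interval:
        silent = int((now - last_seen).total_seconds() // 60)
        alerts.append(f"HEARTBEAT LOST: no call home for {silent} min, activate response procedure")
    return alerts


# Constructed sample: a four-checkpoint night route and one guard's clockings.
SAMPLE_ROUTE = [
    Checkpoint("D-01", "Main gate", timedelta(minutes=10)),
    Checkpoint("D-02", "Generator yard", timedelta(minutes=15)),
    Checkpoint("D-03", "Loading bay", timedelta(minutes=10)),
    Checkpoint("D-04", "UPS room door", timedelta(minutes=10)),
]
SAMPLE_START = datetime(2024, 1, 1, 22, 0)
SAMPLE_CLOCKINGS = [
    Clocking("guard-7", "D-01", datetime(2024, 1, 1, 22, 8)),
    Clocking("guard-7", "D-02", datetime(2024, 1, 1, 22, 35)),   # 27 min after D-01
    Clocking("guard-7", "D-04", datetime(2024, 1, 1, 22, 44)),   # D-03 never clocked
]


def run_demo():
    """Evaluate the sample patrol as seen from the command room at 23:30."""
    return check_patrol(SAMPLE_ROUTE, SAMPLE_CLOCKINGS, SAMPLE_START,
                        timedelta(minutes=20), datetime(2024, 1, 1, 23, 30))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The sample run produces a late arrival at D-02, a missed D-03 and a lost heartbeat. Only the first clocking at each door is counted, so a guard cannot satisfy a later checkpoint by re-clocking the same door.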

Process controls: holding area
- Delivery and loading areas should be controlled and isolated from information processing facilities to avoid unauthorized access.
- The holding area should be designed like a buffer zone, allowing delivery staff to unload materials without gaining access to other areas of the building.
- During opening hours, the holding area should be manned, with a security guard overseeing all activities.
- The holding area is supervised on a 24x7 basis, with CCTV cameras installed covering all angles of the area.

Process controls: holding area
- The external door should be secured/closed while the internal door is open.
- Incoming items should be accounted for.
- Incoming items should be inspected for potential hazards before movement into the building.
- Incoming items should be inspected for eavesdropping devices.
- Incoming items should be registered.
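The holding-area rules above are an interlock: the external and internal doors must never be open at the same time, and an item may only cross the internal door once it has been accounted for, inspected and registered. The added example below (constructed for this page, not the presentation's own material) models that buffer zone as a small state machine; the item reference, flag names and event wording are assumptions.

```python
"""Holding-area interlock (constructed example).

The buffer zone has an external (street-side) door and an internal
(building-side) door. Opening either is refused while the other is open, and
moving an item inside is refused until every check on the slide has been done.
"""
from dataclasses import dataclass


class InterlockViolation(Exception):
    """Raised when an action would break the buffer-zone rules."""


@dataclass
class Item:
    ref: str                      # delivery reference (constructed)
    accounted: bool = False       # matched against the expected delivery
    hazard_checked: bool = False  # inspected for potential hazards
    sweep_done: bool = False      # inspected for eavesdropping devices
    registered: bool = False      # entered in the incoming-items register

    def missing_checks(self):
        checks = (("accounted", self.accounted), ("hazard", self.hazard_checked),
                  ("sweep", self.sweep_done), ("registered", self.registered))
        return [name for name, done in checks if not done]


class HoldingArea:
    def __init__(self):
        self.external_open = False
        self.internal_open = False
        self.events = []          # audit trail of door and item movements

    def open_external(self):
        if self.internal_open:
            raise InterlockViolation("external door blocked: internal door is open")
        self.external_open = True
        self.events.append("external opened")

    def close_external(self):
        self.external_open = False
        self.events.append("external closed")

    def open_internal(self):
        if self.external_open:
            raise InterlockViolation("internal door blocked: external door not secured")
        self.internal_open = True
        self.events.append("internal opened")

    def close_internal(self):
        self.internal_open = False
        self.events.append("internal closed")

    def move_inside(self, item):
        if not self.internal_open:
            raise InterlockViolation("internal door is closed")
        missing = item.missing_checks()
        if missing:
            raise InterlockViolation(f"item {item.ref} not cleared: missing {', '.join(missing)}")
        self.events.append(f"item {item.ref} moved inside")


def run_delivery():
    """Walk one constructed delivery through the area; return (events, violations)."""
    area, violations = HoldingArea(), []
    area.open_external()                       # courier unloads into the buffer zone
    try:
        area.open_internal()                   # refused: external door still open
    except InterlockViolation as e:
        violations.append(str(e))
    area.close_external()
    area.open_internal()
    pkg = Item("PKG-001", accounted=True, hazard_checked=True)
    try:
        area.move_inside(pkg)                  # refused: sweep and registration outstanding
    except InterlockViolation as e:
        violations.append(str(e))
    pkg.sweep_done = pkg.registered = True
    area.move_inside(pkg)
    area.close_internal()
    return area.events, violations


if __name__ == "__main__":
    events, violations = run_delivery()
    print("\n".join(events))
    print("\n".join(violations))
```

In a real installation the two door checks would sit in the access-control controller rather than in software the delivery staff can reach, but the decision logic is the same: the state of one door gates the other.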

Process controls: vehicle control
All vehicles allowed inside the perimeter need to be pre-registered, depending on the individual:
- Staff
- Vendor / contractor
- Public transport / visitors / customers
Vehicle registration should include, at a minimum:
- Owner and driver name
- Type of vehicle
- Make and model
- Color
- Registration / license plate
- Any special marks

Process controls: vehicle control
- Security personnel need to verify the registered details before allowing entry inside the perimeter.
- All compartments of the vehicle must be opened.
- Scan under the vehicle.
- For highly secure facilities, additional equipment might be utilized, such as explosive sniffers, metal detectors etc.

Process controls: individual control
Physical access control is based on two principles:
- Personnel categories
- Security zones
Personnel categories:
- Internal staff
- External staff (same organization)
- Vendors / contractors
- Visitors
- Customers

Process controls: individual control
To control physical security in the data centre, different security zones may exist:
- Common (public) facility: areas/rooms used by all personnel and not subject to any internal security restrictions
- Restricted areas: areas/rooms housing key equipment such as UPS systems, air conditioners and batteries
- Highly secure area: areas such as the computer room and the media storage room

Process controls: individual control
- All individuals should be authenticated / authorized on accessing the perimeter.
- All non-staff individuals should sign in and present a valid identification document.
- Security personnel perform a countercheck.
- Incoming items are inspected, if applicable.
- If clearance is given, a badge should be assigned (if applicable) based on the category of the visitor.
- Visitors are escorted to a designated supervised waiting area, to be collected by internal staff.

Process controls: individual control
- Internal staff verify that the visitor has a badge and wears it visibly.
- Contractors on site for a predetermined period of time are restricted to only the areas/rooms designated for accomplishing their authorized tasks.
- External staff working in restricted areas should be physically supervised.
- Incoming/outgoing items are inspected.
- A log is maintained for all restricted areas.
- A key management system is maintained for all restricted facility areas.
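The four individual-control slides combine into one decision: given a person's category, the zone of the room, whether a badge is worn visibly, whether internal staff are supervising, and (for contractors) the designated rooms and the end of the predetermined period, is entry allowed, and is it logged? The added example below (constructed for this page, not EPI's policy) encodes those rules as a policy table plus the checks the slides list. The concrete category-to-zone outcomes in the table, the room names and the people are assumptions chosen to exercise every rule.

```python
"""Zone-based physical access decision (constructed example).

POLICY maps (personnel category, security zone) to "allow", "escort" (entry
only under physical supervision by internal staff) or "deny". decide() applies
the badge, contractor and supervision rules on top of the table and writes an
entry to the restricted-area log for every non-common room.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

COMMON, RESTRICTED, HIGHLY_SECURE = "common", "restricted", "highly secure"
INTERNAL, EXTERNAL, CONTRACTOR, VISITOR, CUSTOMER = (
    "internal staff", "external staff", "contractor", "visitor", "customer")

# Assumed outcomes per category and zone; a real site sets these per its risk appetite.
POLICY = {
    INTERNAL:   {COMMON: "allow",  RESTRICTED: "allow",  HIGHLY_SECURE: "allow"},
    EXTERNAL:   {COMMON: "allow",  RESTRICTED: "escort", HIGHLY_SECURE: "escort"},
    CONTRACTOR: {COMMON: "allow",  RESTRICTED: "escort", HIGHLY_SECURE: "escort"},
    VISITOR:    {COMMON: "escort", RESTRICTED: "deny",   HIGHLY_SECURE: "deny"},
    CUSTOMER:   {COMMON: "escort", RESTRICTED: "escort", HIGHLY_SECURE: "deny"},
}


@dataclass
class Person:
    name: str
    category: str
    badge_visible: bool = False
    escorted: bool = False                      # physically supervised by internal staff
    designated_rooms: frozenset = frozenset()   # contractors: rooms for the authorised task
    valid_until: Optional[datetime] = None      # contractors: end of the predetermined period


@dataclass
class Room:
    name: str
    zone: str


@dataclass
class RestrictedAreaLog:
    entries: list = field(default_factory=list)

    def record(self, when, person, room, decision, reason):
        self.entries.append((when.isoformat(timespec="minutes"), person.name,
                             room.name, decision, reason))


def decide(person, room, when, log):
    """Return (decision, reason); log it when the room is not in the common zone."""
    required = POLICY[person.category][room.zone]
    if person.category != INTERNAL and not person.badge_visible:
        decision, reason = "deny", "badge not worn visibly"
    elif person.category == CONTRACTOR and (person.valid_until is None or when > person.valid_until):
        decision, reason = "deny", "contractor period expired"
    elif person.category == CONTRACTOR and room.zone != COMMON and room.name not in person.designated_rooms:
        decision, reason = "deny", "room not designated for the contractor's task"
    elif required == "deny":
        decision, reason = "deny", f"{person.category} not permitted in {room.zone} zone"
    elif required == "escort" and not person.escorted:
        decision, reason = "deny", "physical supervision by internal staff required"
    else:
        decision, reason = "allow", ("unrestricted" if required == "allow" else "escorted")
    if room.zone != COMMON:
        log.record(when, person, room, decision, reason)
    return decision, reason


# Constructed rooms, people and access requests.
LOBBY, UPS_ROOM, COMPUTER_ROOM = Room("lobby", COMMON), Room("UPS room", RESTRICTED), Room("computer room", HIGHLY_SECURE)
T = datetime(2024, 3, 15, 10, 0)


def run_demo():
    log = RestrictedAreaLog()
    alice = Person("alice", INTERNAL)
    bob = Person("bob", VISITOR, badge_visible=True, escorted=True)
    carol = Person("carol", CONTRACTOR, badge_visible=True, escorted=True,
                   designated_rooms=frozenset({"UPS room"}), valid_until=datetime(2024, 3, 31))
    dave = Person("dave", EXTERNAL)                       # badge not worn
    erin = Person("erin", EXTERNAL, badge_visible=True)   # nobody supervising
    requests = [(alice, COMPUTER_ROOM, T), (bob, LOBBY, T), (bob, UPS_ROOM, T),
                (carol, UPS_ROOM, T), (carol, COMPUTER_ROOM, T),
                (carol, UPS_ROOM, datetime(2024, 4, 2, 9, 0)),
                (dave, UPS_ROOM, T), (erin, UPS_ROOM, T)]
    decisions = [(p.name, r.name, *decide(p, r, when, log)) for p, r, when in requests]
    return decisions, log.entries


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

The ordering of the checks matters: the badge and contractor-period rules run before the zone table so that a denial names the first rule the person failed, which is what the guard at the door needs to say.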

Process controls: general rules
It is recommended to impose restrictions for secure areas:
- Prohibition of smoking
- Prohibition of foods and drinks
- Conditions for the use of devices generating radio frequency, such as wireless devices and mobile phones, near sensitive equipment / copper network cabling
- Conditions for the use of storage and photo-taking devices, such as cameras (including mobile phones), PDAs (Personal Digital Assistants), USB drives and other similar devices

Monitor, review and improve
- Security policies and measures need continuous monitoring, review and improvement.
- Security incidents need to be reviewed, and immediate action needs to be taken to ensure that no similar incidents occur in the future.
- At least once a year a full review is required.

Monitor, review and improve
A security incident response process should exist to address security breaches and potential weaknesses:
- Detection of security incidents
- Reporting and logging of security incidents
- Logging the response and the corrective/preventive action taken
- Periodic evaluation of all information security incidents
- Improvements to further reinforce the security infrastructure

Monitor, review and improve
Information that can be recorded during security incident response:
- Date and time of event
- By whom reported
- Location where the incident occurred
- Sensitivity level
- Affected areas
- Detailed description of the event
- Corrective action taken
- Details of loss, damage or destruction
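The three monitor-review-improve slides ask for incidents to be logged with the fields above, for corrective action to be taken so that similar incidents do not recur, and for all incidents to be evaluated periodically. The added example below (constructed for this page, not an EPI artefact) shows the periodic evaluation step: it records incidents with exactly those fields, flags any location where the same kind of incident recurred after a corrective action had been logged (the sign that the action did not work), and lists incidents still without a corrective action, highest sensitivity first. The incident records, sensitivity labels and the category field are constructed assumptions.

```python
"""Periodic evaluation of incident records (constructed example).

Incident carries the fields listed on the slide plus a normalised `category`
so that "similar" incidents compare equal regardless of the free-text
description.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Incident:
    when: datetime
    reported_by: str
    location: str
    sensitivity: str        # assumed scale: low / medium / high
    affected_areas: tuple
    description: str
    category: str           # normalised incident type used for comparison
    corrective_action: str  # empty string while no action has been recorded
    loss: str               # details of loss, damage or destruction


def recurrences_after_action(incidents):
    """Map (location, category) -> times at which the incident recurred after
    a corrective action had already been recorded for an earlier occurrence."""
    groups = defaultdict(list)
    for inc in sorted(incidents, key=lambda i: i.when):
        groups[(inc.location, inc.category)].append(inc)
    flagged = {}
    for key, seq in groups.items():
        repeats = [later.when for earlier, later in zip(seq, seq[1:]) if earlier.corrective_action]
        if repeats:
            flagged[key] = repeats
    return flagged


def open_items(incidents):
    """Incidents with no corrective action yet, most sensitive (then oldest) first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    pending = (i for i in incidents if not i.corrective_action)
    return sorted(pending, key=lambda i: (rank.get(i.sensitivity, 3), i.when))


def by_sensitivity(incidents):
    return dict(Counter(i.sensitivity for i in incidents))


# Constructed incident register for one quarter.
SAMPLE_INCIDENTS = [
    Incident(datetime(2024, 1, 5, 9, 40), "guard-3", "loading bay", "medium", ("holding area",),
             "Courier followed staff through internal door", "tailgating",
             "Guards re-briefed on door interlock", "none"),
    Incident(datetime(2024, 1, 20, 14, 5), "guard-1", "loading bay", "medium", ("holding area",),
             "Second tailgating through the holding area internal door", "tailgating", "", "none"),
    Incident(datetime(2024, 2, 2, 23, 15), "noc-shift", "UPS room", "high", ("UPS room", "battery room"),
             "Door propped open during battery replacement", "door held open",
             "Door-held-open alarm delay reduced", "none"),
    Incident(datetime(2024, 2, 10, 3, 30), "cctv-op", "perimeter", "high", ("north fence",),
             "Attempt to climb north fence seen on CCTV", "fence breach attempt",
             "Additional lighting installed", "fence damaged"),
]


def run_review():
    flagged = recurrences_after_action(SAMPLE_INCIDENTS)
    pending = [i.description for i in open_items(SAMPLE_INCIDENTS)]
    return flagged, pending, by_sensitivity(SAMPLE_INCIDENTS)


if __name__ == "__main__":
    flagged, pending, counts = run_review()
    print("recurred after corrective action:", flagged)
    print("no corrective action yet:", pending)
    print("incidents by sensitivity:", counts)
```

A recurrence after a logged corrective action is the evidence the annual review needs that the action was insufficient; an open item is work the process has not finished. Both outputs come straight from the fields the slide lists, which is why recording them consistently matters.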

Audit and control
Audit and review need to take place on a regular basis:
- Internal audits:
  - Readiness approach
  - Maintenance of the management system
- External audits:
  - Mandatory compliance with regulations and standards
  - Voluntary conformance with standards

ANSI/TIA-942 - DCOS
ANSI/TIA-942:
- Focus on design (validation) and build (certification)
- Covers all facility-related matters of the data centre:
  - Telecommunication
  - Electrical
  - Architectural
  - Mechanical (includes security, safety, fire suppression etc.)
DCOS (Data Centre Operations Standard):
- Focus on operations (certification)
- Progressive standard covering 11 disciplines (security management included)
- Maturity level based

Audit
Type of audit:
- Certification (1st year)
- Surveillance (2nd and 3rd year)
- Re-certification (4th year)
Potential audit results:
- Conform (ANSI/TIA-942) / Maturity level (DCOS)
- AOI (Area Of Improvement) (ANSI/TIA-942)
- CAT 2 (Category 2) (ANSI/TIA-942)
- CAT 1 (Category 1) (ANSI/TIA-942)

Training
Continuous training of staff is recommended to maintain the corporate information security baseline. EPI courses which, amongst other topics, address all layers of security:
- CDCP (Certified Data Centre Professional)
- CDCS (Certified Data Centre Specialist)
- CDFOM (Certified Data Centre Facilities Operations Manager)
- CITP (Certified Information Technology Professional)
- CITS (Certified Information Technology Specialist)
- CITE (Certified Information Technology Expert)

Questions?

M. Javed Wadood
javed@epi-ap.com
www.epi-ap.com