Teddy M. Danguilan
Computer systems require uninterrupted, clean power to operate. Data centers
typically employ several different types of controls to maintain clean power. These
controls include:
1. Redundant power feeds that provide power from one power station.
When the power supplied by one feed is lost, the other often will remain live. As a
result, redundant power feeds can be used to maintain utility power continuity.
How
This control is not always present, but it is worth exploring with the data center facility
manager during interviews.
2. Ground to earth to carry excess power away from systems during electrical
faults.
Ungrounded electrical power can cause computer equipment damage, fire, injury, or
death. These perils affect information systems, personnel, and the facility itself. Today,
buildings that do not have grounded electrical outlets most likely will be in violation of
building code.
How
Unlike redundant power feeds, the ground-to-earth control always should be present.
Ground to earth is a basic feature of all electrical installations.
It consists of a green wire that connects all electrical outlets to a rod that is sunk into
the ground. When short circuits or electrical faults occur, excess voltage is passed
through the ground wire safely into the ground rather than short-circuiting electrical
equipment. This control should be present in any facility less than 30 years old or so,
but it is definitely worth verifying.
Older buildings that have not had electrical systems upgraded may not have an
electrical ground, however. This information can be obtained by interviewing the data
center facility manager or through observation.
3. Power conditioning system to convert potentially dirty power to clean power.
Clean power can be represented as a wave pattern with symmetric peaks and
valleys.
Dirty power often results from electrical noise generated by normal operation
of electrical equipment.
A spike is a sudden, extreme increase in the voltage supplied to equipment.
A sag is a short-term decrease in voltage levels that starves the machine of
power.
Power spikes and sags damage computer systems and destroy information. Power
conditioning systems mitigate this risk by buffering the spikes and sags.
How
Power conditioning systems smooth out the wave pattern to make it symmetric.
Through interviews and observation, the auditor should verify that power is being
conditioned by either a power conditioning system or a battery backup system.
4. Battery backup systems that provide immediate power, typically for short periods
of time.
Power failures can cause data loss through abrupt system shutdowns. UPS battery
systems mitigate this risk by providing 20 to 30 minutes of power as well as power
conditioning during normal utility power conditions.
How
The auditor should interview the data center facility manager and observe UPS battery
backup systems to verify that the data center UPS system is protecting all critical
computer systems and affords adequate run times.
5. Generators protect against prolonged power loss.
GENERATORS
Generators allow the data center to generate its own power in the event of a prolonged loss of
utility power.
Common types of generators
1. Diesel generators
- Most common, but have a finite amount of fuel stored in their tanks.
- Diesel fuel is also a biohazard.
- If it is spilled, there could be significant cleanup expenses.
- Also, if the generator is in close proximity to the data center, there is a danger of a spill
that reaches into the data center itself, which would be disastrous. These risks can be
mitigated through fuel service contracts and spill barriers, however.
2. Natural gas generators
- Run cleaner and theoretically have an infinite supply of fuel as long as the gas lines are
intact.
- There is no danger of spills, but there is an increased danger of fire.
- Natural gas generators are employed rarely, however, because of the expense.
- Propane generators are also expensive but have a limited supply of fuel. Again, this can be mitigated with
service contracts.
How
All types of generators require frequent maintenance and testing. As a result, the
auditor should review both maintenance and test logs during a data center audit.
Additionally, auditors should obtain the sustained and peak power loads from the
facility manager and compare them with current power generation capacity.
ALARM SYSTEM
Jenelyn Catalan
Wishel Dangarang
A. Definition:
An alarm system is any device or system that transmits a signal indicating a hazard or occurrence requiring an
emergency response.
It includes any alarm-initiating device or assembly of equipment that automatically detects heat, smoke or other products
of combustion, or the need for other public safety or emergency response.
B. Advantages.
1. Protects valuables
2. Deters crime
3. For peace of mind --> the confidence of feeling safe with the knowledge that the
alarm will help you in the event that someone breaks into your property.
4. Notifies you of problems
5. Lowers insurance premiums
Data centers normally have several different alarm systems that are designed to
monitor for unauthorized access to the facility, fire, water, and excessively high or low
humidity. These alarm systems typically feed into a console located in the data center
operations center.
14. Ensure that a burglar alarm is protecting the data center from physical
intrusion.
A burglar alarm failure would allow a physical intrusion to go undetected.
Burglar alarms mitigate this risk.
A burglar alarm is an electronic device that triggers a loud noise or other alert when someone attempts
to make unauthorized entry. How does it work? The operation of a burglar alarm is the
same as that of an electric circuit. To understand burglar alarms, one has to
compare them to a simple electric circuit or appliance. For example, one has to operate
a switch to turn the lights or any other appliance on or off. This principle works in the same
way with burglar alarms. The only difference is that the movements of an intruder are
what operate the switch. If an intruder breaks into a house through a door or window,
his movements will be detected by a switch, which will trigger the burglar alarm.
How:
Burglar alarms are designed to detect physical intrusions. They do this
through a series of sensors that are placed in strategic locations such as
doors and hallways. Burglar alarm systems employ the following common
types of sensors:
Motion sensors that typically detect infrared motion
Contact sensors that are placed on windows and doors to detect when they are opened
Audio sensors to detect breaking glass or changes in normal ambient noise
When auditing a data center, the auditor should review sensor placement, verify that
critical areas of the data center are covered adequately, and review maintenance logs
to ensure that the system has been maintained and tested properly.
The following are the features of burglar alarms:
Video monitoring --> this feature will allow you to view live feeds of what's happening.
You can record activity, too. In the case that a crime is committed, the footage captured
by your video surveillance will help nab the culprit.
Motion sensor --> when no one is supposed to be moving, this feature will help
detect anything out of place.
Sensors on doors and windows --> you shut your doors and windows for the night, and
you don't plan on opening them until the morning. In order to prevent a would-be
burglar from sneaking in unnoticed, these sensors will be set near any access point
and will trigger an alarm or a beep when it is opened.
Sirens --> a loud enough siren can disorient a would-be burglar and send them packing.
They might even panic long enough for police to arrive and bring them to justice.
Intercom --> with an intercom system in place, you can communicate with other
members, even in dangerous situations.
Connectivity --> when the alarm is tripped, someone who is monitoring alerts will
attempt to contact you. If you don't answer or you can't provide the proper code word
to turn off the system, the police will be on their way.
Fire and carbon monoxide detection --> it will protect you from other unwanted
dangers.
15. Verify that a fire alarm is protecting the data center from the risk of fire.
Because of all the electrical equipment, data centers are prone to fires. Fire alarms alert
data center personnel to a developing fire condition so that they can evacuate the
premises. A fire alarm failure would put human life at risk.
How:
Data centers should have fire alarms to detect electrical fires before they can threaten
human life. Data center fire alarm systems usually are multizone systems, which
reduces the risk of false alarms due to a single malfunctioning sensor or zone. In a
multizone system, sensors in two or more zones must detect the fire before an alarm
sounds. There are three types of sensors:
Heat sensors activate when temperature reaches a predetermined threshold or when
temperatures rise quickly.
Smoke sensors activate when they detect smoke.
Flame sensors activate when they sense the infrared energy or flickering of a flame.
Smoke actuated sensors and heat sensors are most common. When auditing a data
center, the auditor should review fire alarm sensor type, placement, maintenance
records, and testing procedures.
A fire alarm system is a combination of approved compatible devices with the
necessary electrical interconnection and energy to produce an alarm signal in the event
of a fire or emergency medical situation or both. When activated, it emits a sound or
transmits a signal to indicate that an emergency situation exists.
16. Ensure that a water alarm system is configured to detect water in high-risk areas of the data center.
Water and electronic equipment do not mix well. As a result, data centers normally
employ water sensors in strategic locations such as near water sources or under raised
floors. Water sensors detect the presence of water and are designed to alert data
center personnel prior to a major problem.
How:
When performing a data center audit, the auditor should identify potential water
sources such as drains, air-conditioning units, exterior doors, and water pipes to verify
that water sensors are placed in locations where they will mitigate the most risk. The
facility manager should be able to point out both water sources and sensors during a
tour of the facility. The auditor also should review maintenance records to ensure that
the alarm system is maintained periodically.
17. Ensure that a humidity alarm is configured to notify data center
personnel of either high or low-humidity conditions.
Humidity levels above 60 percent or below 40 percent can cause computer equipment
damage. High humidity can cause corrosion of computer components, and low humidity
can cause static electricity discharges that can short-circuit system boards. As a result,
data centers should be equipped with humidity alarm systems.
How
In a proper humidity alarm installation, humidity sensors are placed in all areas of the
data center where electronic equipment is present. When reviewing the humidity alarm
system, the auditor should ensure that sensors are placed in appropriate locations
either by reviewing architecture diagrams or by touring the facility. The auditor also
should review maintenance and testing documentation to verify that the system is in
good working order.
A water sensor is a device used to detect the water level in various
applications. Water sensors are of several types, including ultrasonic sensors,
bubblers, and float sensors.
Ultrasonic sensors operate by transmitting sound waves that reflect from the liquid
surface and are received by the sensor. The sensor measures the time interval between
the transmitted and received signals, which electronic circuits within the sensor then
convert into a distance measurement, thereby measuring the
level of the liquid.
Float sensors work based on the change in resistance of a potentiometer within the
sensor caused by the turning of a pulley or a spring-loaded shaft.
Bubbler sensors measure water level by detecting the pressure of air-filled tubes with
an open, submerged bottom end. The static pressure at the end of the tubes is higher
when the water level is high, and therefore more air pressure is required to fill the tube.
18. Review the alarm monitoring console(s) and alarm reports to verify that
alarms are monitored continually by data center personnel.
Alarm systems most often feed into a monitoring console that gives data center
personnel the opportunity to respond to an alarm condition before calling authorities,
evacuating the building, or shutting down equipment. The absence of a monitoring
console would introduce the risk of an alarm condition going unnoticed.
How
The data center should have an alarm-monitoring console, where alarm systems are
monitored by data center personnel. The auditor should review alarm reports and
observe the data center alarm-monitoring console to verify that burglar, fire, water,
humidity, and other alarm systems are monitored continually by data center personnel.
Occasionally, the burglar alarm is monitored by data center security staff. The main
objective here is to verify that alarms are being monitored.
FIRE - the light and heat and especially the flame produced by burning
SUPPRESS - to end or stop something
SYSTEM - a group of related parts that move or work together
Data centers are critical as the heart of many companies' information
infrastructures. No company can accept the failure of its networks and servers because
no business can afford downtime or the loss of irreplaceable data and market
presence. For some industries, even one or two hours of downtime can be devastating.
That's why it's important to provide your data center with the highest level of safety.
Because of the large amount of electrical equipment, fire is a major threat to
data centers. Therefore, data centers normally are equipped with sophisticated
fire-suppression systems and should have a sufficient number of fire extinguishers or fire
prevention facilities.
8. Sinorix Silent Nozzle - designed for quiet extinguishing in data centers and
server rooms, resulting in disturbance-free operation of hard disk drives during
the extinguishing process.
9. Extinguishing with Sinorix 1230 - recommended for small-to-medium-sized
centers. It floods the room within 10 seconds and starts extinguishing before any
electronic equipment is severely damaged.
10. Extinguishing with Sinorix CDT - recommended for medium-to-large-sized
data centers. Sinorix CDT technology discharges nitrogen and argon into the
flooding zone at constant mass flow throughout the entire flooding time. This
eliminates the peak at the beginning of the discharge and thus lowers the
maximum noise level. In addition, the size of the overpressure flaps can be
reduced by up to 70%.
11. Video Surveillance - monitors critical zones such as the entrance area, etc., to
record incidents before and after the event.
12. Access Control - provides safe and flexible access authorization, time recording,
and badge issuing.
13. Intrusion detection - detection of unauthorized access. For protection
against flooding, a special flood detector enables the alarm system to detect
water leaks.
14. Extinguishing with Sinorix H2O Gas - in critical applications, uninterruptible
power supply (UPS) systems ensure continuity in case of power cuts. For those
systems representing a thermal risk, Sinorix H2O Gas, based on nitrogen and
water, combines highly efficient nitrogen extinguishing with a cooling water mist.
15. Ex zone devices - to guarantee continuity in case of power failure, a data center
is always connected to an uninterruptible power supply (UPS). In some of these
explosion-hazard areas, such as battery rooms or gas generators, Ex devices
have to be used.
Karen Joyce Felix
Data Center Operations
Data center operations refers to the workflow and processes that are performed within a data center.
It includes computing and non-computing processes that are specific to a data center
facility or data center environment.
Data center operations include all automated and manual processes essential to keep
the data center operational.
For a data center to be effective, it requires strict adherence to its policies, procedures,
and plans. These policies, procedures, and plans determine who is
granted access to the data center, what access they are granted,
which facility-based systems are to be scheduled for maintenance and when, and
which actions should be taken during an emergency.
Areas to be covered by these policies:
24. Ensure that physical access control procedures are comprehensive and being
followed by security staff.
Physical access control procedures govern employee and guest access to the data
center facility. If physical access control procedures are incomplete or not enforced
consistently, data center physical access will be compromised.
How
When reviewing physical access control procedures, the auditor should do the
following:
Ensure that access authorization requirements are clearly defined for both employees
and guests.
Verify that guest access procedures include restrictions on taking pictures and outline
conduct requirements within the data center.
Review a sample of both guest access and employee ID authorization requests to
ensure that access control procedures are followed.
25. Review facility monitoring procedures to ensure that alarm conditions are addressed
promptly.
Facility monitoring procedures ensure that all critical alarm conditions are captured and
acted on promptly. They should include a description of the alarm systems that will be
monitored, as well as the steps that are to be taken in the event of all reasonably
foreseeable alarms, including fire, burglar, water, power outage, data circuit outage,
system, and system component alarm conditions. The lack of system monitoring
procedures could result in unnecessary risk to information systems and data center
facilities.
How
When auditing facility monitoring procedures, the auditor should do the following:
Ensure that all critical systems and facility alarms are defined as "monitored systems"
in the procedure.
Verify that alarm-condition response is clearly outlined for each type of alarm condition.
The auditor should be able to obtain the actual monitoring procedures as well as
monitoring logs from data center facility management.
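An added example (not part of the original report) of how an auditor could test the alarm reports and monitoring logs requested in steps 18 and 25: it reads a constructed alarm report and flags alarms that were never acknowledged, acknowledged late, or carry an impossible timestamp, and lists alarm systems that never appear in the report. The CSV layout, the field names, and the 15-minute response limit are assumptions; the real limit comes from the facility monitoring procedure under audit.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample alarm report (not real data). Assumed columns:
# alarm_id, system, raised, acknowledged (blank = never acknowledged), operator
SAMPLE_REPORT = """alarm_id,system,raised,acknowledged,operator
A-001,fire,2024-03-01 02:14,2024-03-01 02:16,ops1
A-002,water,2024-03-01 03:40,2024-03-01 04:55,ops2
A-003,burglar,2024-03-02 23:05,,
A-004,humidity,2024-03-03 11:20,2024-03-03 11:31,ops1
A-005,fire,2024-03-04 18:02,2024-03-04 18:01,ops3
"""

# Alarm systems named in steps 18 and 25 that should feed the console.
REQUIRED_SYSTEMS = {"burglar", "fire", "water", "humidity", "power"}
# Assumed definition of "promptly" for this example.
MAX_RESPONSE = timedelta(minutes=15)
TS_FORMAT = "%Y-%m-%d %H:%M"


def review_alarm_report(text, required=REQUIRED_SYSTEMS, max_response=MAX_RESPONSE):
    """Return audit findings for an alarm report in the assumed CSV layout."""
    findings = {"unacknowledged": [], "late": [], "invalid": [], "not_reported": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(text)):
        seen.add(row["system"].strip().lower())
        raised = datetime.strptime(row["raised"].strip(), TS_FORMAT)
        ack_raw = (row["acknowledged"] or "").strip()
        if not ack_raw:
            # Nobody at the console responded to this alarm.
            findings["unacknowledged"].append(row["alarm_id"])
            continue
        acked = datetime.strptime(ack_raw, TS_FORMAT)
        if acked < raised:
            # Acknowledged before it was raised: clock drift or an edited record.
            findings["invalid"].append(row["alarm_id"])
        elif acked - raised > max_response:
            findings["late"].append(row["alarm_id"])
    # A required system with no entries may simply have been quiet, but the
    # auditor should confirm it is actually wired to the console.
    findings["not_reported"] = sorted(required - seen)
    return findings


if __name__ == "__main__":
    for finding, items in review_alarm_report(SAMPLE_REPORT).items():
        print(f"{finding}: {items}")
```
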
27. Ensure that roles and responsibilities of data center personnel are clearly
defined.
Proper data center staffing is key to reliable operations because well-defined
employee roles and responsibilities ensure that responsibility and accountability for data
center functions are clear.
The auditor should ensure that all job functions are covered and that responsibilities
associated with job functions are clearly defined, so that data center personnel
know their job boundaries and can perform their assigned activities
efficiently, resulting in high-quality work. Data center facility management
should be able to provide job descriptions, including roles and responsibilities.
In order to be fully effective, a data center must have the proper number of personnel,
organized correctly.
28. Verify that duties and job functions of data center personnel are
segregated appropriately.
Key to Data Security
When reviewing the data center's segregation of duties, the auditor should verify that
high-risk job functions, such as access authorization, are segregated across two or
more employees to reduce the risk of fraud or inadvertent errors and to minimize
unauthorized access.
Separation of duties restricts the amount of power or influence held by any individual. It
also ensures that people don't have conflicting responsibilities and are not responsible
for reporting on themselves or their superiors.
2 Primary Objectives
Prevention of conflict of interest, the appearance of conflict of interest, wrongful acts,
fraud, abuse and errors.
Detection of control failures that include security breaches, information theft and
circumvention of security controls.
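An added example (not part of the original report) of the segregation-of-duties check in step 28, applied to a sample of access authorization requests: it flags requests where the approver is missing, approved their own access, or also requested or provisioned the access. The record fields (subject, requester, approver, provisioner) and the sample records are assumptions constructed for illustration.

```python
# Constructed sample of data center access authorization requests.
# Field names are assumptions; map them to the facility's own request form.
SAMPLE_REQUESTS = [
    {"id": "REQ-101", "subject": "jdoe", "requester": "mlee",
     "approver": "kpatel", "provisioner": "sec-ops1"},
    # Approver requests and approves access for themselves.
    {"id": "REQ-102", "subject": "kpatel", "requester": "kpatel",
     "approver": "kpatel", "provisioner": "sec-ops1"},
    # Same person approves the request and issues the badge.
    {"id": "REQ-103", "subject": "guest-417", "requester": "mlee",
     "approver": "sec-ops1", "provisioner": "SEC-OPS1"},
    # No approval recorded at all.
    {"id": "REQ-104", "subject": "tnguyen", "requester": "mlee",
     "approver": "", "provisioner": "sec-ops2"},
]


def norm(value):
    """Normalize a user ID so 'SEC-OPS1' and 'sec-ops1' compare equal."""
    return (value or "").strip().lower()


def check_request(req):
    """Return the list of segregation-of-duties problems for one request."""
    subject = norm(req.get("subject"))
    requester = norm(req.get("requester"))
    approver = norm(req.get("approver"))
    provisioner = norm(req.get("provisioner"))
    if not approver:
        # Without an approver there is no second person in the process.
        return ["no approver recorded"]
    reasons = []
    if approver == subject:
        reasons.append("approver approved own access")
    if approver == requester:
        reasons.append("requester and approver are the same person")
    if approver == provisioner:
        reasons.append("approver and provisioner are the same person")
    return reasons


def sod_findings(requests):
    """Map request ID to its problems; compliant requests are omitted."""
    findings = {}
    for req in requests:
        reasons = check_request(req)
        if reasons:
            findings[req["id"]] = reasons
    return findings


if __name__ == "__main__":
    for req_id, reasons in sod_findings(SAMPLE_REQUESTS).items():
        print(req_id, "->", "; ".join(reasons))
```
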
NATURAL DISASTERS
3. Select auditors and conduct the audit to ensure objectivity and impartiality
during the audit process
4. Establish a procedure to ensure that deficiencies identified in an audit are
corrected within an agreed-upon time frame
5. Ensure that audits address internal and external organizations
6. Conduct an internal audit when there are significant changes to critical IT services,
business continuity and/or disaster recovery requirements
7. Have audit results documented and reported to senior management
BUILDING A DISASTER RECOVERY MAINTENANCE PLAN
1. Establish an ongoing plan maintenance schedule of activities
2. You can build your maintenance programs with something as simple as a
spreadsheet
3. Coordinate disaster recovery maintenance activities with existing IT activities
4. Document all maintenance actions, including when (date/time) maintenance was
performed, summary of maintenance activities and approvals as needed
5. Leverage existing internal resources to provide a secure repository for
maintenance activities
6. Generate periodic maintenance reports to management highlighting the status of
maintenance activities and issues that need to be addressed
BUILDING A CONTINUOUS IMPROVEMENT CAPABILITY
Once the disaster recovery project is completed, launch an ongoing process of
continuous improvement
This process has ties to the kaizen philosophy of manufacturing, which
encompasses activities to continually improve all manufacturing functions,
involving all workers and all processes
When applied to disaster recovery, continuous improvement ties together the
previously discussed disaster recovery audit and maintenance activities and
leverages the results of both to introduce improvements to the process on an
ongoing basis
As always, secure management authorization when organizing a continuous
improvement programme
How?
The auditor should verify that backup media can be retrieved within the time frames
set forth in the service-level agreement with the off-site storage vendor.
Disaster Recovery Planning
Alford Sery A. Cammayo
A documented process or set of procedures to recover and protect a business's IT
infrastructure in the event of a disaster
It is a comprehensive statement of consistent actions to be taken before, after
and during a disaster.
The disaster could be natural, environmental or man-made.
Objectives:
1. To minimize downtime and data loss
2. To protect the organization in the event that all or part of its operations and/or
services are rendered unusable
3. To minimize the disruption of operations and ensure that some level of
organizational stability and an orderly recovery after a disaster will prevail
6. Ensure that a disaster recovery plan exists and is comprehensive and that
key employees are aware of their roles in the event of a disaster.
How
Auditing disaster recovery plans can be difficult because of the complexity of
successfully recovering data center operations. In auditing disaster recovery plans, the
auditor should do the following:
1. Ensure that a disaster recovery plan exists.
2. Verify that the disaster recovery plan covers all systems and operational areas.
3. Review the last data center threat assessment to verify that the disaster
recovery plan is still relevant and addresses the current risk to the data center.
4. Ensure that disaster recovery roles and responsibilities are clearly defined.
5. Verify that salvage, recovery, and reconstitution procedures are addressed.
6. Ensure that the emergency operations center has appropriate supplies,
computers, and telecommunications connectivity.
7. Ensure that emergency communications are addressed in the plan.
8. Review the findings of the last disaster recovery exercise.
7. Ensure that disaster recovery plans are updated and tested regularly.
How
When auditing disaster recovery plans, the auditor should review the update or version
history that usually is included in the front of the plan. Plans should be updated at least
annually. Likewise, the auditor should review disaster recovery test documentation to
verify that tests are performed at least annually. This information usually accompanies
the plan in either electronic or paper form.
8. Verify that parts inventories and vendor agreements are accurate and
current.
How
The auditor should review both parts inventories and vendor agreements to ensure that
both are current for existing systems. Vendor agreements should accompany the
disaster recovery plan. Part inventories can be obtained from asset management or
system personnel.