
Guide to create SOP for Data Center

--001. SOP - Standard Operating Procedure for our Data Center
https://community.spiceworks.com/topic/265384-sop-standard-operating-procedurefor-our-data-center

by mohsin_hanif_777 on Oct 8, 2012 at 9:53 BST


I am on task to do the SOP - Standard Operating Procedure for our Data Center. Please let me
know if you have such kind of manuals or procedures.
SOP should also include the
database
programming
paper
printing
consumables
maintenances
backup plan
Thanks in advance

4 Replies

Datil
donges Oct 8, 2012 at 9:15 UTC

No offense, but the sharing of such seems to be a huge security problem. And redacting all
potential security-related details would be a huge undertaking and would probably not help you
out much at all.
So all I can say is, yes, I do have this kind of documentation.
This may help:
http://itknowledgeexchange.techtarget.com/IT-watch-blog/start-from-scratch-data-centersecurity-policy-template

Mace
George1421 Oct 8, 2012 at 9:37 UTC

SOPs are intended to describe how you run your business. The way I run my datacenter is
different than the way you run your datacenter. I probably have different compliance regulations
than you.
SOP documents should be created to support an existing security policy. SOPs should not be self
supporting, they should be the "how we do it" to one or more security policies.
A good SOP has several different sections.
1) Describe why this SOP is important. What are the impacts of executing it correctly and the
risks of not executing the SOP as outlined.
2) Describe what business systems are impacted by this SOP. (i.e. this policy covers all
Windows servers connected to the company's network infrastructure).
4) Describe the accountability matrix. Who is responsible for what. (i.e. datacenter staff changes
the tapes, datacenter manager audits tape change log to ensure the actions are carried out as
described, etc.)
5) A definition table for non-common terms used in the document. Don't assume that everyone
knows the difference between a SAN and a NAS.
6) Your working procedure (log in to the console, run command X, select option Y, etc...)
7) Ensure you have a change log to the SOP possibly in an index, so your staff and auditors can
see the changes between each version of your document.
[Edit] Cool, at least based on donges link I'm fairly close on the policy requirements [/Edit]

Datil
donges Oct 8, 2012 at 9:50 UTC

George1421 wrote:
[Edit] Cool, at least based on donges link I'm fairly close on the policy requirements [/Edit]
heh.

Pimiento
NE.Sam Oct 12, 2012 at 7:37 UTC

George1421 wrote:
SOPs are intended to describe how you run your business. The way I run my datacenter is
different than the way you run your datacenter. I probably have different compliance regulations
than you.
SOP documents should be created to support an existing security policy. SOPs should not be self
supporting, they should be the "how we do it" to one or more security policies.
A good SOP has several different sections.
1) Describe why this SOP is important. What are the impacts of executing it correctly and the
risks of not executing the SOP as outlined.
2) Describe what business systems are impacted by this SOP. (i.e. this policy covers all
Windows servers connected to the company's network infrastructure).
4) Describe the accountability matrix. Who is responsible for what. (i.e. datacenter staff changes
the tapes, datacenter manager audits tape change log to ensure the actions are carried out as
described, etc.)
5) A definition table for non-common terms used in the document. Don't assume that everyone
knows the difference between a SAN and a NAS.
6) Your working procedure (log in to the console, run command X, select option Y, etc...)
7) Ensure you have a change log to the SOP possibly in an index, so your staff and auditors can
see the changes between each version of your document.
[Edit] Cool, at least based on donges link I'm fairly close on the policy requirements [/Edit]
Hello George1421,
It's really supportive what you have posted. I'm a Datacenter Shift Engineer given the task to write &
create SOPs. Right now I'm working over "Physical Checklist" or "Physical Status" SOP and I'm
really lacking in appropriate formats & words. Can you please help me in this regard? I need
the above-mentioned SOP. I will then re-edit according to our Datacenter.

--002. Start from scratch: Data center security policy template
http://itknowledgeexchange.techtarget.com/IT-watch-blog/start-from-scratch-datacenter-security-policy-template/
Nov 22 2010 6:21AM GMT

Kevin Beaver

Security policies are all too often made to be overly complex and difficult to manage. Done
incorrectly, policies can hinder more than they help. If you're looking to pull together some
security policies for your data center or elsewhere inside your organization, here's a template you
can use to help clarify what's expected of everyone involved:

Introduction: A brief overview of the topic.
Purpose: The high-level strategy and goals of the policy.
Scope: The departments, employees and systems that are covered by the
policy.
Roles and responsibilities: Who is involved and what each person must do
to support the policy.
Policy statement: The actual policy outlining what can or cannot be done.
Exceptions: The departments, employees and systems that are not covered
by the policy.
Procedures: Specific steps on how the policy is being implemented and
enforced. Key word here is specific.
Compliance: Metrics and other methods used for measuring adherence
within the policy.
Sanctions: Consequences for policy violations.
Review and evaluation: Specifics on when the policy must be reviewed for
accuracy, applicability and compliance purposes (i.e. HIPAA/HITECH ACT, PCI
DSS, state breach notification laws, etc.).
References: Regulatory code sections and information security standards
that the policy quotes or references.
Related documents: Other policies, procedures and security standards that
relate to the policy.
Revisions: Ongoing changes made to the policy document.
Notes: Anything else that can help with future policy administration.

Kevin Beaver is an independent information security consultant, expert witness, author, and
professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch
Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on
Twitter at @kevinbeaver.
--003. Data centers are fair game for policies, too


http://itknowledgeexchange.techtarget.com/IT-watch-blog/data-centers-are-fairgame-for-policies-too/
Nov 19 2010 6:23AM GMT

Kevin Beaver

When we think of security policies, visions of acceptable use and passwords often come to
mind. But policies are much more than that, especially considering the complexities associated
with data centers. Policies outline "this is how we do things around here" regardless of the specific
topic. When it comes to information security and managing data center-related risks, there are
numerous policies that could apply:

Access controls

Audit logging

Authentication

Key management (you know, those old-fashioned physical keys you use to
lock and unlock stuff in your data center)

Media disposal

Mobile device encryption

Web security (for your CCTV management system, UPSs, KVMs, etc.)

Wireless networks

You don't necessarily need to create dedicated policies on these topics just for the data center.
Instead, simply include the data center and related systems within the scope of the appropriate
policy. This will keep your number of policies to a minimum and simplify policy management.
Given all the headaches, politics and technical complexities of managing a data center, the last
thing you need to do is create more stuff to keep up with. In a follow-up post, I'll outline a
security policy template that can work well in this situation.

--004. AS VMware moves into data centers, worlds collide


http://itknowledgeexchange.techtarget.com/IT-watch-blog/as-vmware-moves-intodata-centers-worlds-collide/
Nov 18 2010 3:20PM GMT

Michael Morisy

"I think 'data center manager' is a mislabel," the IT manager tells me. It's a surprising statement,
since he's actually in charge of managing a data center. But he insists.
"It's server management. The fact that they live in a data center ... It's just marketing stuff." He
won't let me use his name, but this IT manager (we'll call him Frank) has the credentials to
talk. He works at a big organization that produces a lot of data.
"What two years ago was a one or two terabyte allocation request is now a 10 or 30 terabyte
allocation," he said. Storage may be cheap, but it's not cheap in those quantities, and so he's now
forced to tell departments to re-run simulations and tests because it's actually cheaper to spend
the thousand dollars to re-run the tests than to store that 10 to 30 terabytes forever.
That "forever" is the reason I'm speaking to Frank in the first place. We've been taking a look at
when written policy and actual practice don't line up, and he freely admits it's a problem they
bump into regularly. It can mean regulatory and security problems, but it can also mean that data
that might need to be stored for weeks or months ends up being stored for years, an almost
imperceptible cost by itself but a huge drain on resources when aggregated by thousands of users
day after day, year after year.
Mix into all that one of the driving forces for all this growth, virtualization, which makes adding
on new applications and capacity much more effortless, and you add another potent poison: The
cloudiness of the new data center. Not cloud in the beloved buzzword sense, either, but cloudy
in the I-can't-tell-which-physical-server-is-borked sense, which suddenly becomes very
important when your sales force can't access their CRM database, and you know it's machine
#134 but that machine could be in any server, or even multiple servers, somewhere in your room.
"Literally keeping an eye on what physical server a virtual server is running on, it's important to
know in a troubleshooting effort," Frank said. "If a user calls and something's misbehaving, they
know it's hosted on this server name, but what server is that hosted on today?"
And so we circle back to Frank's central problem: Data centers aren't building blocks like they
used to be, they're now interconnecting physically and virtually in ways that demand as much
networking expertise as they do data center know-how.
"We need technical staff that's good with servers, and technical staff that's good with networks,"
he said. "It's just a lot more integrated as a virtual environment than it was in a traditional
environment."
Have your own stories of career collisions? Think Frank is full of phooey? Get in touch below,
I'd love to hear your take.
Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on
Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

--005. Who exactly is responsible for data center security?


http://itknowledgeexchange.techtarget.com/IT-watch-blog/who-exactly-isresponsible-for-data-center-security/
Nov 17 2010 8:36AM GMT

Kevin Beaver

Given our discussion of data centers this month, I reflected back on the data center environments
I've seen over the past few years and have drawn some interesting conclusions regarding security
in/around the data center:
1. Sometimes the physical security team owns the responsibility of securing the data center, but
often a physical security manager or team doesn't exist.
2. When IT is put in charge of data center security, it's quite commonplace that very little
physical security is present (it gets in the way).
3. When physical security does exist, the data center is typically fully locked down with
relatively stringent policies and processes regarding the who, how, and why related to people
coming and going to/from the premises.
4. When no one takes responsibility for locking down the data center, it's often the compliance
manager or internal auditor who ends up mandating that things be secured.
There's often no clear responsibility and little accountability related to data center security. But
when you think about it, that's not really any different than vulnerability patching, the software
development lifecycle, periodic and ongoing information security testing, proactive system
monitoring and so on, right? Thus the cycle of business risks and job security continues. The
key? Awareness, communication and striving for control over data center security.