Week 5 part 1 Flashcards
fact
Power use per square foot per year for a computer center is about 2,100 kWh.
Why use standards?
People do not mess up on the basics, and business practices become more efficient. Wi-Fi is an example of a standard we use every day, as are common metrics.
- Standards provide a framework for ensuring quality, security and efficiency in IT operations.
- They help organizations comply with legal and regulatory requirements, reducing the risks of non-compliance.
- Standards facilitate communication and interoperability between different systems and organizations.
- They promote best practices and continuous improvement within the organization.
- Adopting standards can enhance an organization's reputation and stakeholder trust.
Different types of standards
- Information security management: ISO/IEC 27001, the standard for information security management systems
- Quality management: ISO 9001, the standard for quality management systems
- Environmental management: ISO 14001, the standard for environmental management systems
- Occupational health and safety management: OHSAS 18001, the assessment specification for occupational health and safety management systems (since superseded by ISO 45001)
- Business continuity management: ISO 22301, the business continuity management standard
- Energy management: ISO 50001, addressing energy performance, including energy efficiency, use and consumption
- Infrastructure solutions: Microsoft Gold Partner
- Payment card security: PCI Data Security Standard (PCI DSS)
- Environmental standards and awards
- Corporate social responsibility: FTSE4Good (anti-corruption, anti-bribery, anti-slavery/human trafficking)
Data center and server room standards
Standards can come from different levels:
- Organization
- Vendor
- Industry / professional organization
- International
ANSI/TIA-942
Originally developed by the TIA (Telecommunications Industry Association) and then adopted by ANSI, hence "ANSI/TIA": ANSI reused the existing specification rather than writing another one to replicate it.
- A specification that references private and public domain data center requirements for applications and procedures, such as:
– Network architecture
– Electrical design
– File storage, backup and archiving
– System redundancy
– Network access control and security
– Database management
– Web hosting
– Application hosting
– Content distribution
– Environmental control
– Protection against physical hazards (fire, flood, windstorm)
– Power management
ANSI/TIA-942 Rating/Tier* Level
(*TIA-942 now says "Rated" rather than "Tier", because "Tier" is the Uptime Institute's term.)
Rated-1 / Tier 1: Basic Site Infrastructure. Think of a home setup: one modem/router, one network connection, one power source, perhaps some redundancy on the compute side but otherwise none, and a single internet line coming in. A data center with single capacity components and a single, non-redundant distribution path serving the computer equipment; it has limited protection against physical events.
Rated-2 / Tier 2: Redundant Capacity Component Site Infrastructure. A data center with redundant capacity components (for example two modems) but still a single, non-redundant distribution path serving the computer equipment; it has improved protection against physical events.
Rated-3 / Tier 3: Concurrently Maintainable Site Infrastructure. Redundant capacity components and multiple independent distribution paths (for example power and cabling entering from two different places), with only one path active at a time, so any component or path can be taken out of service for maintenance without shutting down the computer equipment. Protection against most physical events.
Rated-4 / Tier 4: Fault Tolerant Site Infrastructure. Redundant capacity components and multiple distribution paths that are used concurrently, so the site is concurrently maintainable and a single fault anywhere in the installation does not result in downtime. Protection against almost all physical events (e.g. Cisco data centers).
Uptime Institute
The Uptime Institute certifies data center designs, builds and operations on the basis of reliable, redundant operating capability to one of four Tier levels. Data center designers can certify their plans; constructed facilities earn Tier certification after an audit; operating facilities can prove fault tolerance and sustainable practices and earn certification after an audit.
- Tier Standard: Topology
- Tier Standard: Operational Sustainability
International Data Center Authority (IDCA)
Another group that sets standards around data centers.
ANSI (US) standard
ANSI/BICSI 002-2019 Data Center Design and Implementation Best Practices
- A best practices design standard intended to complement, not replace, TIA-942: recommended practices that exceed the requirements specified in TIA-942.
- BICSI 002 serves as reference material for the Data Center Design Consultant (DCDC) credential.
Topics covered by ANSI/BICSI 002-2019:
- Design methodology (facilities, cabling, network, services, applications)
- Site selection and space planning (site services and hazards)
- Structural and architectural
- Electrical systems (DC power; standby and backup power systems)
- Mechanical systems
- Security and fire (designing for fire safety and physical safety)
- Facility and building systems
- Telecommunications infrastructure (cabling media and connectivity; cabinet airflow and cabling capacity)
- Network infrastructure
- Data center commissioning and maintenance
- Energy efficiency
- Multi-site data center architecture
- Colocation planning, including moving an entire data center
European standard (the EN 50600 series)
Standards dealing with building construction, power distribution, environmental control, telecommunications cabling infrastructure, security systems, and management and operational information.
GB 50174-2008 (China)
The national standard Code for Design of Electronic Information System Rooms in China.
It defines three tiers, A, B and C, from most to least stringent; these tiers rank the design and renovation of IT and communication equipment rooms.
JDCC: the Japan Data Center Council
Its Facility Standard matrix covers building, security, electrical, cooling equipment, communication equipment and maintenance, including seismic considerations.
ISO
The International Organization for Standardization is an overarching international conglomeration of national standards bodies.
- ISO is working on data center standards, several of which apply to facilities and power usage.
Other ISO standards:
- ISO 9001: quality management capability
- ISO/IEC 27001: certifies information security and operational security practices regarding physical data security as well as business continuity efforts
- Other ISO standards a data center may use: environmental practices such as ISO 14001 and energy management such as ISO 50001
ISO/IEC 24764
International standard for data center telecommunications cabling infrastructure.
- Based on CENELEC EN 50173-5, the European data center telecom cabling standard.
* ISO/IEC 19395:2015 Information technology – Sustainability for and by information technology – Smart data centre resource monitoring and control
* ISO/IEC TR 30132-1:2016 Information technology sustainability – Energy efficient computing models – Part 1: Guidelines for energy effectiveness evaluation
* ISO/IEC PDTR 30133 (under development) Information technology – Data centres – Guidelines for resource efficient data centres
* ISO/IEC 30134-1:2016 Information technology – Data centres – Key performance indicators – Part 1: Overview and general requirements
* ISO/IEC 30134-2:2016 Information technology – Data centres – Key performance indicators – Part 2: Power usage effectiveness (PUE)
* ISO/IEC 30134-3:2016 Information technology – Data centres – Key performance indicators – Part 3: Renewable energy factor (REF)
* ISO/IEC 30134-4:2017 Information technology – Data centres – Key performance indicators – Part 4: IT Equipment Energy Efficiency for servers (ITEEsv)
* ISO/IEC 30134-5:2017 Information technology – Data centres – Key performance indicators – Part 5: IT Equipment Utilization for servers (ITEUsv)
* ISO/IEC CD 30134-6 (under development) Information technology – Data centres – Key performance indicators – Part 6: Energy Reuse Factor (ERF)
ISO
ISO/IEC 19099:2014 Information technology – Virtualization Management Specification
ISO/IEC 19941:2017 Information technology – Cloud computing – Interoperability and portability. A big challenge for the cloud is that every cloud provider has its own servers and platform, so workloads do not move between them easily.
Green Grid Association
The ISO standards on the preceding slide build on the Green Grid Association's metrics.
- PUE metric: Power Usage Effectiveness.
PUE, developed by the Green Grid, measures how well a data center uses power as the ratio of total facility power to the power used by the IT equipment alone. The closer this ratio comes to 1, the more efficiently the data center is consuming power; it can never be below 1, because the facility total includes the IT load.
- WUE: Water Usage Effectiveness (site water use per unit of IT energy).
- CUE: Carbon Usage Effectiveness (carbon emissions per unit of IT energy). Claim noted here: hyperscalers put out 7 to 8 times the carbon pollution they say they do.
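A worked example of the Green Grid KPIs above, added here and not part of the course notes. It computes PUE, WUE and CUE from a year of constructed meter readings, following the ISO/IEC 30134-2 convention that PUE is a ratio of annual energy (kWh) rather than a snapshot of power, and it refuses readings in which IT energy exceeds facility energy, which is physically impossible and usually means a mis-wired or mis-scaled meter. It also shows why averaging per-period PUEs is the wrong way to get an annual figure. The reading values, period labels and function names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MeterReading:
    """One billing period of constructed meter data (not from any real site)."""
    period: str            # label such as "2024-P1"
    facility_kwh: float    # total energy entering the facility
    it_kwh: float          # energy delivered to IT equipment (PDU/UPS output)
    water_liters: float    # site water consumed (cooling towers, humidification)
    co2_kg: float          # emissions attributed to the facility's energy use


class MeterError(ValueError):
    """Raised when a reading cannot be trusted."""


def is_trustworthy(r):
    # Facility energy includes IT energy, so IT > facility (or IT == 0) can only
    # come from a metering fault. Using such a reading would report a
    # flattering PUE below 1.0.
    return r.it_kwh > 0 and r.it_kwh <= r.facility_kwh


def validate(readings):
    if not readings:
        raise MeterError("no readings")
    bad = [r.period for r in readings if not is_trustworthy(r)]
    if bad:
        raise MeterError(f"untrustworthy readings: {bad}")


def pue(readings):
    """Power Usage Effectiveness: total facility energy / IT energy (>= 1.0)."""
    validate(readings)
    return sum(r.facility_kwh for r in readings) / sum(r.it_kwh for r in readings)


def wue(readings):
    """Water Usage Effectiveness: liters of site water per kWh of IT energy."""
    validate(readings)
    return sum(r.water_liters for r in readings) / sum(r.it_kwh for r in readings)


def cue(readings):
    """Carbon Usage Effectiveness: kg CO2 per kWh of IT energy."""
    validate(readings)
    return sum(r.co2_kg for r in readings) / sum(r.it_kwh for r in readings)


def kpis(readings):
    return {"PUE": round(pue(readings), 3),
            "WUE": round(wue(readings), 3),
            "CUE": round(cue(readings), 3)}


def mean_of_period_pue(readings):
    """The common mistake: averaging per-period PUEs instead of summing energy.
    Every period is weighted equally regardless of IT load, so the result
    disagrees with the energy-based PUE whenever IT load varies."""
    validate(readings)
    return sum(r.facility_kwh / r.it_kwh for r in readings) / len(readings)


# Constructed sample: a year in three periods with varying IT load.
SAMPLE = [
    MeterReading("2024-P1", facility_kwh=1200, it_kwh=800, water_liters=2400, co2_kg=600),
    MeterReading("2024-P2", facility_kwh=1100, it_kwh=700, water_liters=2100, co2_kg=500),
    MeterReading("2024-P3", facility_kwh=1300, it_kwh=900, water_liters=2700, co2_kg=700),
]

if __name__ == "__main__":
    print(kpis(SAMPLE))                          # {'PUE': 1.5, 'WUE': 3.0, 'CUE': 0.75}
    print(round(mean_of_period_pue(SAMPLE), 3))  # 1.505, not 1.5
    try:
        kpis(SAMPLE + [MeterReading("2024-P4", 900, 950, 2000, 400)])
    except MeterError as e:
        print("rejected:", e)
```

The energy-based PUE for the sample is exactly 1.5, while the mean of the three per-period PUEs is 1.505; on a real site with seasonal cooling load and varying IT load the gap is larger, which is why the ISO/IEC 30134-2 definition sums energy over the year.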
ASHRAE: the American Society of Heating, Refrigerating and Air-Conditioning Engineers
Has created guidelines for thermal controls and for gaseous and particulate contamination.
Changes in ASHRAE recommendations align with efficiency and green energy issues.
NFPA: the National Fire Protection Association
The NFPA publishes codes and standards to minimize and avoid damage from hazards such as fire.
- NFPA 75, the Standard for the Fire Protection of Information Technology Equipment, requires that data centers install smoke detection systems.
- NFPA 70 (the National Electrical Code) requires an emergency power-off button for the data center to protect emergency responders.
Environmentally Friendly Buildings
BREEAM: the BRE Environmental Assessment Method, an environmental standard for buildings in the UK and nearby countries covering design, construction and operation.
LEED: Leadership in Energy and Environmental Design, an international certification for environmentally conscious buildings and operations, managed by the US Green Building Council.
- Five rating systems (building design, operations, neighborhood development and other areas) award a LEED level: Certified, Silver, Gold or Platinum.
- The organization provides a data center specific project checklist, as the LEED standard includes adaptations for the unique requirements of data centers.
LEED BD+C data center checklist
- Location and transportation
- Sustainable sites
- Water efficiency
- Energy and atmosphere
- Materials and resources
- Indoor environmental quality
- Innovation
- Regional priority
Industry Groups
OCP: the Open Compute Project, a standards effort in which Google and others have been involved.
- Designing new racks and new ways of computing
- Networking and server design standards
OIX: the Open IX Association works to improve how data centers and networks connect to each other. It focuses on Internet peering and interconnect performance for data centers and network operators, along with content creators, distribution networks and consumers. It publishes technical requirements for Internet exchange points and the data centers that support them; the requirements cover the designed resiliency and safety of the data center as well as connectivity and congestion management.
IEEE Standards Association (professional society)
The Institute of Electrical and Electronics Engineers provides more than 1,300 standards and projects for various technological fields.
- Relevant standards include the IEEE 802 standards for local area networks, such as the IEEE 802.11 wireless LAN specification and IEEE 802.3ba, the 40 and 100 Gb/s Ethernet standard.
Controls: AICPA
SAS 70 (replaced in June 2011)
- Statement on Auditing Standards No. 70, developed by the AICPA (American Institute of CPAs), was an audit standard for measuring a data center's financial reporting and recordkeeping controls.
SSAE 16: Statement on Standards for Attestation Engagements No. 16
- AICPA auditing standard for reporting on controls at service organizations, including data centers, in the United States. It replaced SAS 70 in June 2011 and was itself succeeded by SSAE 18 in May 2017.
- Goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed.
- Also provides better alignment with the international audit standard ISAE 3402, which deals with assurance reports on controls at service organizations.
SSAE 16 SOC 1 reports
- An audit conducted under SSAE 16 results in a Service Organization Control (SOC) 1 report. SOC 1 reports focus on controls relevant to internal control over financial reporting; in essence, a SOC 1 report is the form of reporting for a completed SSAE 16 audit.
- Who can use them: as with SAS 70, SOC 1 reports are restricted use reports intended only for existing customers and their auditors, not prospective customers or the general public.
- Types of reports:
– Type 1: presents the auditor's opinion on the accuracy and completeness of management's description of the system or service, and on the suitability of the design of the controls, as of a specific date.
– Type 2: includes the Type 1 criteria AND audits the operating effectiveness of the controls throughout a declared period, generally between six months and one year.
- No certification: as with SAS 70, there is no official SSAE 16 or SOC 1 "certification".
In short, SOC 1 reports assess and verify controls related to financial reporting, for use by current clients and their auditors.
SSAE SOC 2 reports
- Service Organization Control (SOC) 2 reports are intended to provide assurance about controls related to the security, availability, processing integrity, confidentiality and privacy of a system and its information.
- A SOC 2 report is based on predefined control criteria, the AICPA Trust Services Principles and Criteria, for evaluating the design and operating effectiveness of controls at a data center or other service organization.
SSAE 16 SOC 3 report
- SOC 3 reports provide the same level of assurance about controls as a SOC 2 report.
- Can be released for general viewing (a general use report).
- Does not contain the detailed description of the testing performed by the auditor.
- Provides a summary opinion regarding the effectiveness of the controls in place at the data center or service organization.
- Once the auditor is assured that the data center operator has achieved the Trust Services criteria, the company can display the SOC 3 SysTrust for Service Organizations seal.
Information security
HIPAA
The Health Insurance Portability and Accountability Act of 1996 covers the privacy and security of health information; an organization can get a HIPAA audit.
PCI DSS
The Payment Card Industry Data Security Standard was created by the major credit card brands and applies to companies that accept, store, process or transmit credit cardholder data.
PCI Data Security Standard
The twelve requirements (PCI DSS v4.0 wording):
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organizational policies and programs
The six goals the requirements are grouped under:
- Build and maintain a secure network and systems
- Protect account data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
How to comply with PCI DSS
PCI DSS requirements apply to the cardholder data environment (CDE), which is comprised of:
– System components, people and processes that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), and
– System components that may not store, process or transmit CHD/SAD but have unrestricted connectivity to system components that do,
AND
– System components, people and processes that could impact the security of the CDE.
* Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing self-assessments and when to engage a Qualified Security Assessor (QSA).
* Depending on an entity's classification or risk level (determined by the individual payment card brands), the process for validating compliance and reporting to acquiring financial institutions usually follows this sequence:
- Confirm the scope of the PCI DSS assessment.
- Perform the PCI DSS assessment of the environment.
- Complete the applicable report for the assessment according to the PCI DSS guidance and instructions.
- Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety. Official Attestations of Compliance are only available on the PCI SSC website.
- Submit the applicable PCI SSC documentation and the Attestation of Compliance, along with any other requested documentation such as ASV scan reports, to the requesting organization (those that manage compliance programs, such as payment brands and acquirers for merchants, or other requesters for service providers).
- If required, perform remediation to address requirements that are not in place and provide an updated report.
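A worked example of the scoping step above, added here and not taken from PCI DSS or the course notes: a small classifier that buckets an asset inventory into CDE, connected-to, security-impacting and out-of-scope systems using the three criteria in the CDE definition. Asset names, flags and flows are constructed; the one-hop rule and the either-direction rule for "unrestricted connectivity" are this example's reading of the definition, and the scope confirmed by the assessor in step 1 governs, not this script.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    """An inventory entry. Names and flows below are constructed, not a real estate."""
    name: str
    handles_chd: bool = False           # stores, processes or transmits CHD/SAD
    security_impacting: bool = False    # could affect CDE security (AD, SIEM, patching ...)
    unrestricted_to: set = field(default_factory=set)  # peers reachable with no filtering


def classify(assets):
    """Bucket assets by the CDE definition: CDE, connected-to, security-impacting,
    or out of scope. Connectivity counts in either direction, but only one hop:
    a system that can only reach a connected-to system is not pulled in."""
    by_name = {a.name: a for a in assets}
    for a in assets:
        unknown = a.unrestricted_to - set(by_name)
        if unknown:
            raise ValueError(f"{a.name} references assets not in inventory: {sorted(unknown)}")

    # Criterion 1: anything touching CHD/SAD is the CDE itself.
    cde = {a.name for a in assets if a.handles_chd}

    # Criterion 2: unrestricted connectivity to a CDE component, either way.
    connected = set()
    for a in assets:
        if a.name in cde:
            continue
        reaches_cde = bool(a.unrestricted_to & cde)
        reached_from_cde = any(a.name in by_name[c].unrestricted_to for c in cde)
        if reaches_cde or reached_from_cde:
            connected.add(a.name)

    # Criterion 3: could impact CDE security even with no direct flow.
    impacting = {a.name for a in assets if a.security_impacting} - cde - connected

    out = set(by_name) - cde - connected - impacting
    return {
        "cde": sorted(cde),
        "connected_to": sorted(connected),
        "security_impacting": sorted(impacting),
        "out_of_scope": sorted(out),
    }


def in_scope(assets):
    """Everything a PCI DSS assessment must cover."""
    b = classify(assets)
    return set(b["cde"]) | set(b["connected_to"]) | set(b["security_impacting"])


# Constructed inventory for a small merchant (hypothetical names).
INVENTORY = [
    Asset("pos-terminal", handles_chd=True, unrestricted_to={"payment-gw"}),
    Asset("payment-gw", handles_chd=True, unrestricted_to={"payment-db"}),
    Asset("payment-db", handles_chd=True),
    Asset("web-frontend", unrestricted_to={"payment-gw"}),   # reaches CDE: connected-to
    Asset("ad-controller", security_impacting=True),         # authenticates CDE admins
    Asset("siem", security_impacting=True),                  # receives CDE logs via filtered syslog
    Asset("hr-wiki", unrestricted_to={"web-frontend"}),      # two hops away: not pulled in
    Asset("guest-wifi"),                                     # segmented, no flows
]

if __name__ == "__main__":
    for bucket, names in classify(INVENTORY).items():
        print(f"{bucket:20s} {names}")
```

Systems the script lists as out of scope are only out of scope if the segmentation that keeps them off the CDE is actually verified (the segmentation testing an assessment requires); a firewall rule that turns out to be "any/any" moves hr-wiki straight into the connected-to bucket.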
National Institute of Standards and Technology (US Department of Commerce)
NIST oversees measurements in the US and is one of the nation's oldest physical science laboratories.
ISO
ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements
ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection – Information security controls
Certification
- ISO 9001: quality
- ISO/IEC 27001: information security
- ISO/IEC 20000: service management
- ISO 22301: business continuity
ISO/IEC 27002: information security controls (control domains as listed in the 2013 edition; the 2022 edition regroups the controls into organizational, people, physical and technological themes)
-information securirty policies
-access control
-asset mangment
-HR security
-cryptography
-physical and environemtnal security
-communiation security
-operation security
-compliance
Capability Assessment Management
Selecting an overarching capability framework and mapping the other frameworks used in the organization to it.
APQC Process Classification Framework (PCF)
APQC's Process Classification Framework is the most used process framework in the world. It creates a common language for organizations to communicate and define work processes comprehensively and without redundancies. Organizations use it to support benchmarking, manage content, and perform other important performance management activities.
The categories are:
- Develop and manage human capital
- Manage IT
- Manage financial resources
- Acquire, construct and manage assets
- Manage enterprise risk, compliance, remediation and resiliency
- Manage external relationships
- Develop and manage business capabilities
ISO 37000: Governance of organizations
This document gives guidance on the governance of organizations. It provides principles and key aspects of practice to guide governing bodies and governing groups on how to meet their responsibilities so that the organizations they govern can fulfil their purpose. It is also intended for stakeholders involved in, or impacted by, the organization and its governance.
It is applicable to all organizations regardless of type, size, location, structure or purpose.
ISO/IEC 38500: Governance of IT for the organization
[Figure: the ISO/IEC 38500 model. Two arrows, business pressures and business needs, feed into a triangle labelled "Corporate governance of IT". Inside the triangle, Evaluate has two arrows, Direct and Monitor. The Direct arrow goes to plans and policies, which flow into ICT projects. The Monitor arrow comes back from ICT operations, whose performance and conformance are monitored. Business process proposals are evaluated by the corporate governance of IT.]