Week 5 part 1

Question 1

fact

Answer 1

power use per square foot per year computer center is 2,100 kwh

Question 2

Why use standards?

Answer 2

people do not mess up on the basis, more efficient in business practices, wifi is an exampleof standards we use or the metrics

-standards provide a framwork for ensuring quality, security, efficiency, in IT operations
-they organizaton comply with legal and reuglatory required reducing risks with non compliance
-standards facilatitate communication and interoperability between different systems and orgsanization
-they promote best practices and contnous improvment within organization
-adopting standards can enhacne an organization repuatation and stakeholder trust

Question 3

different types of standards

Answer 3

ISO 270001 standard for security managment
Quality managment- ISO9001 standard for qulaity managment
environmental managment-ISO 140001 standard for environmental managment systems
occupational health and safety managment-OHSAS 18001 the assessment spcifciation for occupational health and safety mangment system
business continuity managment-ISO 22301 business coninty managment standrd
energy managment ISO150001 adressing energy perfomce including energy efficiency use and consumption
Infrastrure solutions-MS gold partner
payment card security-PCI Data securirt standard
-environmental standards and awards
-corporate social responsiblity - FTSE4Good ani corpution, anti birbery, anti slavery/human traffiking

Question 4

data center and server room standards

Answer 4

can come from different levels
organization
-vendor
-idnsutry-professional organization
-interantail

Question 5

ANSI/TIA-942

Answer 5

orginally developed by TIA but then ansi adopted it so it ansi/tia not write another one to replicate but reuse it
- a psecification references private and bulic domain data center rquirments for application and procedures
such as
-network
-environmental contro
-power magmentent
– Network architecture
– Electrical design
– File storage, backup and archiving
– System redundancy
– Network access control and security
– Database management
– Web hosting
– Application hosting
– Content distribution
– Environmental control
– Protection against physical hazards (fire, flood, windstorm)
– Power management

Question 6

ANSI/TIA-942 Rating/Tier* Level

Answer 6

Tier 1 bais site ifrasture- at homes, 1 motem/router, 1 network connect, 1 power source, might have some reduanncy on the compute sight but other that no redunancy. one line of internet coming in. A data center which has single capcity compenets and a singe, non reducnant distribution path srving the computer equpment, it has limited protection againt physical events.

Rated-2/Tier 2 Redudant capacity compneonet site infrasture, A data center which haas redudnacnt capacity compnents like 2 motem but a single non reduant distribution path serving the computer equipment. it has imrpoved protection againt phsycial events

Rated 3 Tier 3- reduntant compents and multiple paths
2 differnt places they had cables coming with power and multiple indpendent distirbuion path only using one at a time. protection againt most physical events

Rate 4 -tier 4
redunatn compenets inside but also has mulltpo;e distibution paths concurrently maintaible and one fault anywere does not result in any downtime it has protect agiant almost all physical events cisco data centers

Question 7

uptime institue

Answer 7

the uptime institure ccetifies data center designs, builds and operation on a basis, relaible, reducnat operation cavility to oneof foru tier level, data center designers can certify plans constructed facilier earn tier certication after an audit , operatin ffaiclites can prove fault tolerance and sustaibale practices ccerticancation after and audit, operating facilities cn provef
tier stand standard:topology
tier standard:operation sutaiblaity

Question 8

internation data center authoriy

Answer 8

another group that sets standards around data centers

Question 9

ANSI (US)standard

Answer 9

ANSI/BICSI-002-2019 data center design and implentation best practices
best pracices design standard that will complent not replace TIA-942, recommended practices that exceed the requiment specified in TIA-942
BICSI 002 serves as reference meateiral for the data center design consult credential

Question 10

ANSI/BICSI-002-2019 Data Center Design and
Implementation Best Practices

Answer 10

design methdoloy
-facilities cabiling, network, services application
site slection and space planning
-site services and hazards
strucutral and architectual
electrical system
-DC power
-Standby and backup power systems
mechanic systems
security and fire
-designing for fire safety physical safety
faciltiy and building system
telecomunication infrastrue
-cabiling media and connectivey
-cabinet airflow and cabling capacity
network infrstrature
data center comissioning and maientance
energy efficieny
multi site data center architer
colocation planning moving an entire data center

Question 11

europenan standard

Answer 11

standards to deal w building, power, environemtn, telecommunication cabilin infrasure, security, maamgnet and operation info

Question 12

GB 50174 2008
(china) the national standard code for design and election information system room in china

Answer 12

includes three tiers from most strigent to least a, b, c these tiers rank the desing and renovation of IT and communiction equipment rooms

Question 13

JDCC. the japand data center council

Answer 13

covers vuilding serurit electical cooling equipment, communication equipment and maintenace, inclduing seismic considerations, in its outline of faciltiy standard matrix

Question 14

ISO

Answer 14

the internatioanl organization for standaradization an overaching internation conlomration of stadnards bodies
-iso is working on data center standards, several of which aply to facilies and power usage
other iso standard
-ISO9001 quality manamgnet capblite
-IS0270001 certifies and opeation securit practices regarding physical data securirty as well as business protection continuty efforts
-other iso stadads tha data center may use environmental practice such as iso 14001 and nergy mangment 1SO150001

Question 14

ISO/IEC 24764

Answer 14

international standard for data center telectiommuniation cabling infratrure
-Based on CENELEC EN 50173-5 euproeand data center telecome cabling standard

Question 15

LOL

Answer 15

ISO/IEC 19395:2015 Information technology – Sustainability for and by information
technology – Smart data centre resource monitoring and control
* ISO/IEC TR 30132-1:2016 Information technology — Information technology sustainability —
Energy efficient computing models — Part 1: Guidelines for energy effectiveness evaluation
* ISO/IEC PDTR 30133 (Under development) Information technology – Data centres –
Guidelines for resource efficient data centres
* ISO/IEC 30134-1:2016 Information technology – Data centres – Key performance indicators –
Part 1: Overview and general requirements
* ISO/IEC 30134-2:2016 Information technology – Data centres – Key performance indicators –
Part 2: Power usage effectiveness (PUE)
* ISO/IEC 30134-3:2016 Information technology – Data centres – Key performance indicators –
Part 3: Renewable energy factor (REF)
* ISO/IEC 30134-4:2017 Information technology – Data centres – Key performance indicators –
Part 4: IT Equipment Energy Efficiency for servers (ITEEsv)
* ISO/IEC 30134-5:2017 Information technology – Data centres – Key performance indicators –
Part 5: IT Equipment Utilization for servers (ITEUsv)
* ISO/IEC CD 30134-6 [Under development] Information technology – Data centers – Key
performance indicators – Part 6: Energy Reuse Factor – ERF

Question 16

ISO

Answer 16

ISO/IEC 19009:2014 information tech-virtulization mangment specifcation
ISO/IEC 19941:2017 ifnromation technology cloud computing interoperability and portbility big challnge for cloud is that every cloud has their own server

Question 17

Green Grid Association

Answer 17

The iso standard on the preceding lside build on the work of the green grids assication metrics
-PUE metric, defined as powers usage or efficincy

pue devloped by green grid PUE measures how well dta centers use power by a rtio of total building power/power used by IT equpilent alone. THe close to 1 this ratio comes the more efficiently a data center is consuming power

-metrics for water(WUE) usage effectiveness
-carbon(CUE) usauge effectiveness hyperscalers putting out the 7-8times the carbon pullution then they say are

Question 18

ASHRAE the amrican society of heating regeraitign and air condition engineers

Answer 18

have created guildine for themral coontrols, gasoues and particulte cantmiantion

Changes in ahrare recomendation algin with efficiency/green energy issues

Question 19

NFPA: The national fire protection association

Answer 19

the national fire protection association publishes codes and stardards to to minimipize and avoid damage from hazards such as fire
NPFA standard for the fire protection inforamtion tehcnology equpment
requires that data center center install spoke detections syttems
NFPA 70 requeries emergency power buttion for the data center to protect emergncy responded

Question 20

Environemntally Friednly Buildings

Answer 20

BREEAM: the BRE environemental assesment method environmental standard for building im the UK and nearby countries covering design, consturction, and operation

LEED: the leadership in energy and eviornmental design is an internalation certiciation for environmentally consious buildings and operations managed by the US green building council

five rating systems- building design, operaions, newighborhood development and other areas award a LEED level certfied silber gold platinum

the organziaton provides a data centr specifc project checklist as the leed standard includes adaptation for the unuqie requirment of data centers

Question 21

LEED D+B data center checklist

Answer 21

location and transportation
suttainable sites
water efficiency
energy and atomosphere
mateirals and resources
indor enviornmental quality
innovation
regional proiority

Question 22

Industry Groups

Answer 22

OCP the open compuge project standards google and some other have been involved
-designin new racks, ways of computing things
networking service design standar

OIX-the open IX association. OIX - The Open IX Association works to improve how data centers and networks connect to each other. It creates guidelines for Internet exchange points and data centers, focusing on safety, reliability, and managing traffic.

OIX - The Open IX Association focuses on Internet peering and interconnect
performance from data centers and network operators, along with the content
creators, distribution networks and consumers.
It publishes technical requirements for Internet exchange points and data
centers that support them. The requirements cover designed resiliency and
safety of the data center, as well as connectivity and congestion management.

Question 22

IEE standards ASsn PRofessional society

Answer 22

the insitute of electical and elction engineres provides more than 1300 standards and projects for various technoglial field
-releveant standards inclue IEE 802 standards for local area networks such IEE802.11 wirelean LAN specifcation and ethernet net work cabling standard IEEE802.3ba

Question 23

Cotrols-AICPA

Answer 23

SAS70
satement on auditing standard number 70 devleoped by the AICPA was an autit standat for mesuring a data center fiancial reporting and recordkeepign controls

SSAE 16-statment on standards for attestation engament
-AICIPA auding standarding for reporting on cotnrals at service organization includin gdata centers in the unites
goes beyon sas 70 by requireing the audiot to obtain a written asserion from managment ragarting the desing and operating effective of the control being reviewed.
also prvides better alignment with interantional audit stadanrd ISAE3402

SAS 70 (Replaced in June 2011)
- What it was: SAS 70 was an auditing standard created by the AICPA (American Institute of CPAs) to evaluate how well data centers managed their financial reporting and record-keeping.

SSAE 16
- What it is: SSAE 16 is an auditing standard for assessing controls at service organizations, including data centers, in the U.S. It replaced SAS 70 in May 2017 and was later succeeded by SSAE 18.
- Key differences from SAS 70: SSAE 16 requires auditors to get a written confirmation from management about how effective the controls are.
- International alignment: SSAE 16 is also designed to align more closely with the international standard ISAE 3402, which deals with assurance reports on controls at service organizations.

Question 24

SSAE 16 SOC 1 reports

Answer 24

Sure! Here’s a simpler breakdown of SOC 1 reports under SSAE 16:

1. Purpose: SOC 1 reports focus on controls that affect financial reporting.
2. Who Can Use Them: These reports are for existing customers and their auditors, not for potential customers or the public.
3. Types of Reports:
   
   • Type 1: This report gives an opinion on the description of the system and whether the controls are suitably designed at a specific date.
   • Type 2: This includes everything in Type 1 and also checks how well the controls worked over a period (usually 6 to 12 months).
4. No Certification: Just like SAS 70, there’s no official certification for SSAE 16 or SOC 1 reports.

In short, SOC 1 reports assess and verify controls related to financial reporting for the use of current clients and their auditors.

An audit that is conducted under SSAE 16 will result in a Service
Organization Control (SOC) 1 report. These reports are focused on
controls relevant to internal control over financial reporting. In essence, a
SOC 1 report will be the form of reporting for a completed SSAE 16 audit.
* As with SAS 70, SOC 1 reports are restricted use reports intended only for
existing customers and their auditors, not prospective customers or the
general public.
* SOC 1 reports will be available as Type 1 or Type 2 reports
– Type 1 reports present the auditors’ opinion regarding the accuracy
and completeness of management’s description of the system or
service as well as the suitability of the design of controls as of a
specific date.
– Type 2 SOC 1 reports include the Type 1 criteria AND audits the
operating effectiveness of the controls throughout a declared time
period, generally between six months and one year.
Like SAS 70, there is no official SSAE 16 or SOC 1 “certificatio

Question 25

SSAE- SOC 2 reprots

Answer 25

SOC is looking at all isues regrding security aviality proccessing itegeity confideicny andprivary of a system and it s info based on predefined controls

service organization control SOC 2 reprts are indend to prive assuranve about controls realted to securirty availabity, preccesing itegreity, confidentially and privary of a system and its information

A SOC 2 rpeort is based on pre defined controls critera for evaluating the design and operating effectiveness of controls at a data center or other service organication(AICPA( trust services princples and critera)

Question 26

SSAE 16 SOC 3 report

Answer 26

-– SOC 3 reports provide the same level of assurance about
controls as a SOC 2 repo
-can be for general viewing
-does not contain the detailed description of teting performed by the auditor
-provides a summary opinion reagrding the effectives of the controls in plate at the data center or service organization

once the auditor is aussred that the data center operator has achieved the turst sservices critera the comanpy can display the SOC 3 systrust for service organziation seal

Question 27

INfroamtion security

Answer 27

HIPAA
The Health Insurance Portability and Accountability Act of 1996
privacy and security of helath informtion organization can get a hippa audit

PCI DSS
the payment card indsutry data security standard was created by the major credit card issues, adn applies to companies that accept store prcoess and transmit credit cardholder dta

Question 28

PCI Data Security Standard

Answer 28

1. instiall and mainatain securrt controls
2. apply secure configurations to AI sytem compents
3. protect sotred account data
4. it msut by encrypted when its sent over w strong cryotgraphy
5. protect from malicous software
6. develop and mainatin secure systems and software
7. restrict access to system compenent and cardholder data by business need to know
   identifyusers
8. restic physcal acces to card dta
9. log and monitor all acces to sytem compneents and cardholder data
10. test securt stems regulary
11. support information sercurt with organization policeis and programs
12. build and matinain a secure network and sytems
13. protect acc data
14. maintian vunerbility magment proram
15. implemtn strong access control measures
16. regularly monitor and test networkds
17. maintain information securirt policy

Question 29

HOW to ccomply with PCI DSS

Answer 29

PCI DSS rquiements apply to the crdholder dta CDE which coprised of
ystem components, people, and processes that store, process, and transmit
cardholder data and/or sensitive authentication data, and,
– System components that may not store, process, or transmit CHD/SAD but
have unrestricted connectivity to system components that store, process, or
transmit CHD/SAD.
AND
System components, people, and processes that could impact the security of
the CDE.
* Each payment card brand has defined specific requirements for compliance
validation and reporting, such as provisions for performing self- assessments
and when to engage a Qualified Security Assessor (QSA).
* Depending on an entity’s classification or risk level (determined by the individual
payment card brands), processes for validating compliance and reporting to
acquiring financial institutions usually follow this sequenc

1. confirm the scope of the PCI DSS assesment
2. Pefrom the PCI DSS assessment of the enviorment
3. complete the applicable reprot for the assessment accroding to the PCI DSS guidance and instrction
4. Complete the Attestation of Compliance for Service Providers or
   Merchants, as applicable, in its entirety. Official Attestations of
   Compliance are only available on the PCI SSC website.
5. Submit the applicable PCI SSC documentation and the Attestation
   of Compliance, along with any other requested documentation— such as ASV scan reports—to the requesting organization (those
   that manage compliance programs such as payment brands and
   acquirers (for merchants), or other requesters (for service
   providers)).
6. If required, perform remediation to address requirements that are
   not in place and provide an updated report.

Question 30

National Institude of Stanards and Technology (US Department of Commerce)

Answer 30

NIST: THe natitonal institude of standards and technology overssees measurements in the US NIST is one of nations oldest physical science labortories

Question 31

ISO

Answer 31

ISO/IEC 27001:2022 information security vybersecurity and prviary protection-ifnroamtion security managment systems requiements

ISO/IEC 27002:2022 information security, cybersectutiy and privacy proetiention

Question 32

certfication

Answer 32

ISO 9001-quality
ISO IEC 27001-ifnroamtion securit
ISO 20000-service magnament
ISO 22301 -business conintiuity

Question 33

ISO 27002 - Info Securiy Control

Answer 33

-information securirty policies
-access control
-asset mangment
-HR security
-cryptography
-physical and environemtnal security
-communiation security
-operation security
-compliance

Question 34

Capability Assessment Manamgent

Answer 34

Wlecting an ovearching capability framwork and mapping other freameworks used in the orgnation to it

Question 35

APQC process classication framewokr (PCF)

Answer 35

APQCs process classification framework is the most used process framework in the world it reates a common language for organizations to communicati and drine work processes comprehensivley without redunancies. organzitons are using it to support benchmarking, magnage content, and perform other important performance magnemnt actvities

the categories are
-develop and manage human capital
-manage it
-mange fiancial resources
-aquire contrutct and mng assets
-mage enterprise risk, compliance, remedtion, and reslity
-manage external realtionships
-develop and manage business capabilities

Question 36

ISO 37000 Governance of organizatioon

Answer 36

This document gives guidance on the governanceof organizaton, it provides princooples andkey aspects of practices to guide governing bodies and governing group on how to meet their responsiblites so that the organiations they govern can fulfil their purpose. it is also intended for stakeholders involved inor impaced by theorgnzation and its governance
it is appliacle to all organizations regadless of type size lcoation sturuer or purpose

Question 37

ISO IT-GOvernance of IT for the organization

Answer 37

triangle 2 arros business pressures and business needs
the triangle is corporote governance of it and under it is evalue evalue has to rros to direct and monitor

direct arrow goes to plans and policies which goes to ict projects

montior arrrow goes to ict operations and ict operations peformance confromance is mntired

business process propals are evaluated by coprorate governance of IT