Security Management
Data centers contain business-critical customer data which, if lost or breached, can have an enormous impact on the organization, including the possible failure of the organization to survive. Certain information of the data center operator/owner is also required to be confidential and only to be used on a ‘need-to-know’ basis.
The data center must implement physical, organizational, and technical security measures (e.g., cybersecurity) to ensure the confidentiality, integrity, and availability of its own and its customers' information and information systems.
Therefore, proper security policies, procedures, work instructions, and controls should be defined and implemented, with regular reviews undertaken, especially following major (regulatory) changes. Consideration should be given to well-established security-related standards such as ISO-27001, PCI-DSS, MCTS, etc., and to the data privacy regulations applicable in the territory where the data center operates.
Security Policies and Procedures
RackBank has clearly defined security policies and procedures. The security policies should at least match, and preferably exceed, regulatory and industry-specific requirements. The policies and procedures should at least:
Be appropriate to the business nature and size of the data center/organization.
Identify the boundaries of what is within the scope of RackBank and what falls under the scope of the authorities (AHJ – Authority Having Jurisdiction).
Be approved, endorsed, and signed off by senior management.
Include a regular review (internal/external) and continuous improvement plan.
Be readily available to relevant individuals within RackBank, its customers, suppliers, and visitors.
Be communicated on a regular basis.
Be sensitive to and respect cultures, gender, etc.
Be reviewed and revised at regular planned intervals, when major changes occur, and immediately after a security incident.
Security Risk Assessment
RackBank regularly performs a security risk assessment. The security risk assessment should:
Be performed at agreed intervals not to exceed one year.
Maintain records detailing the risk assessment, its outcome, and follow-up actions as described in 20.7.4 Risk Management.
Take into account regulatory and industry-specific regulations and standards (e.g., ISO 31000) as well as SLA (Service Level Agreement) commitments.
RackBank considers performing random unannounced security risk assessments and/or internal audits to detect potential security lapses during normal operations.
The risk assessment should identify the risks that RackBank and its (customer) assets may be exposed to; this should include the risk analysis, the risk evaluation, and recommendations for risk treatment for identified risks that exceed the level of risk acceptance.
Where feasible, RackBank should have a summary available on a need-to-know basis for customers and stakeholders.
Security Zones
RackBank has policies describing the various security zones and their restrictions (e.g., computer room: contractors must be supervised, contractors must be screened before contract award, etc.). Security Zone definitions should be linked to the security matrix detailing which job roles are allowed (least privilege principle) within a defined security zone, including definitions on whether they require supervision.
Controlled Items
RackBank policies describe what controlled items are and how they should be treated from a security perspective. The policies should carefully balance security controls against convenience. The list should include but not be limited to the following:
Portable devices (e.g., tablets, laptops, notebooks).
Mobile phones.
Cameras (including phones and other devices with camera capabilities).
Portable media (USB drives/thumb-drives, hard-disk, memory cards, etc.).
Audio recorders.
Devices with radio capabilities (e.g., Bluetooth, WiFi).
Wearables.
Firearms.
Security Staff
RackBank appoints a security manager. The preference is for the security manager to be an employee of the company. Sufficient backup resources should be available to ensure that the security manager’s function is available around the clock, either with physical presence and/or on a standby basis for out-of-office hours.
Other security staff and how they execute their tasks are of vital importance to maintaining proper levels of security.
Where outsourcing takes place, the SLA should include requirements for screening and background checks of security officers and job responsibilities for each.
Security staff should be trained on at least the following:
Security policies and procedures of RackBank.
Soft skills (communication, handling difficult situations, etc.).
Self-defense and weaponry (where applicable).
First Aid.
Evacuation coordination skills.
Security staff should undergo regular refresher training.
Security staff should be rotated where possible to avoid job fatigue (tunnel vision) and the risks associated with security staff becoming too familiar with individuals visiting/working at the data center.
Security Awareness
All individuals working at RackBank's data center should attend security awareness training/orientation at a level appropriate for their function within the organization. There should be regular refresher courses and updates relevant to the job role. Appropriate records of such training, including details of attendees, instructors, and signed attendance records, need to be maintained.
The security awareness program should include but not be limited to:
Overall security policies of RackBank.
Specific security requirements of the department/function of the individual.
Behavioral considerations (e.g., no company and customer information to be posted on social media).
Security incident reporting structure, including relevant details (e.g., contact numbers).
RackBank should continuously re-affirm its security policies by creating additional security awareness programs (e.g., posters, email campaigns).
Contractors/suppliers/vendors should be informed of any relevant security policies and procedures related to their scope of work. Evidence should be recorded of such training/induction having taken place, and the individuals having agreed to comply with the rules and regulations imposed by RackBank.
Physical Security
Entry Control of Individuals
RackBank implements policies and procedures to control the entry of individuals and controlled items to the data center premises and/or facility itself, as well as zones/areas/rooms within the data center facility. These policies and procedures should include possible scenarios and countermeasures for emergency and/or pandemic-related situations. A security matrix should be established with categorization of individuals to include but not be limited to the following categories:
RackBank employees.
Permanent contractors (e.g., cleaners, security).
Vendors, suppliers, and contractors.
Customers.
Visitors.
RackBank has created sub-categories to further refine access control based on security zones and restricted areas (e.g., Mechanical rooms, UPS rooms).
Where visitors enter the restricted facility, they should be accompanied and/or monitored at all times, as required by code, industry regulation, and company policy.
The policies describe, for each defined category within the security matrix, the levels or areas to which they have access. A formal system of access control of personnel to each security zone based on their security categorization should be established and enforced around the clock by either technical means and/or process.
Entry Control of Vehicles
Vehicles (e.g., delivery trucks, cars, motorbikes) entering the security perimeter or coming in close proximity to the data center facility pose a risk to the building structure, personnel, and information within the facility. Therefore, in addition to appropriate levels of physical protection, a process should be established to mitigate the associated risks.
Policies and procedures should govern the handling of each category. These policies and procedures should include but not be limited to:
Registration and pre-registration.
Inspections.
Allocated loading/unloading areas.
Allocated parking areas and type (e.g., personnel, vendors).
Required supervision.
Control of Incoming and Outgoing Goods
Goods brought into RackBank's data center facilities should be inspected for potential hazards as well as security risks. RackBank should consider the usage of different inspection strategies for different security zones and/or facility areas (e.g., the computer room might have higher levels of control versus the loading bay).
RackBank considers requirements for prior notification of incoming goods and how goods are handled when no prior notification has been received.
RackBank has policies and procedures for inspections of outgoing goods in relation to the asset management process. Outgoing goods should be accompanied by written permission from the owner of the goods, detailing what is authorized to be removed.
Based on its security risk assessment, RackBank should determine which inspections are compulsory, optional, and/or random. Where inspections are random, the procedures should avoid discrimination.
Badges
To facilitate monitoring and/or control of personnel movement within RackBank's data center, every individual is required to wear a badge.
The badges should meet the following requirements:
Badges should be distinctly different for each category (e.g., color).
Each badge should uniquely identify a given person.
Badges should not indicate a hierarchical structure (e.g., a badge with a ‘D’ is for director level, ‘E’ for engineers).
Badges should not be easily duplicated or forged.
There should be policies and procedures governing the usage of the badges. These should include but not be limited to:
Each person should be responsible for the security and appropriate use of the given badge.