IT Baseline Protection Manual - Chapter 4.6 Computer Centres

4.6 Computer Centres

Description

There is a tendency nowadays towards centralisation of business-critical hardware used for productive purposes in both the public and private sectors. This is due on the one hand to enhanced availability requirements, but is also the result of demands to standardise administration as much as possible, generally under pressure to make additional manpower savings. The capability required of these systems and the network environment has risen especially in applications where time-critical access to central databases has to be implemented. To obtain the higher performance that is needed and, in addition, to hold appropriate reserves in the medium term, medium-sized companies which up to now have relied on a distributed client/server concept have supplemented or partially replaced their IT environment with computer centres.

A computer centre comprises the facilities (computers, storage and print facilities, robot systems etc.) and premises (computer room, archives, stores, recreation area etc.) necessary to operate a large data processing system installed centrally for a number of offices. A computer centre is either manned continuously (with staff working shifts) or else at times when it is not manned there is an on-call service (with or without the possibility of remote administration). Generally a company's data processing does not rely exclusively on the central IT equipment in a computer centre, but on a multitude of local IT systems that are connected to it. However, the concentration of IT equipment and data in a computer centre means that the amount of potential damage that could occur is much greater than where data processing is decentralised. Wherever a large computer system is used, the "Computer Centres" module must be applied.

This module is primarily aimed at the most commonly found types of computer centre, of average quality. The security requirements lie between those of a server room or "server park" and those of high-security computer centres, such as, for example, are found in the banking industry. In addition to the standard security measures listed here which have proved themselves in practice, in most cases additional, tailored IT security measures which take into account the specific requirements and environment concerned are also necessary. Threats due to terrorism or force majeure are only touched on in the standard security measures that are described here.

The module is directed on the one hand at readers who operate a computer centre and wish as part of an audit to check whether they have implemented suitable standard security measures. On the other hand, the "Computer Centres" module can also be used to gain a preliminary view of the IT security measures which need to be implemented when IT assets are centralised in a medium-sized computer centre if this is to be operated securely. To make the module easier to understand, technical details and design variables have deliberately been omitted. Even large IT departments should not consider building a new computer centre without the help of an experienced planning team and/or an experienced planning and consultancy firm. Where computer centre services are to be outsourced, this module can be used to check the services offered with regard to their security level.

In contrast to the protection requirement of a server room (see "Server Room"), many IT security measures are not simply optional for a computer centre but mandatory. These include, for example, an appropriate alarm system and an alternative power supply. For such secure IT operations, devices for the early detection of fires through monitoring of the hardware in use and the raised floor are effective and economical. Automatic indoor fire extinguishing systems are primarily directed at the building itself.

Threat Scenario

The following typical threats are assumed to be relevant to the IT baseline protection of a computer centre:

Force Majeure

  • T 1.2 Failure of the IT system
  • T 1.3 Lightning
  • T 1.4 Fire
  • T 1.5 Water
  • T 1.6 Burning cables
  • T 1.7 Inadmissible temperature and humidity
  • T 1.8 Dust and dirt
  • T 1.11 The effects of catastrophes in the environment
  • T 1.12 Problems caused by big public events
  • T 1.13 Storms

Organisational Shortcomings

  • T 2.1 Lack of, or insufficient, rules
  • T 2.2 Insufficient knowledge of rules and procedures
  • T 2.4 Insufficient monitoring of IT security measures
  • T 2.6 Unauthorised admission to rooms requiring protection
  • T 2.11 Insufficient route dimensioning
  • T 2.12 Insufficient or unsuitable documentation
  • T 2.20 Inadequate or incorrect supply of consumables

Technical Failures

  • T 4.1 Disruption of power supply
  • T 4.2 Failure of internal supply networks
  • T 4.3 Failure of existing safety devices

Deliberate Acts

  • T 5.3 Unauthorised entry into a building
  • T 5.4 Theft
  • T 5.5 Vandalism
  • T 5.6 Attack
  • T 5.16 Threat posed by internal staff during maintenance or administration work
  • T 5.17 Threat posed by external staff during maintenance work
  • T 5.68 Unauthorised access to active network components
  • T 5.102 Sabotage

Recommended Countermeasures

To implement IT baseline protection, selection of the required packages of safeguards ("modules") is recommended, as described in Sections 2.3 and 2.4.

The safeguard package for the area "Computer Centres" is set out below:

Infrastructure

Planning

  • S 1.16 (3) Selection of a suitable site (optional, if and where alternatives exist)
  • S 1.49 (2) Technical and organisational requirements for the computer centre

Power Supply

  • S 1.1 (2) Compliance with relevant DIN standards/VDE specifications
  • S 1.2 (1) Regulations governing access to distributors and rooms
  • S 1.3 (1) Adapted segmentation and protection of circuits
  • S 1.4 (1) Lightning protection devices
  • S 1.5 (1) Galvanic separation of external lines
  • S 1.25 (1) Overvoltage protection
  • S 1.56 (2) Secondary power supply

Fire Protection

  • S 1.6 (2) Adherence to fire protection regulations
  • S 1.7 (1) Hand-held fire extinguishers
  • S 1.8 (2) Room allocation, with due regard to fire loads
  • S 1.9 (1) Fire sealing of cable routes
  • S 1.10 (2) Use of safety doors and windows
  • S 1.26 (1) Emergency circuit-breakers
  • S 1.47 (1) Separate fire cut
  • S 1.48 (1) Fire alarm system
  • S 1.50 (1) Smoke protection
  • S 1.51 (2) Fire load reduction
  • S 1.54 (2) Early detection of fires / fire extinguishing technology (optional)

Building Protection

  • S 1.11 (2) Plans detailing the location of supply lines
  • S 1.12 (2) Avoidance of references to the location of building parts requiring protection
  • S 1.13 (3) Layout of building parts requiring protection
  • S 1.14 (2) Automatic drainage
  • S 1.15 (1) Closed windows and doors
  • S 1.17 (3) Entrance control service (optional)
  • S 1.18 (1) Alarm systems
  • S 1.19 (1) Protection against break-in
  • S 1.23 (1) Locked doors
  • S 1.24 (2) Avoidance of water pipes
  • S 1.27 (1) Air conditioning
  • S 1.52 (2) Redundancies in the technical infrastructure
  • S 1.53 (2) Video surveillance (optional)
  • S 1.55 (2) Perimeter protection (optional)
  • S 1.57 (2) Up-to-date infrastructure and building plans

Organisation

  • S 2.4 (2) Maintenance/repair regulations
  • S 2.14 (1) Key management / identity pass administration
  • S 2.15 (2) Fire safety inspections
  • S 2.16 (2) Supervising or escorting outside staff/visitors
  • S 2.17 (1) Entry regulations and controls
  • S 2.18 (3) Inspection rounds (optional)
  • S 2.21 (1) Ban on smoking
  • S 2.52 (3) Supply and monitoring of consumables
  • S 2.212 (2) Organisational requirements regarding cleaning contractors
  • S 2.213 (2) Maintenance of the technical infrastructure

Contingency Planning

  • S 6.16 (3) Taking out insurance (optional)
  • S 6.17 (1) Alert plan and fire drills
  • S 6.74 (2) Emergency archive (optional)

© Copyright by Bundesamt für Sicherheit in der Informationstechnik. Last update: July 2001