|
4.6 Computer Centres
Description
There is a tendency nowadays towards centralisation of business-critical hardware used for productive purposes in both the public and private sectors. This is due on the one hand to enhanced availability requirements, but is also the result of demands to standardise administration as much as possible, generally under pressure to make additional manpower savings. The capability required of these systems and the network environment has especially risen in applications where time-critical access to central databases has to be implemented. To obtain the higher performance that is needed and in addition to hold appropriate reserves in the medium term, medium-sized companies which up to now have relied on a distributed client/server concept, have supplemented or partially replaced their IT environment with computer centres.
A computer centre comprises the facilities (computers, storage and print facilities, robot systems etc.) and premises (computer room, archives, stores, recreation area etc.) necessary to operate a large data processing system installed centrally for a number of offices. A computer centre is either manned continuously (with staff working shifts) or else at times when it is not manned there is an on-call service (with or without the possibility of remote administration). Generally a company's data processing does not rely exclusively on the central IT equipment in a computer centre, but on a multitude of local IT systems that are connected to it. However, the concentration of IT equipment and data in a computer centre means that the amount of potential damage that could occur is much greater than where data processing is decentralised. Wherever a large computer system is used, the "Computer Centres" module must be applied.
This module is primarily aimed at the most commonly found types of computer centre, of average quality. The security requirements lie between those of a server room or "server park" and those of high-security computer centres, such as, for example, are found in the banking industry. In addition to the standard security measures listed here which have proved themselves in practice, in most cases additional, tailored IT security measures which take into account the specific requirements and environment concerned are also necessary. Threats due to terrorism or force majeure are only touched on in the standard security measures that are described here.
The module is directed on the one hand at readers who operate a computer centre and wish as part of an audit to check whether they have implemented suitable standard security measures. On the other hand, the "Computer Centres" module can also be used to gain a preliminary view of the IT security measures which need to be implemented when IT assets are centralised in a medium-sized computer centre if this is to be operated securely. To make the module easier to understand, technical details and design variables have deliberately been omitted. Even large IT departments should not consider building a new computer centre without the help of an experienced planning team and/or an experienced planning and consultancy firm. Where computer centre services are to be outsourced, this module can be used to check the services offered with regard to their security level.
In contrast to the protection requirement of a server room (see "Server Room"), many IT security measures are not simply optional for a computer centre but mandatory. These include, for example, an appropriate alarm system and an alternative power supply. For such secure IT operations devices for the early detection of fires through monitoring of the hardware use and the raised floor is effective and economical. Automatic indoor fire extinguishing systems are primarily directed at the building itself.
Threat Scenario
The following typical threats are assumed to be relevant to the IT baseline protection of a computer centre:
Force Majeure
Organisational Shortcomings
Technical Failures
Deliberate Acts
Recommended Countermeasures
To implement IT baseline protection, selection of the required packages of safeguards ("modules") is recommended, as described in Sections 2.3 and 2.4.
The safeguard package for the area "Computer Centres" is set out below:
Infrastructure
Planning
Power supply
Fire Protection
Building Protection
Organisation
Contingency Planning
© Copyright
by Bundesamt für Sicherheit in der Informationstechnik |
last update: July 2001 |