Wednesday, April 6, 2016

Data Center Security/Safety Review & Audit Checklist

Your data center hosts critical data and contains your core assets, including customer information, intellectual property and other business-critical data. And with emerging trends such as Big Data, bring-your-own-device (BYOD) mobility and global online collaboration sparking an explosion of data, the data center will only become more important to your organization and will continue to be the target of advanced malware and other cyber attacks.

Without wasting much time, here is the checklist for a data center safety review and audit.

  1. Server racks must be strong enough to carry heavy hardware.
  2. Server racks must be locked with keys.
  3. To maintain the cooling mechanism, check that all fans in the server racks are functional.
  4. Physical security of the server room is mandatory, using physical locks.
  5. Access control must be implemented using biometric human verification along with a strong password.
  6. Except for the networking team and security vendors, no other person should be allowed entry into the data center.
  7. If security vendors are allowed into the data center for troubleshooting purposes, there must be at least one person from the organization's networking team present in order to keep a track record of the vendor's activity.
  8. In case of electricity failure, emergency lights and a cooling mechanism must be implemented.
  9. Pest control mechanism must be implemented within the server room.
  10. An inventory of entries and exits must be maintained physically within the data center. A backup copy of that physical inventory must be created in a spreadsheet on a computer.
  11. Along with entry and exit, access logs must be maintained properly. For example, if the network team needs to access a particular device/firewall/server, the entries below must be logged physically in the inventory.
    • Which physical device needs to be accessed by the person
    • Purpose of accessing physical device
    • Duration of accessing physical device
    • For critical operations: has permission been granted by his/her superior to do so?
  12. Any person accessing the data center must be thoroughly checked before being allowed in, so that he/she cannot bring in risky materials such as explosives, knives, cutters, transmitters, jammers, etc.
  13. Primary and backup fire safety equipment must be present in or near the data center.
  14. The optimal temperature for the data center must be between 70 and 80 degrees Fahrenheit.
  15. Data center must be covered with CCTV cameras.
  16. CCTV cameras must cover each and every area of data center.
  17. CCTV camera footage must be saved and managed properly for later use.
  18. The data center must have smoke detectors that cover the whole area of the data center.
  19. Cabling must have proper naming tags and be well managed.
  20. Keep backup battery power and generators at the data center site with a minimum of 24 hours of fuel.
  21. Data center employees must be subject to background checks.
  22. All trash must be shredded on site before being thrown away. Dumpster divers might otherwise retrieve sensitive information from it.
  23. Data center must have disaster recovery plans.
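
An auditor can check the spreadsheet backup from item 10 against items 6, 7 and 11 mechanically. The script below is an added example, not part of the original checklist; the CSV column names, role labels and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of the spreadsheet backup exported as CSV (column names are assumptions).
SAMPLE = """name,role,escort,device,purpose,entry,exit,critical,approved_by
A. Rao,network,,fw-01,rule change,09:00,09:40,yes,S. Mehta
V. Tech,vendor,,srv-12,disk swap,10:00,11:15,no,
J. Doe,finance,,srv-03,look around,12:00,12:10,no,
K. Shah,vendor,A. Rao,fw-02,,13:00,,yes,
"""

ALLOWED_ROLES = {"network", "vendor"}              # item 6: only these may enter
REQUIRED = ("device", "purpose", "entry", "exit")  # item 11: duration needs entry and exit

def val(row, key):
    """Cell value as a stripped string; short or ragged rows yield ''."""
    return (row.get(key) or "").strip()

def audit_row(row):
    """Return the checklist findings for one access-log entry."""
    findings = []
    role = val(row, "role").lower()
    if role not in ALLOWED_ROLES:
        findings.append("item 6: role not permitted in the data center")
    if role == "vendor" and not val(row, "escort"):
        findings.append("item 7: vendor visit with no networking-team escort recorded")
    for field in REQUIRED:
        if not val(row, field):
            findings.append(f"item 11: missing {field}")
    if val(row, "critical").lower() == "yes" and not val(row, "approved_by"):
        findings.append("item 11: critical operation without superior's approval")
    return findings

def audit_log(text):
    """Map spreadsheet row number (header is row 1) to findings for failing rows."""
    report = {}
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        findings = audit_row(row)
        if findings:
            report[n] = findings
    return report

if __name__ == "__main__":
    for n, findings in audit_log(SAMPLE).items():
        for finding in findings:
            print(f"row {n}: {finding}")
```
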
