Standards: Protecting Data Centres Good Practice Guideline
This document was created to meet a set of requirements prepared in 2004 by the National Infrastructure Security Co-ordination Centre (NISCC). Working closely with the National Security Advice Centre (NSAC) and partners within both the private and public sectors this document represents a collaborative effort in delivering best practice advice for protecting Data Centres.
Protection
Data Centre Protection Regimes should:
- be focussed on the major and significant risks;
- be proportionate to the value of the Data Centre assets;
- be proportionate to the level of threat to these assets;
- ensure all risks are managed by a combination of physical, personnel, technical and other protection measures;
- be flexible to allow for Data Centre expansion (or contraction);
- be resilient to cope with unforeseeable emergencies as well as unexpected but planned-for major incidents;
- be adaptable to transfer their Protection Regimes to a Disaster Recovery site if necessary; and
- be kept under review.
1. Business Continuity Plan(s) (BCP) should address the availability of a Data Centre. The Data Centre will invariably provide a 24 by 7 service; and its customer organisations will often demand 99.9%p availability or better.
2. Potentially disruptive events are unavoidable and the purpose of BCP is to minimise the number of these events that achieve a damaging impact on business.
3. All Data Centres should establish extensive and resilient BCP that address the whole spectrum of unplanned events from the day-to-day events that initially seem innocuous in business terms to major emergencies affecting life, property and Data Centre assets. It is likely that a Data Centre’s BCP will be an integral part of the parent organisation’s BCP.
4. BCPs should address the following:
a) evaluation of business needs in an incident;
b) Business Impact Analysis;
c) flexible Standard Operating Procedures (SOPs) for both anticipated and unanticipated events;
d) lessons-learnt processes derived from events and incidents at a Data Centre;
e) information sharing to learn lessons from the experiences of other Data Centres;
f) close and detailed co-ordination of response with local emergency services and local authorities; liaison with the local police force Counter Terrorism Security Adviser (CTSA)r is highly recommended;
g) resilient communications for:
i. broadcasting information to people at risk on-site and nearby;
ii. summoning off-duty staff to assist;
iii. operational business management of an event involving senior managers as required;
iv. operational co-ordination with emergency services;
v. informing other parts of the organisation, stakeholders in the business, customers and others as appropriate;
vi. informing staff families if necessary;
vii. informing local and national media if required.
5. BCPs should include specific plans for the following:
a) safe and speedy evacuation of staff from buildings and site or alternative arrangements for accommodation with their buildings;
b) safety of the general public;
c) bomb and other threat warnings, for example, abduction of workers and, or their families;
d) searches for suspect devices;
e) policies to exclude certain items from a Data Centre site.
6. Data Centres’ BCPs should include detailed Disaster Recovery (DR) plans for the critical business functions.
7. Data Centres should rehearse their BCP. The best of plans will prove ineffective when an emergency occurs if they have not been exercised. Data Centres should create a medium term plan (2 – 3 years) for exercises so that resources can be allocated and disruption to normal business managed properly.
See Protecting Data Centres: Good Practice Guideline
