How secure is your data center? In order to pass HIPAA and SSAE 16 Type II certifications, Green House Data has over sixty auditable security and compliance measures. Each compliant data center is audited once per year.
Some of the security measures are standard practice, while others had to be added to daily practices in some facilities in order to gain compliance. This list can help you get your data center up to speed – or see just how much effort goes into keeping server rooms monitored, secured, and fully auditable.
|Ref No.||Control Area||Control Specification|
|1.1||Policies and Procedures||The policies define common security and availability requirements for all Green House Data personnel and systems that create, maintain, store, access, process, or transmit information.|
|1.2||Policies and Procedures||Green House Data requires employees to read and sign the employee handbook, which includes an acceptable use policy indicating their willingness to comply with company policies and procedures.|
|1.3||Policies and Procedures||Each employee is required to attend a security awareness training session that also addresses availability on an annual basis.|
|1.4||Policies and Procedures||Responsibility for security and availability has been assigned to the Security and Compliance Administrator.|
|1.5||Policies and Procedures||It is the Security and Compliance Administrator’s responsibility to ensure that information security and availability policies are reviewed, updated as necessary, and approved for distribution.|
|1.6||Policies and Procedures||The security and data center availability obligations of employees are communicated within the information security and availability policies and annual Security Awareness training.|
|1.7||Policies and Procedures||Issues of non-compliance with policies are dealt with immediately and could ultimately result in termination.|
|1.8||Policies and Procedures||Green House Data has created a security risk analysis, updated periodically, that outlines potential risks related to the data center services provided to clients.|
|1.9||Policies and Procedures||Green House Data information security and availability policies provide for the identification of applicable laws, defined commitments, and service-level agreements.|
|1.10||Policies and Procedures||Green House Data has provided internal and external users with information on how to report security and availability failures, incidents, concerns and other complaints.|
Green House Data’s organizational structure is organized into three primary areas, namely Engineering, Client Service, and Administration, so that client services are handled in the most timely and efficient manner possible.
To increase the operational effectiveness of employees within this structure, every position has a job description so that individuals understand their responsibilities.
This collaborative approach involves a number of activities including frequent discussions between executive management and employees and other incentives that all work to align each individual’s job responsibilities with the organization’s directives.
Applicants for full-time Green House Data employment are required to complete a successful background check, which includes confirming work experience, prior employment, academic diplomas and degrees, and any required licensure.
New hires are required to review the Green House Data employee handbook and sign an agreement that states that they will abide by the company policies.
The data centers at Green House Data are protected through physically and logically secured card key systems and keypads or biometric locks 24/7/365.
Engineering at Green House Data monitors security surveillance cameras positioned at key locations within the facilities so that client assets are safeguarded.
Only authorized individuals who have access to the data centers can access the equipment within the cabinets.
Visitors to the data centers, including contractors, must sign the visitor log upon entry and must be accompanied at all times.
Engineering is notified when individuals no longer require access to the data centers. Upon notification, the security systems controlling the card keys, keypads, and biometrics are updated in order to revoke access rights to the data centers.
Access to each data center requires the specific approval of management responsible for the data center.
The results of the daily data center walkthroughs are documented in shift reports.
Access to Green House Data’s network and clients’ networks is controlled by Engineering and is restricted to authorized Green House Data employees.
A valid username and password are required to log into Green House Data’s network.
The network password policy configuration enforces an appropriate level of password complexity to help prevent unauthorized network access.
Both of these remote access methods utilize secure sockets layer (SSL) connections over a virtual private network (VPN) and require authorized users to authenticate with a username and password.
Network access requests must be approved by an appropriate member of management.
When an individual’s employment with Green House Data is terminated, a system administrator revokes the user’s access.
Administrator-level access privileges are restricted to only those individuals who require such access to perform their respective job functions.
By effectively utilizing VLANs, each client has their own dedicated virtual Internet Protocol (IP) network environment that is logically partitioned from all other client environments.
Client data and programs are on individual host and/or guest operating systems, which are configured to prevent access by other clients.
Each Washington data center client gets two Ethernet handoffs, and they are addressed only with their IP spaces.
Green House Data has a detailed Change Management Policy and Procedure in place that addresses changes to all data center equipment, including network hardware and telecommunications devices.
In Cheyenne, no hardware, software, furniture, shelving or other materials are removed or added to the data centers without prior approval from the change management committee.
At all Green House Data locations, all changes planned in the data centers are fully documented within a Green House Data Change Request Ticket and changes in Cheyenne data centers are approved at the change management committee meeting held twice a week, every Tuesday and Thursday afternoon at 2:00 pm.
If system changes impact clients or internal Green House Data employees, notification of the change is sent to the impacted parties in a timely manner.
Proper temperature and humidity are maintained throughout the Cheyenne data centers using sensor-controlled CRAC and IDE units.
In the Washington data centers, there are CRAC units at all locations and the temperature is monitored by NOC personnel on an ongoing basis.
The Cheyenne data centers are equipped with air particle detection equipment that detects smoke, dust, moisture, or other particulates that could harm equipment.
The original Cheyenne 01 data center is equipped with a Novec 1230 fire suppression system, and the Cheyenne 02 data center and the three Washington data centers utilize a pre-action sprinkler system.
The data centers use a combination of UPS systems and diesel generators to supply sufficient power in the event of a power outage from the electric utility.
Environmental systems are monitored at all times within the NOC.
A Green House Data employee is on call at all times and receives a page or text when an incident occurs.
HVAC, UPS, diesel generator, and fire suppression equipment is maintained on a regular basis to keep the equipment in proper functioning order.
Green House Data’s Engineering staff utilize network monitoring tools to continuously monitor all aspects of the network for Internet connectivity problems or other irregularities that could disrupt the service provided to clients.
In Cheyenne, alerts are displayed on large panel monitors located within Engineering, and in all locations, alerts are sent via email to a defined distribution list, via text message, and via page to the on-call employee.
For problems that cannot be addressed immediately, a ticket is opened and the appropriate engineer is assigned to correct the problem.
Problem tickets are continuously monitored by management to ensure problems are addressed in a timely manner, resolutions are documented, and the ticket is closed.
|9.1||Performance and Availability||Formal procedures have been developed for the monitoring of system performance and availability, and the escalation of system-related problems.|
|9.2||Performance and Availability||Green House Data’s Engineering team monitors its systems 24/7/365 to maximize performance, preserve the integrity of the systems, and maintain systems availability.|
|9.3||Performance and Availability||Computer systems are monitored for CPU, memory, network, and disk utilization as well as network availability using active monitoring systems that alert Engineering upon reaching configured thresholds for certain metrics.|
|9.4||Performance and Availability||Green House Data’s systems are configured to notify Engineering via an alert in the event certain system performance and availability threshold metrics are met.|
|9.5||Performance and Availability||For alerts that need to be addressed, a ticket will be created and dealt with by Engineering in a timely manner.|
The agreement detailing the terms and conditions of the services to be rendered is signed and returned by the client.
The technical specification documents contain detailed requirements information based on the client’s particular needs.
Based on the order requirements, an engineer sets up the services for the client using defined templates stored within the ticketing system to promote consistency and accuracy in the delivery of services.
Data center personnel will take a copy of photo identification for any client personnel that require access to the data center. Clients are also required to review, complete, and sign the necessary access forms to receive a card key, access codes, and cabinet key.
|11.1||Network Device Security||The Green House Data network is built on multiple layers of routers, switches, and firewalls that are used in managing network traffic and are, therefore, critical in managing clients’ network and system security and availability.|
|11.2||Network Device Security||Access to all of the network devices on the Green House Data network is managed through the use of ACLs and rule sets that restrict device access to individuals accessing the devices from explicitly authorized IP addresses on the Green House Data network.|
|11.3||Network Device Security||In addition, access to configure network devices is restricted to authorized individuals only.|
|11.4||Network Device Security||An application runs each hour and performs a differential comparison of the configurations on all network devices and sends alerts to System Administrators when changes are made.|
Phew! If you've made it this far and haven't found a security, monitoring, deployment, or compliance measure you need for your IT infrastructure, just reach out and we can make it happen. Custom deployments are standard at Green House Data. You can also read more about our security measures, compliance standards, and data centers to get more detailed information.