Secure infrastructure for IT systems. Trusted Site Infrastructure

Transcription

1 Secure infrastructure for IT systems Trusted Site Infrastructure

2 Contents 1 Introduction Hazard potential Physical security Targets 2 2 TSI 3 3 Overview of assessment criteria Environment Construction Fire protection, alarm & extinguishing Systems Security system and organization Power supply Cabling Air conditioning & ventilation Organization Documentation 13 4 TSI certification project Assessment level Workshop Assessment process Certificate and test mark Re-certification 19 5 Dual Site certification requirements 20 6 Further TSI services 22 7 Certification of data centers 24 8 Trusted Site certification family (abstract) 26 9 Changes from TSI V3.2 to V TSI criteria catalogue V About TÜViT Contact 44

3 1 Introduction Information and communication systems provide the basis for many corporate decisions and activities. Their availability is of fundamental significance for any modern company in fact, failures can quickly threaten the very existence of an enterprise. Time-critical access, just-in-time activities, intensive networking and a large volume of on-line business require a high level of system availability and resilience. These aspects, combined with the trend towards centralization of business-critical productive hardware, in turn increase the demands on system performance, data management, and the corresponding mission- critical infrastructure. In order to reduce the probability of systems failure and data losses in such highly-concentrated and complex environments, sophisticated security concepts and reliable security assessments are essential. Depending on the particular sector, evaluations are also useful in cases where a methodical risk assessment is intended to provide reliable information to third parties or where a basis is sought for business specific assessments, e.g. for insurance policies. 1.1 Hazard potential Hazard potential in the area of physical security is of a varied nature and its impacts are serious. The IT-Grundschutz Catalogues of the Federal Office for Information Security list the following four categories of threat: Force Majeure, e.g. lightning, fire or water. Organizational shortcomings, e.g. lack of or insufficient rules and guidelines, or unauthorized access to rooms requiring protection. Technical failures, e.g. disruption of power supply, failure of internal supply networks and of existing security devices. Deliberate acts, e.g. unauthorized entry, theft, vandalism, and attack. Trusted Site Infrastructure Page 1 44

4 1.2 Physical security The security of IT systems can only be optimized within an overall and integrated security concept. The security aspects in the area of missioncritical infrastructures (physical security) are just as important as organizational and IT security (IT systems and their applications). As regards the two latter security aspects, there are more and more procedures and solutions available, while the physical security has hardly been investigated systematically for a long time. This has changed with the publication of the EN standard. With this standard, a comprehensive guideline agreed on a European level is available for the first time. Since 2002, the criteria catalogue of TÜV Informationstechnik GmbH has helped to record, evaluate, and assess the physical structural conditions in a targeted and comprehensive way. The catalogue version TSI V4.0 covers the requirements of the EN standard and recommends itself as a standardized evaluation methodology for the compliance assessment in accordance with EN More and more procedures and solutions, such as for example ISO 27001, are available as regards the latter aspects. Physical security, however, with the exception of some approaches to the problem described in the IT Baseline Protection Manual or in the frequently referenced Tier Model of the Uptime Institute has hardly been subjected to systematic examination up to now. This is the starting point for TÜV Informationstechnik GmbH to introduce a criteria catalogue which helps to record, evaluate and assess infrastructure reliability, resilience and deficiencies and also operational capabilities in their totality and in a highly efficient and integrated way. 1.3 Targets Impartial identification of security risks in mission-critical infrastructures, and effective elimination and mitigation of these risks, are a matter of immediate concern for any IT and facility operator. The top priorities are to introduce preventive measures for the physical protection of IT and communication systems, and to ensure an infrastructure which meets the requirements and limits laid down by existing standards. The aim is to ensure maximum system and data availability, as well as functional reliability approaching 100 per cent. Trusted Site Infrastructure Page 2 44

5 2 TSI TÜV Informationstechnik GmbH (TÜViT) is a subsidiary of TÜV NORD, a competent international service partner for security, safety and quality in a variety of technical fields. A team of experts from TÜViT (IT security evaluation focus) and from TÜV NORD (facility assessment focus) have developed a standard procedure for the evaluation of secure infrastructures for IT systems. This procedure makes use of the expert measures which are acknowledged to be both appropriate and effective, and forms part of TÜViT s Trusted Site certification program entitled Trusted Site Infrastructure (TSI) The list of assessment criteria in the current version is based on the measures published in the IT-Grundschutz Catalogues of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik), and takes the applicable EN and DIN standards, particularly the EN 50600: Information technology Data center facilities and infrastructures, VDE regulations and VdS publications into consideration. It also makes full use of all knowledge gained from everyday working experience in the sense of "best practices". The mechanics of the program are suitable for performing assessments of mission critical infrastructures, no matter whether designed according to Uptime Institute s Tier Model, ANSI TIA-942 or BICSI guidelines. TSI was introduced in 2002 and is today fully accepted on the market as an assessment scheme for data centers. Constant further development of the program and the composition of the audit team with experts from different disciplines contributed to this. The basis for a comprehensible and transparent assessment of data center projects is the TSI criteria catalogue. The compact, easy-to-understand, and clearly structured criteria catalogue is now often cited as a binding requirement in data center tenders, and it serves as a benchmark for data centers in accordance with the state of the art. Trusted Site Infrastructure Page 3 44

6 TSI-certified data centers are to be found in many different sectors of industry and commerce, such as for example, banks, utility companies, co-location providers, the chemical and automotive industries, airports, medium-sized production companies etc. A current list of certified data centers can be found at Area of application The area of application for Trusted Site Infrastructure is not, however, restricted to IT and communication systems. Infrastructure measures are also needed in order to protect other valuable items in high-security storage facilities, to protect archives against unauthorized access, or to fulfil requirements with regard to the environment. The criteria which have to be considered in the course of a security assessment (see chapter 2) generally also apply to these areas. Certification demonstrates the availability and reliability of data centers towards third parties in accordance with widely accepted requirements. It therefore leads to corresponding trust and confidence, as the facilities have been verified by means of "Third Party Inspection". Risk assessment of the mission-critical infrastructure by an independent third party has several benefits: A well-balanced and structured framework for reference when placing an order for the planning of a new data center, if the requirement for certification is included in the tender. Proof of trustworthiness, leading to better market positioning, as possession of a certificate documents the special efforts made in the field of security measures. Quality assurance and quality improvement for internal projects which form the basis for internal decision-making processes. Trusted Site Infrastructure Page 4 44

7 Positive influence on the rating of a company and therefore possibly a better starting point when raising capital and negotiating conditions of insurance. Assurance of trustworthiness for supervisory bodies. Provision of proofs for internal audits If regular inspections are carried out, the assurance that the data center is state of the art. (TSI requirements are subject to ongoing development, in order to represent state of the art criteria). Basically, all data center operators and facility managers benefit from these advantages. However, certification is especially beneficial to those - like ASPs, ISPs or collocation providers - who, in their role as suppliers, are subject to extensive obligations as regards availability. Comply or explain The high level of expertise of our auditors allows for an approach in accordance with the principle comply or explain and it offers a significantly greater flexibility than mere checklists. This means that a data center will not always exactly provide a typical, generally recognized or requested solution, but that a provider is sometimes also equally well positioned with an alternative solution for a special data center or even finds a better solution for a special challenge. In this case, comply or explain means that also special solutions could be assessed positively if they were equally effective and reliable. Who are our customers? TSI-certified data centers are to be found in different industries, such as banks, utility companies, co-location providers, the chemical and automotive industry, airports, medium-sized production companies, etc. The area of application for Trusted Site Infrastructure (TSI) is, however, not restricted to IT and communication systems. Infrastructure measures are also needed to protect other valuable items in high-security storage facilities or archives or to meet requirements with regard to environmental conditions. The assessment criteria to be taken into consideration (see chapter Fehler! Verweisquelle konnte nicht gefunden werden.) usually also apply to the areas of application last mentioned. Trusted Site Infrastructure Page 5 44

8 What are the benefits of a certification? A certification demonstrates the safeguarding of the functioning under the requested protection targets toward third parties, and it creates trust on the basis of a third party inspection. This leads to advantages, such as: Security when an order for the planning of a new data center is placed if the requirement for certification is part of the tender. Proof of trustworthiness for a better market positioning, because the granting of a certificate documents the special efforts made with regard to security measures and a competitive edge can be emphasized. Quality assurance and also quality improvement for the internal project management and determination of a basis for internal decision-making processes. Assurance of trustworthiness for supervising bodies. Provision of proofs for internal audit. In case of regular inspections, the assurance that the data center is state of the art, as TSI requirements are subject to ongoing development. A detailed audit report will be prepared by our auditors for your data center. With this audit report you document towards third parties the quality of your installations and your reliability as an operator and service provider. Authorities, customers, and insurance companies can be convinced on the basis of the audit report that your data center is consistently oriented towards availability and security. A TSI audit report can drastically reduce the time expenditure for audits in connection with superordinate certifications (e.g. for your overall company). Basically, all data center operators benefit from these advantages. However, some criteria apply especially to ASPs, ISPs, co-location providers and industry sectors, which are subject to extensive obligations with regard to availability and security as service providers. Trusted Site Infrastructure Page 6 44

9 3 Overview of assessment criteria The security level which has been achieved by a particular missioncritical infrastructure is established by considering which minimum requirements are met. As could be expected, the requirements become progressively stricter and more extensive at the higher levels. Within this process, a series of assessment criteria are used during examination of the infrastructure to be certified (see Figure 1) ENV: Environment CON: Construction FIR: Fire Protection, Alarm & Extinguishing Systems SEC: Security System & Organization CAB: Cabling POW: Power Supply ACV: Air Conditioning & Ventilation ORG: Organization DOC: Documentation DDC: Dual Site Data Center Figure 1: Assessment criteria of TSI certification Trusted Site Infrastructure Page 7 44

10 A series of defined criteria exists for each of the aspects to be evaluated listed in Chapter 3. These determine the requirements for a Trusted Site Infrastructure. These requirements are gathered together in lists which can be found in Chapter 7, and are briefly explained in the following paragraphs. 3.1 Environment The building is like a cocoon, protecting the IT equipment. The location of the building plays a role with regard to the surrounding hazard potentials, as does the actual position of the security area within the building. If these factors are suitably taken into consideration, potential sources of hazard can be prevented from the very beginning. Environmental hazards originating from water, explosions, debris, vibration and shaking or harmful substances are avoided. In the same way, traffic routes with hazardous materials transportation are avoided, in order to prevent any direct and indirect impacts, such as blocked access. 3.2 Construction Walls, windows, and doors offer protection against unauthorized access (DIN V EN 1627), fire, and smoke (DIN 18095). In the same way, it is ensured that no sections of the building are under threat from water (VdS 2007), EM/RF interference fields (EN part 1) and dangerous production processes in adjacent premises. The building has an external protection against lightning (EN ), and at least the security area represents a separate fire protection zone (DIN 4102). The supply lines have been laid in protective structures. The functional integrity of the IT systems and data carriers is safeguarded in case of any fires in neighboring rooms (EN ). Trusted Site Infrastructure Page 8 44

11 3.3 Fire protection, alarm & extinguishing Systems The risk factors of fire and smoke gases can be controlled by means of fire alarm systems (DIN EN 54), early fire detection (DIN EN 54-20), fire protection flaps and gas extinguishing technology. The fire detection sensor technology (DIN EN 54) covers all security areas and be installed at the right places. A fire protection concept has been agreed with the local fire brigade. The fire alarm system ((DIN EN 54, VdS 2095, DIN 14675, DIN VDE 833-2) monitors the entire security area and is connected via a secure connection with a permanently occupied place. Neighboring rooms, suspended ceiling spaces, and air ducts have been included in the fire detection and alarm system. It is important that in addition to alarms, damage containment measures are activated, for example, by means of a gas extinguishing system in the security area (VdS 2380, VdS 2093) or by other suitable measures. 3.4 Security system and organization The security systems provide protection against intentional acts. Included therein are an access control system and an intrusion alarm system, in order to detect theft (hardware and data), sabotage and vandalism at an early stage, to discourage potential perpetrators and to initiate countermeasures in good time. An access control system, including corresponding access rules, is available both for the security area and also for all infrastructure components (e.g. distributors) (EN ). The intrusion and burglary protection is designed in such a way that it includes several stages and monitors all safety-critical areas by means of an intrusion alarm system (EN 50131). The systems are also supplied with emergency power and connected via a secure transmission path (EN und EN 50518) with a permanently occupied central security control room. Trusted Site Infrastructure Page 9 44

12 3.5 Power supply The power supply is essential for IT systems. It feeds all the different consumers and is always subject to fluctuations. The electrical installations must comply with effective standards and regulations. Protection of low voltage consumer installations against surges, even in the event of direct lightning strikes, must be ensured by means of arresters. Arrangements also have to be made for any possible future extensions to the system. The local utility company should feed power lines via a ring wiring system. The electrical installation must have a TN-S layout throughout the entire building. The power supply of IT equipment must be separate from that of other consumers. Equipotential bonding must be ensured and residual current monitoring must be provided in important segments. An uninterruptible power supply and a standby generator unit supporting telecommunication equipment, security and safety systems and air conditioning facilities are required. The electrical installation has been carried out on the basis of the relevant national standards and regulations (in particular, in Germany DIN VDE 0100) and is protected against overvoltage. Adjusted subdivisions and fuse protections of electric circuits are planned and arrangements for extensions have been made. The IT systems are supplied with an uninterrupted power supply (EN or EN ). All critical infrastructures (IT, telecommunications, security, and air-conditioning systems) are connected to an emergency power supply. There are alternatives with regard to the feeding, such as a ring connection. The electrical installation has been designed as a TN-S network; apart from this, special arrangements have to be made with regard to the electrical distribution. As a matter of principle, IT equipment is supplied separately from other consumers. The overvoltage protection has been carried out in at least two stages (VdS 2833), an equipotential bonding has been ensured (DIN EN 50310), and a residual current monitoring (DIN EN 62020) is provided in important segments. Trusted Site Infrastructure Page 10 44

13 3.6 Cabling The cabling is the connection from the data center to the outside world. Depending on the demands, the internal cabling is performed on simple routes up to redundant routes by using redundant active components. Communication and (copper-based) data cables are laid with the necessary distance to each other on separate cable routings in accordance with EN The cabling is done via main distributors, zone distributors, and local distributors and allows for an easy restructuring and expansion, without any interruption of operations. Any point-to-point cabling is avoided. Data cables are not laid in any hazardous areas or they are specially protected. WAN trays are crossing - free, and a connection to at least 2 providers is provided. 3.7 Air conditioning & ventilation IT systems, as well as archives, and components of the power supply (uninterrupted power supply (UPS), batteries), rely on certain environmental conditions. Air temperature, relative humidity, and dust content are maintained within pre-defined limits. Any contamination of the outdoor air is detected, and an automatic closure of the outdoor air is ensured. Air condition must be monitored by a second set of sensors. It is also essential that HVAC facilities are synchronized with the fire protection concept and that outside chillers or cooling towers are protected against lightning strikes. These installations must also have access control and mechanical protection. The limit value monitoring in IT rooms is realized redundantly. Outdoor installations are covered by the lightning protection concept and protected against any unauthorized access. A redundantly designed air-conditioning system increases the availability and allows for maintenance works to be carried out without any interruption of operations. The system components are included in the fire protection concept. The failure of the process measurement and control technology is of fault-tolerant design. Measures against leakages and for detecting leakages have been taken. Sections are protected against hazards. The systems are able to safely dissipate the heat emission of the IT equipment also in case of high outdoor temperatures. The operation of the systems is monitored via a building control system. Trusted Site Infrastructure Page 11 44

14 3.8 Organization Written procedures must be provided for operating the facilities and to govern testing of the electrical installation and air conditioning components. All infrastructure equipment must be subjected to regular function testing. The components are therefore subjected to checks with regard to their condition and properties at regular intervals, in order to be able to document the consistent effectiveness and availability of the infrastructure components in terms of the security requirements. Responsibilities are clearly defined. In the same way, regulations are required which define the access authorizations, initiate a review of the secondary effects in case of any extensions of infrastructure components, and which ensure a training of the employees. Also a regular backup and mirroring of the data to a second location is considered to be essential. An annual maintenance plan defines the type of maintenance to be performed and the maintenance intervals. Communications with the outside world must be guaranteed, even if one path fails. IT backup media must be stored so as to be protected against fire and unauthorized access. The location must be separate from the security area, and the media must be sufficiently protected in order to comply with the EN 1047 standard (temperature and humidity limits). All security facilities are subjected to regular functional tests. An annual maintenance plan defines the type and intervals of the maintenance of wear parts of the infrastructural components. Safeguarding the communication to the outside also in case of a failure of the telecommunication system is indispensable. The data backup media must be stored in such a way that they are protected against fire and any unauthorized access, and separately from the security area and be adequately protected in accordance with EN A life cycle management and a customer management (as far as the constellation applies) have been introduced. Important key indicators for a safe and sustainable, as well as energy-efficient operation of the data center are recorded, evaluated and used for improvement. Trusted Site Infrastructure Page 12 44

15 3.9 Documentation The measures implemented and the facilities installed will be assessed in a first step by reviewing a security concept and a risk analysis as well as plans and schemes. The type and scope of the preventive measures must result from the risk analysis. It serves to assess and clearly describe the hazard potential for the company. Ultimately, the infrastructure installation can only meet the demands with regard to its availability if rules of conduct are available in the event of damage, and if current plans and documentations can be consulted in order to ensure a quick, appropriate, and safe response. The documentation required for TSI certification is extensive, starting with a security concept, alarm plans, contingency plan and fire protection concept and ending with floor plans, surveillance schemes, security systems, power supply and HVAC schemes. In the security concept, weaknesses and hazards are identified, risks resulting therefrom are evaluated, compensation measures are derived therefrom, and their implementation described. Regulations are set forth in writing and are known to those concerned in the company. Trusted Site Infrastructure Page 13 44

16 4 TSI certification project 4.1 Assessment level The audit questionnaire makes it possible to assess the infrastructure and also offers conclusions regarding the availability of the IT installation. When the installed infrastructure components are accepted as compliant, the questionnaire also offers the operator the certainty that all the useful and necessary arrangements have been made, and that all the system components will work together to achieve the desired result. Four security levels can be certified, which build on one another: Level 1 to Level 4, or in other words: rock-solid to high-end: Level 1 Medium security requirement: The requirements correspond to those of the BSI (Federal Office for Information Security) for basic protection measures at the infrastructure level. The "office space", "home workplace", "mobile workplace" and "meeting, event and training rooms" modules are not taken into consideration here. In fact, the BSI regulations for data centers regarding fulfilment of the limit values of DIN EN and secondary power supply with a diesel generator are taken into consideration as from Level 2 of the TÜViT scheme. The minimum requirement here is an available connection for a mobile standby generator unit. The requirements of Level 1 correspond to those of the IT-Grundschutz Catalogues (IT Baseline Protection) of the Federal Office for Information Security (BSI) at the level of infrastructure with regard to the modules server room, building, electrotechnical wiring, data carrier archive and the room for technical infrastructure. Level 2 This security level defines supplementary requirements in connection with all evaluations aspects. In particular, the choice of location is evaluated and a detailed analysis is carried out on the basis of a security concept. There are increased requirements with regard to the effectiveness of the measures. Redundancies in power supply and safeguarding a secondary power supply are mandatory. Trusted Site Infrastructure Page 14 44

17 Enhanced security requirement: Level 2 defines additional requirements with regard to all aspects of the assessment. In particular, the choice of location is assessed and an in-depth analysis is undertaken based on a security concept. Requirements regarding the effectiveness of the measures are more stringent. Provision of a standby generator unit is obligatory. Level 3 High security requirement: This level is characterized by complete redundancy of critical supply systems No single point of failure, fulfilment of climate limit values in accordance with EN and increased security requirements as regards the location. The possibility of carrying out maintenance without any interruption of operations, mastering component errors, losses of routes and space in power supply are what distinguishes Level 3. In addition, there are supplementary requirements with regard to air-conditioning technology, increased requirements with regard to burglary inhibition, and additional access restrictions. Any possibly existing location risks are compensated. Level 4 A separate building used exclusively for the data center, complete path redundancies of the supply systems, and in addition an extensive access protection via perimeter protection, and single entry access control systems characterize Level 4. The neighbourhood must be free of hazards, and alarms must be followed by extremely rapid intervention. Enhanced If all requirements of an assessment criterion (ENV, CON, FIR, SEC, CAB, POW, ACV) are met on the next higher level, these criteria are identified in the certificate as enhanced. Trusted Site Infrastructure Page 15 44

18 4.2 Workshop If desired, the assessment aspects and criteria described in this document can be presented and discussed in detail within a workshop. This workshop can help those who are interested to decide if certification is in fact appropriate, and can also serve to prepare for certification. At the same time, initial assessment of plans or, in the case of existing installations, assessment of the suitability for certification and identification of obvious nonconformities can also be covered. One-day workshops include the following items: Description of inspection procedures and sequences, Detailed presentation and discussion of the assessment criteria, Consideration of the Level which is appropriate to the given requirements Notes on development of a security concept, Inspection tour of the data center and/or viewing of the plans in case of a new building or installation and Discussion of the further procedure to be followed. 4.3 Assessment process After the workshop, the potential certification client can decide if he wants to enter into the assessment process. If this is the case, a set of documentation regarding the infrastructure (DIM for Level1) or a security concept with the corresponding plans must be submitted for detailed examination. A site inspection, an evaluation of the present load condition, an assessment of capacity and capacity constraints, identification of critical deficiencies and potential downtime risks, an assessment of the concurrent maintenance abilities of the site and recommendations for improvements are also part of the evaluation process. With the help of the customer documentation, the scope and effect of the current measures are assessed, and a check is made to ensure that the measures do not counteract each other when applied. The customer is given the opportunity to review the documents and to rectify any weaknesses which have been identified. Trusted Site Infrastructure Page 16 44

19 When this review and the correction are complete, the documentation is used as a basis for the further assessment process. A site inspection is agreed with the client, which serves to check if the measures and components have been implemented or installed as described. Finally, TÜViT draws up a test report for the client and, if all criteria are fulfilled, a certificate is issued which authorizes use of a corresponding test mark. 4.4 Certificate and test mark On the basis of the evaluation for the Trusted Site Infrastructure, a certificate can be issued which entitles the certificate owner to use the "Trusted Site Infrastructure test mark (see cover sheet) if all the individual aspects for the security area which have been evaluated are fulfilled. An overview of the assessment aspects from Chapter 3 are provided in the appendix of the certificate. The certificate is valid for two years, and can then be renewed. The test mark may be used both on the operator's website and in advertising and publicity material. In the same way, the test mark and the certificate are published under provided that the operator gives permission. Trusted Site Infrastructure Page 17 44

20 Figure 2: Example of certificate The test mark may be used both for the operator s website and brochures and accordingly for advertising and publicity material. Furthermore, the certificate is provided there are no objections also published under Trusted Site Infrastructure Page 18 44

21 4.5 Re-certification The certificate is valid for two years and can be extended by a further two years by means of recertification. The audit and visit to the site is carried out around six months before expiry of the certificate, in order to give the operator the opportunity to correct any non-conformities before expiry. The following certificate begins with the expiry date of the first certificate. The prerequisite is that there are no nonconformities at the time when the certificate is changed over. This makes it possible to provide continuous, interruption-free proof of the quality of the data centers to third parties. The planning of the inspection periods is now easy for both the operator and inspectors. Annual surveillance audits as usually performed in connection with management audits can be waived, so that your expenditure is reduced. Trusted Site Infrastructure Page 19 44

22 5 Dual Site certification requirements Two trends can be recognised in the design of data centers: on the one hand there is the trend towards consolidation, which leads to abandonment of a large number of small server rooms in favour of fewer and larger installations. On the other hand, there is the consistent policy of spreading risk over at least two locations, whereby the costs for supply technology are balanced and adapted accordingly. TSI takes this trend fully into account with Dual Site Certification. Here, two data centers are assessed in combination. The certification level of the dual site certificate that is achieved depends on the level of each individual center. The following conditions apply for dual site certification: The IT space of the two data centers may only differ from each other by a maximum of 1/3. Successful TSI certification must have been performed for both data centers beforehand The two data centers are linked with one another by means of a redundant data network Hazards from the environment can never affect both data centers at the same time. The data centers must be in separate buildings and have separate supply infrastructures. Further requirements have to be fulfilled for a Dual Site Certificate, depending on the certification level: Dual Site Level 2 Both data centers are certified to Level1, with additional aspects in some areas of assessment (CON, SEC, ORG, DOC). In addition, one of data centers must be equipped with an emergency standby power system. Trusted Site Infrastructure Page 20 44

23 Dual Site Level 3 Both data centers are certified to Level2, with additional aspects in some areas of assessment (CON, SEC, DOC). Dual Site Level 4 Both data centers are certified to Level3, with additional aspects in some areas of assessment (SEC, DOC). In addition, the two data centers are separated by a distance of several kilometers. There is a permanently manned security control center at one of the locations. The Dual Site Certificate applies on condition that the IT components are present in both data centers (redundant system). Trusted Site Infrastructure Page 21 44

24 6 Further TSI services With the recognition of the TSI criteria list within the market, demand is growing for the TSI-related services of TÜVIT. Currently, the portfolio includes the following, in addition to the inspection and certification work: Design evaluation New data centers are often planned taking the TSI criteria into consideration and a certain certification level is often specified in data center tenders. If the planning has reached the draft design stage, it can be evaluated by TÜViT in order to establish its later certifiability and to provide the planning office and the building owner with planning reliability. Site assessments / Environmental risk analyses The TSI criteria catalogue contains, among other things, requirements regarding the location. The safety level that can be achieved ultimately also depends on the location and the control of possible environmental hazards. TÜViT therefore offers site evaluations in order to guarantee the best-possible starting point for the data center that is planned. Weakness/GAP-analysis In order to assess the availability characteristics of existing data centers and to identify any weaknesses, TÜViT offers a Gap Analysis, in which the deviations from the TSI requirements are identified and potentials for improvement are shown. These can then be developed and implemented by planning companies in order to ensure that the completed data center will be capable of certification. Trusted Site Infrastructure Page 22 44

25 Qualification as TSI Professional With the spread of TSI certification, knowledge with regard to the content of the TSI criteria list and the procedure to be followed during the certification process is often needed by those working within the sector. TÜViT has identified this need and is offering a training course leading to the qualification of TSI Professional. This course not only addresses planning companies and engineering consultants, but also operators of data centers who want to gain in-depth knowledge of the criteria list. Quality assurance during commissioning A qualified supported commissioning makes an additional important contribution to a later certification. What is crucial in connection with commissioning tests is that all scenarios to be assumed are taken into consideration, that the tests are carried out properly, and that the results are correctly documented and interpreted. This will be subject to an audit, and the results will be set forth in a meaningful evaluation report. TSI training With the spread of TSI certification, knowledge with regard to the contents of the TSI catalogue and the procedure to be followed during the certification process is requested more and more frequently. TÜViT has identified this need and is offering a training course of two days to that end. On the international level, this training is a prerequisite for obtaining a TSI Professional certificate as evidence of qualification. This training is not only meant for planning firms and engineering firms but also for operators of data centers, which want to deal intensively with the criteria catalogue. Trusted Site Infrastructure Page 23 44

26 7 Certification of data centers As already indicated above, a data center can only be considered as secure if appropriate physical, organizational and IT security measures have been taken. Apart from the test program for physical security, TÜVIT also covers the other aspects with further test programs. The modular TÜViT scheme makes it possible to present a comprehensive statement on the security and quality of the operation of a data center. Through Trusted Site ITSM, consideration of the system is extended to the processes of IT service management. Here, proof must be provided that the customer requirements as regards the IT service processes are taken appropriately into consideration. Trusted Site Security analyses the network security and the quality of the system hardening in order to cover the IT security aspects. The test programs complement each other because of their different focus. Their combination leads to an integrated examination of the entire system and furnishes universal proof of security and quality for the operator in the form of three certificates. Trusted Site Infrastructure Page 24 44

27 This documents that all aspects have been considered, and that security measures have been implemented on a consistently high level for all three cornerstones in both the security domain and the quality domain (see Figure 3). Figure 3: Certification of data centers Trusted Site Infrastructure Page 25 44

28 8 Trusted Site certification family (abstract) Under the "Trusted Site" logo, TÜViT awards test marks that confirm the fulfilment of security and quality features for IT systems. Trusted Site Security examines the IT security of (typically networked) IT installations and confirms the fulfilment of suitable security targets within the framework of a security-related validation procedure. Trusted Site ITSM examines the IT Service Management Processes of the ITIL Reference model concerning quality, integrity and level of implementation in reference to the requirements of ISO for the organisation. Trusted Site Privacy examines organizations, parts of organizations or the IT business processes in relation to the fulfilment of data protection requirements and their implementation within the IT installation. Trusted Site PK-DML examines the audit-proof archiving of document management solutions. The TÜViT test marks mentioned may also be awarded as combination test marks with congruent term and the same examination area in the company. Trusted Site Infrastructure Page 26 44

29 9 Changes from TSI V3.2 to V4.0 The requirements of EN Data center facilities and infrastructures were transferred into the TSI catalogue. The TSI criteria known and enhanced are either applied or with supplement of additional 18 criteria (see orange marking) a full audit with regard to compliance in accordance with EN Various requirements were specified more precisely in order to provide planners and operators of data centers with a high degree of planning reliability. The logic regarding the application of the requirement classes B and C has been improved. All basic requirements are now set forth as an explanation under the criterion; the description relating to a requirement class now only comprises the supplement. Some criteria have been transferred to other trades, in order to be more efficient during the audit. With structure of cabling a new chapter is integrated into the catalogue. Trusted Site Infrastructure Page 27 44

30 10 TSI criteria catalogue V4.0 Environment No. ENV01.01 ENV02.01 ENV03.01 ENV04.01 ENV05.01 ENV06.01 ENV07.01 ENV08.01 ENV09.01 ENV10.01 Criterion / Sub-criterion Avoidance of Flood Hazard Areas Avoidance of Production and Storage Sites or Pipes of explosive Substances Avoidance of plants or storage sites with pollutant emissions or pollutant release Avoidance of Sources of EMI (Electromagnetic Interference) Avoidance of Sources of Vibrations Avoidance of Traffic Routes with increased Level of the Transport of hazardous Goods Avoidance of Objects in the Vicinity prone to Attacks Avoidance of Locations for or Access Routes to Mass Events Outside of the Area of Debris from the Collapse of tall Structures Away from Run-offs of man-made Lakes and Avalanches Trusted Site Infrastructure Page 28 44

31 Construction No. CON01.01 CON01.02 CON01.03 CON01.04 CON01.05 CON01.06 CON01.07 CON01.08 CON01.09 CON01.10 EN50600 CON02.01 CON03.01 CON04.01 CON04.01 CON04.03 CON04.04 CON04.05 CON04.06 CON04.07 EN50600 CON05.01 CON05.02 CON05.03 CON05.04 CON06.01 Criterion / Sub-criterion Inconspicuous, not exposed Location within the Building Avoidance of Areas within the Building with potential Hazards Coherent Security Area Meaningful functional Floor Plan with Fire protective Separation Adequate dimensioning for area, height, statics, and routing Separate Access Routes for Technical (M+E) and IT Personnel Building with exclusive Use as Data Center Perimeter Security No parking near exterior walls of IT rooms Access ways and secured delivery Rental right and building utilization Exterior Lightning Protection Massive, especially solid Construction Protective construction by using appropriate building materials Securing the Technical Zone Avoidance of Windows in Security Area Safeguarding against Sabotage and Penetration of Ducts, Risers & Outer Openings Protection for interconnection points of supply networks and outdoor installations Implementation of a protected zone shell model Avoidance of flammable interior Construction Materials and Items of Furniture Protection of doors, windows, and dampers against fire and smoke in accordance with EN 1634 Proper Execution of Fire Stops Maintaining of Temperature and Humidity Ranges during Fires in adjacent Areas Constructive Protection against Water Trusted Site Infrastructure Page 29 44

32 No. CON06.02 CON07.01 CON08.01 CON09.01 CON10.01 Criterion / Sub-criterion Avoidance of Pipes in IT-Rooms containing Fluids Electronic Door Opener and Locks with Emergency Power Supply Emergency lighting and signposted escape routes Secure, redundant WAN tray using different pathways Orderly Installation of the Cable Trays Trusted Site Infrastructure Page 30 44

33 Fire Protection, Alarm and Extinguishing Systems No. FIR01.01 FIR01.02 FIR01.03 FIR01.04 FIR01.05 FIR01.06 FIR01.07 FIR02.01 FIR02.02 FIR02.03 FIR02.04 FIR03.01 Criterion / Sub-criterion Use of a suitable State-of-Art Fire Alarm System Monitoring of IT- and Technical Areas Monitoring of adjacent Rooms Sufficient Density of Detectors Room use-based Types of Sensors Usage of Very Early Smoke Detection Systems CO2 Hand-held Fire Extinguishers Automatic Suppression or Prevention System or alternate Solution Monitoring of the Clean Agent Tanks or the Prevention System Clean Agent Tanks or Prevention System in separate, Access controlled Room Fire Dampers controlled by Fire Alarm System Maintenance of Fire Alarm and Fire Suppression System Trusted Site Infrastructure Page 31 44

34 Security Systems and Organization No. SEC01.01 SEC01.02 SEC01.03 SEC01.04 SEC01.05 SEC01.06 SEC01.07 SEC01.08 SEC01.09 SEC01.10 SEC02.01 SEC02.02 SEC02.03 SEC02.04 SEC02.05 SEC02.06 EN50600 SEC03.01 SEC04.01 SEC05.01 SEC06.01 SEC06.02 SEC06.03 SEC06.04 Criterion / Sub-criterion EAC: Use of a suitable State-of-the-Art Access Control System EAC: Protection of the central Panel EAC: Installation and Monitoring of Cables protected against Sabotage EAC: components with emergency power supply EAC: Use of suitable Readers EAC: Security of the ID device (IDD) EAC: Tracking of Entries EAC: Identification of User by second Factor EAC: Implementation of Zoning Concepts EAC: Monitoring of Door Opening Time Intrusion alarm system: Use of an appropriate burglary alarm system according to the state of the art Intrusion Alarm System: Use of appropriate Sensors with increased Responsivity Intrusion Alarm System: Use of Motion Detectors in IT-Areas Intrusion Alarm System: Monitoring of Technical Equipment Rooms Intrusion alarm system: Monitoring of IT rooms Intrusion alarm system: Safe alarm transmission Video Surveillance System Surveillance of Perimeter or Exterior Areas Single Person Access Control ORG: Regular Maintenance and Inspection ORG: Securing the Workstation for the IDD Administration ORG: Security Subcontractor ORG: Security Personnel on Site Trusted Site Infrastructure Page 32 44

35 Cabling Nr. CAB01.01 CAB01.02 EN50600 CAB01.03 EN50600 CAB01.04 CAB01.05 CAB01.06 EN50600 CAB01.07 EN50600 CAB02.01 EN50600 CAB03.01 EN50600 Criterion / Sub-criterion Secured, separated and redundant WAN trays Structure of communication cabling Redundant, separated telecommunications cable routing Orderly laying of cables Rack feeding via a connection which is protected against any accidental loosening Implementation of intersection points Protection of data lines against sources of interference Design of cabinets and racks ORG: WAN supply via at least 2 providers Trusted Site Infrastructure Page 33 44

36 Energy Supply No. POW01.01 POW02.01 POW02.02 POW02.03 POW02.04 POW02.05 POW03.01 POW04.01 POW05.01 POW05.02 POW06.01 POW07.01 POW08.01 POW08.02 POW08.03 POW09.01 POW09.02 POW09.03 POW09.04 POW09.05 POW09.06 POW09.07 POW09.08 POW09.09 POW10.01 POW10.02 Criterion / Sub-criterion Electrical Network Form TN-S Utility Feed at least Ring Main Supply Routes protected against Manipulation and Fire PDUs of IT areas with own Feed without Branches IT distribution boards in security area exclusively for supply of IT Rack Supplies secured against accidental Pulling Preventive Fire Protection in Rooms with Switchgear A/B-supply for redundant Power Adaptors Surge Protection for the Electrical Supply Surge Protection for Telecommunication and Low Voltage Cabling Securing the Controls of Circuit Breakers Earthing of all metallic Components on shortest Way possible Monitoring of reasonable segments with regard to stray currents Avoidance of central RCDs Power Monitoring UPS: Central UPS UPS: External bypass UPS: 2 central UPSs in different Fire Zones UPS: Installation of UPS and batteries in separate rooms in terms of fire protection UPS: Ventilation and Air Conditioning of the Battery Room UPS: Secure Air Conditioning of UPS Room on Generator UPS: Batteries UPS: Configuration of a static UPS with Capacity Reserves UPS: Sizing of energy storage for complete shutdown of IT GEN: Generator GEN: Redundancies Trusted Site Infrastructure Page 34 44

37 No. POW10.03 POW10.04 POW10.05 POW10.06 POW10.07 POW10.08 POW11.01 POW11.02 POW11.03 POW11.04 POW11.05 Criterion / Sub-criterion GEN: Preparation and contractual Agreements for mobile Generator Units GEN: Configuration of the Generator with Capacity Reserves GEN: Fuel Storage for at least 48 Hours GEN: Tank system GEN: Regular functional Testing GEN: Securing of Transfer Switchgear ORG: Selectivity Calculation ORG: Monitoring of Operating Conditions ORG: Fault Messages to permanently occupied Station ORG: Regular Maintenance of Electrical Installations ORG: Test under Load during Commissioning of new Installations Trusted Site Infrastructure Page 35 44

38 Air Conditioning & Ventilation No. ACV01.01 ACV01.02 ACV02.01 ACV03.01 ACV04.01 ACV04.02 ACV04.03 ACV04.05 ACV05.01 ACV05.02 ACV05.03 ACV06.01 ACV07.01 ACV07.02 ACV08.01 ACV09.01 ACV09.02 ACV09.03 ACV10.01 ACV10.02 ACV10.03 EN50600 Criterion / Sub-criterion Observance of operationally reliable environmental conditions in data center areas Adequate ventilation of technical components and data center areas Safe and airflow-optimized Installation of Units Leakage Protection and Detection in IT and electrical Rooms Redundant design of active parts of the systems (on the generator s side, on the distributor s side) Execution of piping and passive components Configuration for Maintenance without Interruption in Operation Execution and redundancy of air-conditioning (on the consumer s side) Filtering of ambient air Infiltration of Smoke and Dust into IT-Rooms shall be prevented Monitoring of the fresh Air Intake Local Separation of Components of the central Cooling Unit Cooling Towers protected against Sabotage Proper Dimensioning and secured Installation of Cooling Towers Configuration conforming to Design and Installation with Ease to maintain Cooling Systems Secure electrical Supply of ACV Components Secure Water Supply of Cooling Towers with Water spraying Safe control and regulation Monitoring of Operation Independent Monitoring of Temperature and Humidity Qualification for energy efficiency Trusted Site Infrastructure Page 36 44