Auditing a Data Centre But to What Standard? Barry Elliott, RCDD Capitoline LLP belliott@capitoline.co.uk www.capitoline.eu
Data Centre Auditing
- Capitoline has audited over 30 data centres in the UK, Ireland, Netherlands and the Middle East
- Capitoline is the audit partner for the Amsterdam Internet Exchange and Cisco EMEA
- No two customers have the same expectation from a data centre audit
What are the motives to obtain a DC audit?
- Their customers require it
- Need to understand Tier rating
- Know they have problems but need an external consultant to confirm that to free up funding
- Have current and severe operational problems and need to start the overhaul/replacement process
- Need ISMS audits such as ISO 27000
- Need to know their green/CO2/PUE position
- Want compliance with H&S and other legislation
About 50 separate standards that could be applied to a data centre plus many national requirements
Tier Rating The UpTime Institute = TIA 942 = BICSI 002
Tier Standards
- TUI is a design philosophy
  - Tier 1, basic requirements
  - Tier 2, redundant components
  - Tier 3, concurrently maintainable
  - Tier 4, autonomous fault tolerance
- TIA 942, a prescriptive design guide
- BICSI 002, some different ideas
ISMS Information Security Management standards
ISO 27000 Series
ISO 27002 Code of Practice
Information technology - Security techniques - Code of practice for information security management
1. Introduction and scope
2. Terms & definitions
3. Structure of the Standard
4. Risk assessment and treatment
5. Security policy
6. Organisation of information security
7. Asset management
8. Human resources security
9. Physical and environmental security
10. Communications and operational management
11. Access control
12. Information systems, acquisition, development & maintenance
13. Information security incident management
14. Business continuity management
15. Compliance
Big on questions but proposes no answers
Do you handle credit/debit card transactions or keep financial data?
U.S. Requirements
- Sarbanes-Oxley Act
- Health Insurance Portability and Accountability Act
- Gramm-Leach-Bliley Act
- State level legislation
- Payment card industry standard
- International Traffic in Arms Regulations
Green Credentials
- 2001 European Directive on Energy Performance in Buildings
- 2006 Building Regulations Part L
- 2006 EU Energy Services Directive
- 2007 Climate Change Bill
- Server and Data Center Energy Efficiency, Public Law 109-431, April 2007
- Code of Conduct on Data Centres, November 2008
Make Your Reputation by Inventing a Metric
- The Green Grid
- Environmental Protection Agency, EPA
- US Department of Energy, DoE
- Silicon Valley Leadership Group
- McKinsey
- The UpTime Institute
- Leadership in Energy and Environmental Design, LEED
- BREEAM
- Transaction Processing Performance Council, TPPC
Data Centre Metrics
- DCiE: Data Centre infrastructure Efficiency
- DCiE = IT Equipment Power / Total Facilities Power
- Power Usage Effectiveness, PUE = 1 / DCiE
- Advantages: simple
- Disadvantages: the servers, though taking most of the energy, may not actually be doing any useful work
Energy Usage Effectiveness EUE
- Energy Star is developing an improved metric* called Energy Usage Effectiveness (EUE) = Total Energy / UPS Energy
- EUE is based on energy, not power
- Total Energy includes all fuels (electricity, natural gas, diesel, etc.)
- EUE is based on source energy, not site energy
- Source Energy is the total amount of raw fuel required to operate the building
- Build on existing ENERGY STAR platform with methodology similar to existing ratings (1-100 scale)
- Usable for both stand-alone data centers and data centers housed within office or other buildings
- Offer the ENERGY STAR label to data centers with a rating of 75 or higher
The UpTime Institute
- Data Center Energy Efficiency and Productivity (DC-EEP) Index
- DC-EEP = (IT-PEW) x (SI-EER)
- IT-PEW = IT Productivity per embedded watt
- SI-EER = Site Infrastructure Energy Efficiency (same as PUE)
- TUI say average SI-EER is 2.5 or 40%
Data Centre Auditing
- What does the customer want to achieve?
- Use the right audit package to answer the customer's questions/requirements
- Select from the range of appropriate standards available. There is no one standard that fits all requirements
- An audit includes business processes, not just physical attributes
Thank you Barry Elliott, RCDD Capitoline LLP belliott@capitoline.co.uk www.capitoline.eu