INFRASTRUCTURE AS A SERVICE BUYER'S CHECKLIST


CONTENTS
SERVICE LEVELS
SERVICE AND SUPPORT
CERTIFICATIONS
MANAGED HOSTING
BILLING
SERVICE MANAGEMENT
TECHNOLOGY
GLOBAL, REGIONAL, LOCAL
THE DATA CENTRE
MAKE OR BUY

CHAPTER 1: SERVICE LEVELS
Does the provider offer your required SLA/SLG?
  Example: 99.9%, 99.95%, 100% (for example on an HA solution).
Does the SLA/SLG cover 24x365?
Is the required SLG level included in the solution price?
Are the conditions for rebate payments acceptable?
  Example: No rebate for SLG violations, or one day for every hour of SLG breach.
Are all solution elements covered by the SLG?
  Example: Individual service element or entire solution uptime.
Is the maximum rebate payment limit acceptable for you?
  Example: One month of service charge.
Does the notification period for planned outages match your needs?
  Example: Not specified, or five business days.
Are all critical elements covered by the SLG?
  Example: Server uptime, solution uptime, special SLGs such as network and storage performance (IOPS).
Are the disaster recovery SLGs state of the art?
  Example: 5 minutes RPO and 30 minutes RTO.
Does the vendor provide a RACI matrix for managed hosting?
  RACI = Responsible, Accountable, Consulted, Informed.
How complex are the SLGs? Do you understand them?
  Example: Complicated definitions of uptime percentage, availability and exclusions.
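The service-level questions above turn on how "uptime" is defined in the contract. The Python script below is an added example, not part of the original checklist, that runs one constructed month of outage records through three of the definitions the checklist asks about: per-element versus whole-solution uptime, whether planned maintenance is excluded from the measurement, and a rebate of one day of service charge per hour of breach capped at one month. The element names, outage times, the 30-day billing month and the rebate terms are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed billing period for this example: a 30-day month.
HOURS_PER_MONTH = 30 * 24.0


@dataclass(frozen=True)
class Outage:
    """One outage record: which solution element was down and for which hours."""
    element: str        # hypothetical element name, e.g. "network"
    start: float        # hours since the start of the billing month
    end: float          # hours since the start of the billing month (exclusive)
    planned: bool = False


# Constructed sample month (not vendor data): three elements, one planned window.
SAMPLE_OUTAGES = [
    Outage("network", 10.0, 11.5),             # 1.5 h unplanned
    Outage("storage", 100.0, 102.0),           # 2.0 h unplanned
    Outage("compute", 101.0, 103.0),           # 2.0 h unplanned, overlaps storage
    Outage("storage", 400.0, 404.0, True),     # 4.0 h planned maintenance
]


def _merged_hours(intervals: Iterable[Tuple[float, float]]) -> float:
    """Total length of [start, end) intervals after merging overlaps.

    Overlapping outages of different elements are counted once for the
    solution as a whole: from the customer's point of view it was down
    either way, so summing per-element figures would double count."""
    total = 0.0
    cur_start = cur_end = None
    for start, end in sorted(intervals):
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def downtime_hours(outages: List[Outage], element: Optional[str] = None,
                   exclude_planned: bool = True) -> float:
    """Downtime for one element, or for the entire solution when element is None."""
    selected = [
        (o.start, o.end) for o in outages
        if (element is None or o.element == element)
        and not (exclude_planned and o.planned)
    ]
    return _merged_hours(selected)


def availability(outages: List[Outage], element: Optional[str] = None,
                 exclude_planned: bool = True, period: float = HOURS_PER_MONTH) -> float:
    """Fraction of the period the element (or whole solution) was up."""
    return 1.0 - downtime_hours(outages, element, exclude_planned) / period


def breach_hours(outages: List[Outage], target: float, exclude_planned: bool = True,
                 element: Optional[str] = None, period: float = HOURS_PER_MONTH) -> float:
    """Downtime beyond what the target (e.g. 0.995 for 99.5%) allows in the period."""
    allowed = period * (1.0 - target)
    return max(0.0, downtime_hours(outages, element, exclude_planned) - allowed)


def rebate_days(breach: float, days_per_hour: float = 1.0, cap_days: float = 30.0) -> float:
    """Rebate under 'one day of service charge per hour of breach, capped at one month'."""
    return min(cap_days, breach * days_per_hour)


def sla_report(outages: List[Outage], target: float) -> List[dict]:
    """Side-by-side comparison of the definitions for a given target."""
    rows = []
    for element in (None, "network", "storage", "compute"):
        for exclude_planned in (True, False):
            breach = breach_hours(outages, target, exclude_planned, element)
            rows.append({
                "scope": element or "whole solution",
                "planned_excluded": exclude_planned,
                "availability": availability(outages, element, exclude_planned),
                "breach_hours": breach,
                "rebate_days": rebate_days(breach),
            })
    return rows


if __name__ == "__main__":
    for row in sla_report(SAMPLE_OUTAGES, 0.995):
        print(f"{row['scope']:<15} planned excluded={row['planned_excluded']!s:<5} "
              f"availability={row['availability']:.4%} breach={row['breach_hours']:.2f} h "
              f"rebate={row['rebate_days']:.2f} days")
```

With the constructed data and a 99.5% target, every element individually meets the target once planned maintenance is excluded, yet the solution as a whole breaches it because the customer experienced the union of the outages; counting planned maintenance turns the storage element into a breach on its own. That is the difference between a per-element SLG and an entire-solution SLG that the checklist asks you to look for.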

CHAPTER 2: SERVICE AND SUPPORT
Does the vendor provide direct access to the technical support team?
  Example: What are the support times and support channels (email, phone)?
Are support cases handled by engineers directly?
Is engineer support available 24x7?
Does the vendor provide access to technical consultants in the presales phase?
  Example: Support for individual solution design and scoping.
Are there customer service managers assigned to each individual account?
  Example: Who is your contact in day-to-day business?
Does the company provide regular business reviews?
  Example: Utilisation reports, face-to-face meetings to discuss potential optimisation or recent issues, QA improvement, customer feedback.
Does the vendor assign a dedicated project manager to complex orders?
  Example: Who assists the customer during the provisioning process to make sure that the outcome is as expected, tailored to the customer requirements, and on time?
Does the vendor start billing the customer only after successful user acceptance tests?
Do you require "Smart Hands"?
  Example: Engineers who perform tasks on behalf of your IT staff in the data centre to avoid travel and improve effectiveness.

CHAPTER 3: CERTIFICATIONS
Is the vendor Information Technology Infrastructure Library (ITIL) certified?
Is the vendor ISO 27001 certified?
Do you require a PCI compliant solution? If yes, is the infrastructure outside your customer environment PCI certified (gateway to customer environment)?
Does the vendor fulfil Australian Government standards (ASIO T4, DSD)?

CHAPTER 3: CERTIFICATIONS
COMMONLY REQUIRED CERTIFICATIONS

ITIL
The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.

ISO 27001/2
An information security management system (ISMS) standard that contains 11 domains:
  Security policy.
  Organisation of information security.
  Asset management.
  Human resources security.
  Physical and environmental security.
  Communications and operations management.
  Access control.
  Information systems acquisition, development and maintenance.
  Information security incident management.
  Business continuity management.
  Compliance.

ASIO T4 PROTECTIVE SECURITY (ASIO-T4)
Protective security is a combination of procedural, physical, personnel and information security measures designed to provide government information, functions, resources, employees and clients with protection against security threats.

ASD
Australian Signals Directorate gateway certification.

PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards.

CHAPTER 3: CERTIFICATIONS
CONTROL OBJECTIVES AND PCI DSS REQUIREMENTS

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware.
  6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security.

CHAPTER 4: MANAGED HOSTING
Examples of tasks/areas that should be considered:
  Configure operating system
  Operational capabilities
  Configure monitoring
  Configure backup
  Provide test plans
  Platform testing
  Customer acceptance testing
  License purchase/lease
  Operating system ownership
  Validate specification against requirements
  Installation (rack mount, system power)
  Configuration of networks
  Resilience configuration
  Security patching and service packs
  System re-install
  Version upgrades
  Security policy management
  System reboot

CHAPTER 5: BILLING
Is there a monitoring portal that allows measuring of service consumption in near real time?
Does the portal allow the customer to set thresholds for notifications?
Is the bill structured in a format that fulfils internal accounting needs?
  Example: Grouped by business unit, export formats.
Are the commercial terms fixed or negotiable?
Do you require billing by the hour?
  Example: Individually designed customer solutions that include dedicated service components (non-shared firewalls, load balancers and compute resources) do not allow billing by the hour because of the complexity of setting up the environment. Billing by the hour is mostly only available if the solution is built entirely on shared infrastructure.
How predictable is the bill (bill shock)?
  Example: Is the service consumption predictable?
Do you have a dedicated contact person for billing enquiries?

CHAPTER 6: SERVICE MANAGEMENT
Does the portal allow the setup of different accounts with individual user access policies?
  Example: One user to configure the firewall, one user to view the bill.
Are all portals available to you in order to manage your infrastructure?
  Example: Compute, network, storage, firewall, load balancer etc.
Can you order new elements online?
Do provisioning times for new elements or change requests meet your business needs?
Do you get a monitoring portal that suits your needs?

CHAPTER 7: TECHNOLOGY
Are critical services built on dedicated technology?
  Example: Full-featured dedicated Fortinet firewall or shared firewall.
Do you need IaaS that uses a specific hypervisor, and does the vendor support your hypervisor?
  Example: Some workload mobility solutions do not support multiple types (vendors) of hypervisor.
Are you running a hybrid infrastructure (colocation, private cloud, public cloud, dedicated managed servers, on-premise servers), and does the vendor support this?
  Example: Hybrid solutions require scalable interconnectivity solutions.
Do you prefer to get everything from a single source and limit the number of vendors?
Do you control the contention of your compute resources?
  Example: Public clouds do not reserve 100% of the compute resources for each client. Compute resources are assigned on demand between customers, which adds latency and could lead to noisy-neighbour problems.
Is the technology powerful enough?
  Example: What specs do you need to serve your required workload? It is not always easy to compare like with like because of differing performance specifications.
Does the vendor provide all the value-added services you need?
  Example: Backup, patch management, multiple storage tiers, load balancers, global server load balancer.
Does the vendor provide the storage options you need?
  Example: Storage for archives, normal server load, databases or ultra-high workloads.
Do the disaster recovery (DR) solutions suit your needs?
  Example: Price, DR location, ease of DR implementation, monitoring, maturity of the DR solution.
Does the vendor offer disaster avoidance solutions that suit your needs?
  Example: Performance of data centre interconnects, storage replication, stretched storage (same LUN in two locations).

CHAPTER 8: GLOBAL, REGIONAL, LOCAL
Does your solution require hosting in Australia?
  Example: Required by law or other legislation, or personally preferred because of Homeland Security, PRISM, the Patriot Act etc.
Do you prefer to do business with a local partner?
  Example: You are looking for a local, trusted business partner.
Do you require multiple availability zones for your disaster recovery or disaster avoidance solution?
  Example: High availability solutions could be hosted in different data centres for higher fault tolerance.
Do you prefer a contact centre located in Australia?
Do you prefer the engineers to be located in Australia?
Can the vendor offer a network connection to its services with low latency?

CHAPTER 9: THE DATA CENTRE
Does the data centre fulfil all required certifications?
Is the data centre highly reliable and available?
  Example: A Tier III data centre (Uptime Institute) can maintain all elements without causing any outage to any service at any time.
Does the vendor provide enough transparency?
  Example: Tours and direct contact with the facility managers to ask questions.
How do the vendors rank in their outage history?
  Example: Is the vendor transparent about its outage history? What were the reasons for the outages? What technology was affected?
How does the vendor rank in terms of efficiency?
  Example: Ask for the power usage effectiveness (PUE). The PUE is the ratio of the total facility energy consumption to the IT equipment energy consumption.
Does the data centre support your rack size?
Does the data centre support your energy consumption per rack?
Do you have a choice when it comes to Internet connectivity?
  Example: Available external Internet connections.
Does the data centre have enough capacity?
  Example: Are you likely to get more rack space when you need it in the future?

CHAPTER 10: MAKE OR BUY

BUY (PRO)
  Solution maturity high.
  Solution available today.
  Portfolio of value-added services.
  Solution variety (different storage tiers).
  Hybrid infrastructure from a single source.
  Import/export capabilities (low lock-in risk).
  High support expertise.
  High solution design expertise.
  24x7 monitoring and support.
  Sophisticated management portals.
  Comprehensive monitoring solutions.
  Grow as you go.
  Low Capex.
  Affordable turnkey disaster recovery solution (if offered).

BUY (CON)
  Technology lock-in (with some vendors).
  Uncertainty about vendor capabilities.
  Hidden costs and bill-shock risk.
  Support quality on entry-level support offerings.
  Limited to the vendor's solution portfolio.
  Limited transparency (reporting) with some vendors.

MAKE (PRO)
  Growing in-house expertise.
  Full control over staffing.
  Self-selected backend technology.
  Full control over vendor and partner selection.
  Full access to backend technology if required.

MAKE (CON)
  Long-term lock-in to the internal solution because of long-term Capex investments.
  High Capex.
  Solution will only mature over time.
  IT staff have to cover infrastructure and application level support.
  Expensive 24x7 support and management.
  Limited technical solution portfolio (inflexible short- and long-term strategy).
  Slow uptake of new technologies.
  Limited cloud service benefits: internal solutions use virtualisation but not cloud technologies (a service layer on top of virtualisation).
  Service disruption and brain-drain issues due to fluctuating staff.
  High costs for consulting and engineering for solution design (especially DR).