Net Access Blog

Key Questions to Ask When Evaluating a Data Center's Security Policies

Posted by Rob Stevenson on Jun 11, 2015 11:25:58 AM


As I mentioned in my last blog post, today’s data center has become a key strategic asset for most companies, but physical security often takes a back seat to IT security when companies are selecting a facility. When evaluating data center solutions, asking the right questions is of paramount importance for future-proofing your investment. When touring a prospective data center, here are some key physical security questions that you should ask:

 

EXTERIOR SECURITY:

  • What kind of perimeter protection does the facility provide, and are there any natural or structural physical barriers incorporated into the design?
  • Is there a perimeter fence and/or access control gates restricting vehicle and pedestrian traffic?
    • Are these items K-rated? The “K” rating is the U.S. Department of State (DOS) certified barrier speed rating: the maximum impact speed at which a vehicle traveling at the nominal speed and striking the barrier from a perpendicular direction is successfully arrested.
      • K12 = 50 mph (80 kph)
      • K8 = 40 mph (65 kph)
      • K4 = 30 mph (48 kph)
  • Is there sufficient exterior security camera coverage?
  • Is there adequate exterior lighting at night?

FACILITY ACCESS:

  • How many points of entry/exit are there for customers and visitors? When customers and visitors enter and exit through a single point, it significantly reduces the chance of a security breach.
  • Are the building entry points single-factor or multi-factor? Multi-factor authentication methods such as biometric fingerprint readers should be utilized for granting access to the building. Single-factor methods like card swipe readers are easily defeated, as keycards can be dropped in the parking lot (or other areas), picked up, and used for entry by any individual.

INTERIOR SECURITY:

  • How is the interior of the building protected?
  • What types of security systems are being used to monitor video and entry access alarms?
  • Are security personnel onsite 24x7x365? If not, during what hours are security personnel present, and are they in-house staff or contracted from a third-party vendor?
  • Is there an adequate number of surveillance cameras monitoring the critical areas?
  • What types of alarms are being monitored (forced entry, door held open, etc.)?
  • Do you have the ability to request video footage and/or an investigation of an event?

SECURITY RECORD RETENTION/COMPLIANCE:

  • What is the retention period for video footage and keycard swipe records? I would strongly recommend having access to these items for a minimum of 30 days, as you will most likely need to use them at some point.
  • What types of data center compliance measures are in place to ensure that the industry's best practices and standards are being met? Some of the common compliance audits include the Payment Card Industry (PCI) Data Security Standard (DSS), the Statements on Standards for Attestation Engagements (SSAE 16) and the Health Insurance Portability and Accountability Act (HIPAA).

EMERGENCY EVENTS:

  • What measures are in place to respond to emergency events?
  • Do proper policies and procedures exist to mitigate any potential damage?
  • Is there a sufficient fire monitoring system in place?
  • What type of fire suppression system is being used and who is the monitoring company?
  • Are there any first-aid kits or automated external defibrillators (AEDs) onsite, and is the staff required to know how to use these items?
  • What kind of security-related training or certifications exist?

 

Rob Stevenson has been with Net Access for over 6 years and currently manages the Security department. He previously served 4 years in the U.S. Air Force as a Security Forces member.
