
Policy and Procedures

Utiliware supports today's ever-growing regulatory compliance landscape. Recent federal legislation, including the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act of 2002 (SOX), requires our services to address a myriad of security and privacy requirements. Our services adhere to strong controls based on best practices. These controls may from time to time be tested by an independent CPA firm for SAS 70 Type I or Type II audit compliance. The SAS 70 auditing standard, in place since 1992, has been one of the most widely recognized standards for testing and reporting on the controls of service organizations such as ours. Our policies and procedures are set out below.

  Data Center Description  
  Building Construction: The facility uses an inner/outer sanctum design. Separate interior and exterior perimeter walls, doors and windows create two physical access barriers. Construction materials support Underwriters Laboratories Inc. (UL) rated ballistic protection.  
  Lobby/Entrance: The receptionist is protected by bullet-resistant glass.  
  Facility Surroundings and Vegetation: Flowers, plants, trees and other vegetation are maintained so that they cannot conceal or hide an intruder.  
  Security Systems and 24x7 Backup Power: The security system monitors and records external and internal egress points at all times, and runs on uninterruptible power supplies (UPS) to ensure continuous operation.  
  Cage and Cabinet: Both the cage and the cabinet are anchored to the concrete floor for structural rigidity and strength. The cage is accessed via a key lock on the gate.  
  Man Trap Access: A man trap (a two-door interlock vestibule in which only one door can be open at a time) controls access to the interior of the facility.  
  Electronic Access Control Systems (ACS): All personnel are required to register with the receptionist in the lobby. A temporary facility badge is issued and must be worn visibly on clothing for the duration of the visit. Personnel access is then granted via biometric scanner and physical key token.  
  Provisioning Process: Any individual requesting access to the data center must be enrolled in the facility access system. Proof of identity is required and documented during provisioning, establishing the identity of each person entering the facility.  
  Off-boarding Process: When data center personnel, or client personnel using the facility services, leave, their access is immediately revoked from every system that granted entry to the facility. This includes all electronic access control mechanisms as well as all systems, databases, Web portals and any other sign-in mechanism that performs authentication and authorization.  
  Visitors: All visitors must present a current, valid form of identification and are issued a temporary facility badge granting access only to designated areas of the data center. All access is logged.  
  Alarms: All exterior doors and sensitive areas within the facility are hard-wired with alarms.  
  Cameras: A mixture of fixed and pan, tilt and zoom (PTZ) security cameras covers all critical areas of the data center, both inside and out.  
  Threat Conditions Policy: Consistent with the Department of Homeland Security rating scale, the facility should have a threat conditions policy in place whereby employees and customers are made aware of changes in the threat level.  
  Badge and Equipment Checks: Periodic checks should be carried out on employees and customers to verify badge access and equipment ownership.  
  Local Law Enforcement Agencies: Contact information for all local law enforcement officials is documented for use in an emergency.  
  Paper Shredding: A third-party contractor provides a document shredding container on-site; the container is periodically removed for processing. Each contractor visit is logged.  
  Data Center Security Staff: A third-party contractor provides on-site physical security. These officers perform a range of daily duties: monitoring intrusion and security alarm systems; dispatching mobile security officers to emergencies; monitoring to prevent unauthorized access such as tailgating; assisting authorized individuals entering the data center; controlling access to the data center by confirming identity; issuing and retrieving access badges; and responding to telephone and radio communications. They also: respond to and resolve security alarms; assist customers with cage lockouts and escorts; conduct scheduled and unscheduled security inspections; enforce the no-food-or-drink rule on the raised floor; enforce the no-unauthorized-photography policy; and carry out fire and safety patrol inspections.  

  Server Setup Description  
  OS Installation: Operating system installations start from a minimal base (kernel and core system only). Required services, daemons and processes are then installed on top.  
  Daemons and Services: Package managers such as RPM, yum or aptitude and/or update managers are used to install services and applications. All applications are required to run under a service controller (the system's service manager) rather than being started by hand.  
  Permissions: Every service runs under a dedicated named user account. That account is granted the least permission required for the service to operate on the operating system.  
  Backups: All backups are scripted using tar with gzip on Linux (gunzip for restore) or 7-Zip on Windows. ssh, rsync and robocopy are used to copy backup data to a different server.  
  Access: All access to systems is through named user accounts.  
  Monitoring: Public-facing services such as web or email are actively probed by polling the service. Private, host-level resources such as CPU, disk and memory are passively monitored by pushing metrics to the monitoring server.  
  Notification and Escalation: Notices of service outages or failures are sent by email or phone. If an outage lasts longer than 1 hour, a follow-up status notice is sent with an estimated restore time. A further notice is sent when the service is restored.  
  Firewall: Appliance and host-based firewalls perform stateful inspection of network traffic. Port, IP address and protocol are used in access control lists to restrict traffic. Every ruleset starts from default-deny (deny any source to any destination) and then opens only the necessary access points.  
  Router: Routers export NetFlow for traffic analysis.  
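As an added example of the Daemons and Services and Permissions items above (this is not Utiliware's own tooling), the following POSIX shell script creates a dedicated system account with no login shell and generates a systemd unit that runs the service under that account with privilege escalation disabled and the filesystem mostly read-only. The service name `web-app`, the user `svc_web`, the binary path and the `/usr/sbin/nologin` shell path are assumed for illustration; the nologin path and the existence of a same-named group vary by distribution.

```shell
#!/bin/sh
# Added example (not Utiliware's tooling): run a daemon under a dedicated,
# least-privilege named account managed by systemd. Inputs are hypothetical.

# gen_service_unit NAME USER EXEC_PATH
# Prints a hardened unit file to stdout; returns 1 on an unsafe request.
gen_service_unit() {
    name=$1; user=$2; exec_path=$3

    # Only a plain lowercase account name is accepted, and never root.
    case "$user" in
        root|"")        echo "refusing to run $name as '$user'" >&2; return 1 ;;
        *[!a-z0-9_-]*)  echo "invalid service user '$user'" >&2; return 1 ;;
    esac
    # systemd requires an absolute path for ExecStart.
    case "$exec_path" in
        /*) ;;
        *)  echo "ExecStart must be an absolute path: '$exec_path'" >&2; return 1 ;;
    esac

    cat <<EOF
[Unit]
Description=$name (least-privilege service)
After=network.target

[Service]
Type=simple
User=$user
Group=$user
ExecStart=$exec_path
# No setuid/capability gain, no access to the rest of the filesystem.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=
# The only writable locations are the service's own state and log dirs.
StateDirectory=$name
LogsDirectory=$name
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# create_service_user USER: system account, no home, no interactive shell.
# Must run as root; the nologin path is an assumption (Debian/Ubuntu layout).
create_service_user() {
    user=$1
    if ! getent passwd "$user" >/dev/null 2>&1; then
        useradd --system --no-create-home --shell /usr/sbin/nologin "$user"
    fi
}

# Usage (as root):
#   create_service_user svc_web
#   gen_service_unit web-app svc_web /opt/web-app/bin/server \
#       > /etc/systemd/system/web-app.service
#   systemctl daemon-reload && systemctl enable --now web-app
```

After enabling the unit, `systemd-analyze security web-app.service` reports which exposure the remaining settings still leave open; tighten further (for example `SystemCallFilter=`) only after confirming the daemon still starts.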
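The default-deny firewall setup described above, as an added example that is not part of the original page: a POSIX shell function that validates an allow-list of `proto/port[@source-prefix]` entries and emits an nftables host-firewall ruleset whose input and forward chains drop by default, opening only the listed services (optionally limited to a source prefix, as the ACL item's port/IP/protocol criteria describe). The service list and the `10.0.0.0/8` management prefix in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Utiliware's tooling): generate a default-deny nftables
# ruleset from an allow-list such as "tcp/443 tcp/22@10.0.0.0/8 udp/53".

# parse_svc SPEC: sets PROTO, PORT and SRC (empty SRC = any source).
# Returns 1 and prints a reason if the entry is malformed.
parse_svc() {
    SRC=""
    spec=$1
    case "$spec" in *@*) SRC=${spec#*@}; spec=${spec%%@*} ;; esac
    PROTO=${spec%%/*}
    PORT=${spec#*/}
    case "$PROTO" in tcp|udp) ;; *) echo "bad protocol in '$1'" >&2; return 1 ;; esac
    case "$PORT" in ''|*[!0-9]*) echo "bad port in '$1'" >&2; return 1 ;; esac
    if [ "$PORT" -lt 1 ] || [ "$PORT" -gt 65535 ]; then
        echo "port out of range in '$1'" >&2; return 1
    fi
    # Source prefix may only contain digits, dots and a slash (IPv4 CIDR).
    case "$SRC" in *[!0-9./]*) echo "bad source prefix in '$1'" >&2; return 1 ;; esac
    return 0
}

# gen_nft_ruleset "SPEC SPEC ...": prints a complete ruleset to stdout.
gen_nft_ruleset() {
    # Validate every entry before emitting anything, so a typo never
    # produces a half-written ruleset.
    for svc in $1; do parse_svc "$svc" || return 1; done

    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMP/ICMPv6 are kept: IPv6 neighbour discovery breaks without them.
        meta l4proto { icmp, ipv6-icmp } accept
EOF
    for svc in $1; do
        parse_svc "$svc"
        if [ -n "$SRC" ]; then
            printf '        ip saddr %s %s dport %s accept\n' "$SRC" "$PROTO" "$PORT"
        else
            printf '        %s dport %s accept\n' "$PROTO" "$PORT"
        fi
    done
    cat <<'EOF'
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Usage (as root): HTTPS from anywhere, SSH only from the management network,
# DNS over UDP; check the syntax with -c before loading it.
#   gen_nft_ruleset "tcp/443 tcp/22@10.0.0.0/8 udp/53" > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

Because the input chain's policy is `drop`, anything not listed (including the SSH port from outside `10.0.0.0/8`) is silently discarded; run the `nft -c` check from a console session, not over SSH, the first time a ruleset is loaded.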

  Application Administration Description  
  Access: Access to all systems is restricted by network, and data in transit is encrypted via VPN, SSL/TLS or SSH.  
  Login: All users use individual user accounts; logins are never shared.