Compliance policies and procedures followed in data centers
Along with the growth of information technology the amount of data accumulated is also rapidly grown. The biggest threat that existing on these days is to make sure these data are secure. In order to make sure the high availability of data without cyber any attack or loosing chances it’s necessary to take necessary steps in every possible ways.
Compliance typically involves adherence to standards set by government regulatory agencies. There are a significant number of regulations in effect worldwide related to protecting private and sensitive data. For many businesses, regulatory compliance is a topic that simply cannot be ignored. Handling confidential customer data in all its varied forms has become a routine, even essential, task in almost every industry, and companies that ignore the legal obligations they have to keep that data secure do so at significant peril. In 2018, for instance, the health insurance giant Anthem Inc. was fined a record $16 million by the US government for failing to comply fully with HIPAA standards in the wake of the data breach that occurred in December 2014-January 2015.
Have you ever thought where does all these data are existing? Simply we may say on internet or in any applications that you are using. Let’s take the example of Facebook, we are all having a Facebook account and many things related to us is available(photos, videos, personal information etc)on Facebook. You can see all these data from anywhere in the part of world just with an internet connection. There is a massive IT infrastructure is available in background to support your activity. Where does these IT infrastructures existing? The answer is nothing but on data centers. The biggest security threat that can affect your data is nothing but the insecurities in a location where it resides. Now you can imaging the necessity of complying with policies, procedures and standards in a data center.
For a data center, providing compliance assurances is a matter of transparency and security. By providing infrastructure that meets compliance standards for data security, a facility can help their customers to better mitigate business risks and enhance reporting procedures. The best facilities build their infrastructure from the ground up with compliance in mind rather than viewing it as a “bolt-on” service to be incorporated after the fact. Some are focused on protection of specific industry information, where others are more concerned with proper disclosure of data loss incidents and general privacy attributes. Most of today’s standards and compliance regulations are concerned largely with the protection of private data at rest, during transactions, and while it traverses network connections.
The compliance rules and regulations within a data center environment can be based on two things which are,
· Data related
· Non-Data related
What does it mean is Remember these two terms where we will segregate different compliance standards based on this two types.
There are three things which are said to be the pillars of compliance and namely
· Codes & Regulations - These are usually enforced by national law and compliance is mandatory.
· National/International standards – This is an agreed set of minimum requirements, conformance with which ensures quality and operational performance.
· Industry guidelines and best practices – Commonly published by manufactures to describe installation procedures for equipment. Have also been published to describe process in the absence of an appropriate standard.
Let’s have a deep look into each of these pillars.
Codes & Regulations
Codes and regulations are usually enforced by national law and compliance is mandatory. We know that the laws has to be obeyed by every citizens without any exceptions. Depending on the region where data centers resides there will be regulations law by government entities which is mandatory to be followed. Laws are usually created to protect,
· The safety and health of people
· The rights and freedoms of individuals
· National infrastructure
· National security
· Personal data
And many more things. Some of the codes and regulations within the data centre you are governed by is as below,
If anybody would like to know more about above codes and standard, do let me know and I can catchup more details for you.
National/International standards
What is a standard? A standard is a published document that contains a technical specification or other precise criteria designed to be used consistently as a rule, guideline or definition. In simple standards are designed for voluntary use and do not impose any regulations. However, laws and regulations may refer to certain standards and make compliance with them compulsory.
So in a data center we would have international standards, national standards and regional standards. But as you know adoption of all standards is not compulsory unless they are mandated in contract. Let me give you an example, when you are a data center co-location provider and one of the health customer want to lease the space. It is a standard that the data center should follow the Health Insurance Portability and Accountability Act (HIPAA) when they want to lease the space for this health related customer. As you can see this is just a standard and it’s not necessary for data center to operate. They can still lease their co-location space to customers of other industry without any issues. But following HIPPA standard will become part of a regulation law when you want to host the data of this health industry based customer.
Always remember that your regional and national standards are having higher priority than international standards. Because the regional standards will be defined by understanding local conditions whereas international standards are general.
Some of the major international initiatives for standardizations are ISO(International organization for standardization), BSI(British standards), CENELEC (French: Comité Européen de Normalisation Électrotechnique; English: European Committee for Electrotechnical Standardization), ANSI(American National Standards Institute) and TIA(Telecommunications Industries Association).Some of the data center specific standardization by these bodies are as below,
· BS EN 50600 – Information Technology- Data center facilities and infrastructure.
· BS EN 50173-5 - Information Technology-Generic cabling systems
· BSEN 50174-2 - Information Technology-cabling installation
· TIA 942- Telecommunications Infrastructure Standard for Data centers
· ISO/IEC 24764 – Information Technology-Generic cabling systems for data centers.
· ANSI/BICSI 002 – Data center design and implementation best practices.
· ANSI/ASHRE standard 90.4-2016 standard for data centers.
Industry guidelines and best practices
There are many organizations that contribute to the data center industry through the publication of industry best practices and codes of conduct. They do provide the certifications also based on their criteria which is considered as a standard measures to prove the operation, design and facilities capabilities.
Some of the bodies who provides the guidelines for data centers are as following,
- Uptime institute – Provides guidelines for improving the performance , efficiency and reliability through innovation, collaboration and independent certification.
- European Commission – In 2007 EU has developed a code of conduct in response to the increasing energy consumption in data centers and need to reduce the related environmental, economic and energy supply security impacts.
- US Department of energy – They have partnered with industry to create the data center energy practitioner program. It is reinforced proven best practices as well as introduce new tools and techniques in key areas such as IT department, air management, cooling systems and electrical systems.
- The Green Grid – The green grid association is a non-profit, open industry consortium of information and communications technology(ICT) industry end users, policy makers, technology providers, facility architects and utility companies that works to improve IT and data center resource efficiency around the world.
- BREEAM – It’s an international scheme that provides independent third party certification of the assessment for sustainability performance of individual buildings, communities and infrastructure projects.
- U.S Green building council – They have developed the national certification for leadership in energy and environmental design(LEED) to encourage the construction of energy and resource efficient buildings that are healthy to live in.
As a summary of this article we have discussed the necessity of compliance at data centers and various ways that data is protected through data center facilities.
Have a comment or points to be reviewed? Knowledge is power let’s grow together. Feel free to comment.
Acom consultant
ReplyDelete