FedRAMP 3PAO Training



1. Federal Risk and Authorization Management Program (FedRAMP): 3PAO Training, May 31, 2012

2. Training Schedule
• 9:00 am: Welcome, Katie Lewin
• 9:15 am: 3PAO Maintaining Accreditation, NIST
• 9:40 am: Overview of 3PAO Role, Matt Goodrich
• 10:10 am: Q&A on Process and 3PAO Program
• 10:25 am: 15 Minute Break (Hand Out SAP)
• 10:40 am: Developing the SAP, Kevin Dulany
• 11:40 am: Q&A on Developing the SAP
• 12:00 noon: Lunch (Hand out SAR)
• 12:45 pm: Developing the SAR, Laura Taylor
• 1:45 pm: On-Going Assessments, Matt Goodrich
• 2:00 pm: Final Q&A

3. What is FedRAMP?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that will save the cost, time, and staff required to conduct redundant agency security assessments.

4. Policy on Security Authorization of Information Systems in Cloud Computing Environments (OMB Policy Memo, December 8, 2011)
The Office of Citizen Services and Innovative Technology (OCSIT), within the General Services Administration (GSA), is responsible for managing FedRAMP, to provide a unified and government-wide risk management framework that addresses these problems.

5. FedRAMP’s Purpose
Problem:
• A duplicative, inconsistent, time consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.
Solution: FedRAMP
• Uniform risk management approach
• Standard set of approved, minimum security controls (FISMA Low and Moderate Impact)
• Consistent assessment process
• Provisional Authorization

6. FedRAMP Executive Sponsors
7. FedRAMP Goals
The goals of FedRAMP are to:
1. Accelerate the adoption of cloud solutions through reuse of assessments and authorizations
2. Increase confidence in the security of cloud solutions
3. Achieve consistent security authorizations using a baseline set of agreed-upon standards and accredited independent third party assessment organizations
4. Ensure consistent application of existing security practices
5. Increase confidence in security assessments
6. Increase automation and near real-time data for continuous monitoring
8. FedRAMP Phases and Timeline
A phased evolution towards sustainable operations allows for the management of risks, capture of lessons learned, and incremental rollout of capabilities.

Pre-Launch Activities (FY12): FedRAMP finalizes requirements and documentation in preparation of launch
• Key activities: publish FedRAMP requirements (security controls, templates, guidance); publish FedRAMP compliance guidance for agencies; accredit 3PAOs; establish priority queue
• Outcomes: initial list of accredited 3PAOs; launch FedRAMP in Initial Operating Capabilities (IOC launch: June 6, 2012)

Initial Operational Capabilities, IOC (FY12): launch IOC with limited scope and Cloud Service Providers (CSPs)
• Key activities: authorize CSPs; update CONOPS, continuous monitoring requirements and CSP guidance; gather feedback and incorporate lessons learned
• Outcomes: initial CSP authorizations; established performance benchmarks; define business model

Full Operations (FY13): execute full operational capabilities with manual processes
• Key activities: conduct assessments and authorizations; scale operations to authorize more CSPs
• Outcomes: multiple CSP authorizations; measure benchmarks; implement business model

Sustaining Operations (Q2 FY14): move to full implementation with on-demand scalability
• Key activities: implement electronic authorization repository; scale to steady state operations
• Outcomes: authorizations scale by demand; self-sustaining funding model covering operations; privatized accreditation board
9. FedRAMP and the Security Assessment and Authorization Process
FedRAMP maintains:
• the security baseline, including controls and continuous monitoring requirements
• the assessment criteria
• an active inventory of approved systems

Step 1: Independent Assessment (consistency and quality)
• Before a provisional authorization is granted, Cloud Service Provider systems must be assessed by an approved, independent Third Party Assessment Organization
• Independent assessors are retained from the FedRAMP-approved list of 3PAOs

Step 2: Provisional Authorization (trustworthy and re-usable)
• The Joint Authorization Board reviews assessment packages and grants provisional authorizations
• Agencies issue ATOs using a risk-based framework
• Authorizations: (1) Provisional ATO, granted by the Joint Authorization Board; (2) ATO, granted by individual agencies

Step 3: Ongoing A&A, Continuous Monitoring (near real-time assurance)
• Oversight of the Cloud Service Provider’s ongoing assessment and authorization activities, with a focus on automation and near real-time data feeds
• Ongoing A&A activities will be coordinated through: (1) DHS CyberScope data feeds; (2) DHS US-CERT incident response and threat notifications; (3) FedRAMP PMO POA&Ms
10. Maintaining 3PAO Accreditation

11. FedRAMP Third Party Assessment Organization (3PAO) Conformity Assessment Process
FedRAMP requires CSPs to use Third Party Assessment Organizations (3PAOs) to independently validate and verify that they meet FedRAMP security requirements. FedRAMP worked with NIST to develop a conformity assessment process to qualify 3PAOs. This conformity assessment process will qualify 3PAOs according to two requirements: (1) independence and quality management in accordance with ISO standards; and (2) technical competence through FISMA knowledge testing.
Benefits of leveraging a formal 3PAO approval process:
• Creates consistency in performing security assessments among 3PAOs in accordance with FISMA and NIST standards
• Ensures 3PAO independence from Cloud Service Providers in accordance with international standards
• Establishes an approved list of 3PAOs for CSPs and agencies to choose from when satisfying FedRAMP requirements

12. Quality System & ISO/IEC 17020:1998
• The Quality System is a living system
• Use your Quality System going forward
• Specific ISO/IEC 17020:1998 topics:
  – Independence
  – Training
  – SMEs and sub-contractors
  – Relationship of your Quality System and FedRAMP processes
  – Internal audit and management reviews

13. Overview of 3PAO Program

14. Overview of 3PAO Role
• Performs initial and periodic assessments of CSP security and privacy controls
• Independent: cannot help the CSP prepare documents!
• Reviews CSP documents for accuracy
• Develops the Security Assessment Plan (SAP)
• Conducts security testing
  – Use test case workbooks
  – Manual tests
  – Automated tests
• Develops the Security Assessment Report (SAR)

15. FedRAMP Stakeholder Roles and Interaction

16. Relationship of 3PAOs and CSPs
• FedRAMP does not make introductions
• CSPs might interview multiple 3PAOs
• 3PAOs must manage their own relationship with CSPs
• The 3PAO must not have assisted the CSP in implementing controls (independence)
• Both parties should allow for contract modifications
• Anticipate questions similar to the following:
  – Can you provide past performance information?
  – How many FTEs will be required?
  – Do you have the right scanner licenses?
  – How long will the process take?
  – What is the pricing and what does it include?
17. FedRAMP CONOPS: Security Assessment Process
• 1.0 Security Assessment
  – 1.1 Initiate Request
  – 1.2 Document Security Controls
  – 1.3 Perform Security Testing
  – 1.4 Finalize Security Assessment
• 2.0 Leverage ATO
• 3.0 Ongoing A&A
The Security Assessment Process aligns with NIST SP 800-37, Revision 1.

18. FedRAMP CONOPS: Security Assessment Process, 1.1 Initiate Request
Sub-steps:
• 1.1.1 Document services, boundary and assets
• 1.1.2 Identify impact level
• 1.1.3 Tailor controls
• 1.1.4 Define control implementations
First step in the security assessment process:
• Introduction and management of the assessment process/timeframes
• Begin defining control responsibility
• Identify any alternate implementations of controls

19. CSP Designates a 3PAO (Initiate Request, Step 1.1)
• Formal notification to FedRAMP of 3PAO selection
• FedRAMP Director assigns an ISSO to the CSP
• The 3PAO will need to communicate with the CSP’s ISSO
• CSPs must allow 3PAOs to communicate with the ISSO
• Any questions or gotchas should go through the ISSO

20. FedRAMP CONOPS: Security Assessment Process, 1.2 Document Security Controls
Sub-step:
• 1.2.1 Document the System Security Plan (SSP)
Document the System Security Plan (SSP):
• Address how the CSP implements each FedRAMP security control
• Control responsibility
• What solution is being used for the control?
• How does the solution meet the control requirement?

21. CSP’s Preparation Before Testing (Document Security Controls, Step 1.2)
• Submits the following documents to the ISSO:
  – System Security Plan
  – IT Contingency Plan
  – Configuration Management Plan
  – Incident Response Plan
  – eAuthentication Template
  – PTA / PIA Template
  – Rules of Behavior
• All documents are approved by the JAB prior to testing

22. FedRAMP CONOPS: Security Assessment Process, 1.3 Perform Security Testing
Sub-steps:
• 1.3.1 Develop testing plan
• 1.3.2 Audit control implementations
• 1.3.3 Perform vulnerability / penetration testing
• 1.3.4 Develop Plan of Action & Milestones (POA&M)
Test the SSP:
• Begin work with the 3PAO
• Assess against the SSP with NIST SP 800-53A test cases
• 3PAO audits the assessment and results
• 3PAO generates the Security Assessment Report

23. Test Planning Process and Kick-off Meeting (Perform Security Testing, Step 1.3)
• CSP designates the 3PAO
• ISSO schedules a kick-off meeting with the 3PAO and CSP
• Don’t start testing until the SAP has been approved
• 3PAO provides the CSP a draft copy of the SAP with scope
• Discussion of scope and testing process in the kick-off meeting
• Inform the CSP what IP address the scans will come from
• Provide a timeframe for delivery of results
• Post meeting: revise and update the SAP and send it to the CSP for review, then the ISSO sends it to the JAB for approval

24. FedRAMP CONOPS: Security Assessment Process, 1.4 Finalize Security Assessment
Sub-steps:
• 1.4.1 Compile all updated and final documentation
• 1.4.2 Answer questions / risk assessment
• 1.4.3 Accept documented findings and make updates to the POA&M
• 1.4.4 Compile the completed authorization package / accept provisional authorization
Finalize:
• Review all documentation
• Review the risk posture of the CSP system
• Grant / deny provisional authorization

25. FedRAMP Concept of Operations, Overview (Cloud Service Provider / FedRAMP / Government Agency actions per step)
1.0 Security Assessment
• 1.1 Initiate Request: CSP submits the Initiation Request Form; FedRAMP logs and queues the request and notifies start of process; agencies may sponsor a CSP
• 1.2 Document Security Controls: CSP tailors controls and writes the System Security Plan (SSP); FedRAMP approves or provides feedback on the SSP; an agency may request to add controls or specific implementation criteria
• 1.3 Perform Security Testing: 3PAO performs audit/testing and produces the Security Assessment Report (SAR); FedRAMP approves or provides feedback on the SAR
• 1.4 Finalize Security Assessment: CSP compiles the security assessment package; FedRAMP grants a government-wide Provisional Authorization
2.0 Leverage ATO
• 2.1 Review of Provisional Authorization and Security Package: FedRAMP holds the package in the FedRAMP data repository; agency reviews the security package, assesses impact, and negotiates a contract with the CSP
• 2.2 Grant Agency-Level ATO: agency grants an agency-specific ATO
3.0 Ongoing Authorization
• 3.1 Operational Visibility (Continuous Monitoring): CSP updates artifacts and self-attestation; FedRAMP decides on ongoing authorization and updates the repository; agency ensures the POA&M and updates meet agency ATO requirements
• 3.2 Change Control: CSP sends change notifications; FedRAMP reviews the change notifications; agency receives information on changes
• 3.3 Incident Response: CSP reports incidents; FedRAMP tracks the incident and coordinates with US-CERT
26. Developing the SAP

28. How to Scope the System for Testing
• Review all CSP documents thoroughly
• Determine what databases need to be tested
• Determine the web applications that need testing
• Determine the manual tests that you will perform
• Where will you need to travel to? Datacenters?
• Determine what automated tools you will use
• Determine how many IP addresses are slated for testing
  – For large implementations, you need to be able to justify the subset of IP addresses that you selected for testing

29. Justify the Scope
• If you have 100 or fewer IP addresses, test them all
• Larger implementations: justify the IP addresses that are slated for testing
  – Why did you pick these IP addresses?
  – Are they a representative subset of all addresses?
  – Are they listed in the inventory?
• Web applications: must test all of them
• Databases: must test all of them
• Role testing: did you test all roles for unauthorized privilege escalation? If you do not plan on testing all, include a justification statement on what roles you will test

30. Scanning Considerations
• Scans must be fully authenticated
• Do you have the right scanner licenses?
• Discuss with the CSP how your scanners will access their system
  – Do scanner appliances need to be installed?
  – Do scanners need to be installed on specific VLANs?
  – Can you use virtual scanners?
  – Do ports on firewalls need to be opened?
  – Do you have fully privileged accounts?
  – How many IP addresses need to be scanned?
31. SSP Review: Check Control Origination Information
• In the SSP, each security control includes a table called Security Control Summary Information. Security control enhancements also require security control summary information.
• It defines whose responsibility each control is and notes if there is a shared responsibility. Check to see if these make sense.
• Responsible Role: in the field described as Responsible Role, the CSP should indicate what staff role within their organization is responsible for maintaining and implementing that particular security control. Role names may differ from CSP to CSP but could include:
  – System Administrator
  – Database Administrator
  – Network Operations Analyst
  – Network Engineer
  – IT Director
  – Firewall Engineer

32. Data Center Inspections
• Verify the address/location of data centers
• Plan to verify that the data center is using the same controls described in the System Security Plan
• Review the PE controls in the SSP before going on site
• Do you have a copy of ASHRAE Thermal Guidelines for Data Processing Environments?
• Avoid multiple visits to the same data center; get it right the first time
• Email the data center manager with any follow-up questions

33. Assumptions & Methodology
• The assumptions listed are samples; the 3PAO should edit the list of assumptions to indicate the actual assumptions
• The methodology is written and prescribed; however, you can add items to the methodology if you feel it is necessary

34. Types of Security Testing
• Review documentation
  – Does it make sense?
  – Is anything missing?
  – Are all components named?
  – Is the network diagram accurate?
  – Is the data flow diagram accurate?
  – Double-check the description of boundaries and read the section on boundaries in the Guide to Understanding FedRAMP
• Security test cases
• Tests performed using automated tools
• Tests performed using manual methods

35. Schedule (p. 18 in the SAP)
• Review the draft schedule with the CSP before submitting the SAP to the ISSO
• Leave enough time for documentation review; you need to make sure everything is accurate
• Include data center inspections in the Perform Testing timeframe
• Make sure there is a common understanding of when scans will run
• Issue Resolution Meeting: review the draft SAR with the CSP prior to submitting it to the ISSO

36. Rules of Engagement
• Modify the Rules of Engagement as necessary
• Review the rules with the CSP
• Negotiate the rules with the CSP
• Both parties must agree to the rules and sign them
• Make sure general counsel of both parties has an opportunity to review the rules
• Update the Limitation of Liability as necessary

37. Testing Issues
• If anything in the System Security Plan (or any other document) is found to be incorrect, communicate this to the ISSO and advise the CSP on what corrections to make
• The CSP will need to submit the updated document to the ISSO
• Suspend testing until the ISSO confirms back to the 3PAO and CSP that the revised document has been accepted
• If you become aware that the CSP boundary is not accurate, suspend testing, communicate to the ISSO, and advise the CSP on what corrections to make

38. Any Questions?
39. Developing the SAR

41. Testing Integrity & Completeness
• FedRAMP ISSOs will be reviewing all test results
• It is in your interest (and the interest of the CSP) to avoid having to do multiple revisions of documents
• ISSOs will open all scan reports and see if the reports match what was approved in the SAP and the inventory
• IP addresses and URLs in the test results will be checked against the SSP inventory and the information in the SAP
• All high and medium scan findings should be discussed in the SAR, and ISSOs will check for that
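The reconciliation the ISSO performs by hand on this slide, together with the scoping rule on slide 29 (Justify the Scope) and the authenticated-scan requirement on slide 30, can be run by the 3PAO before the package is submitted. The following is an added example in Python; it is not part of the FedRAMP training material or any FedRAMP tool. The SSP inventory, SAP scope, scan reports and SAR finding titles are all constructed, the addresses are from the RFC 5737 documentation range, and the appendix letters follow slide 46.

```python
"""Reconcile 3PAO scan results against the SSP inventory and the approved SAP scope.

Added example, not from the FedRAMP deck. Inputs are constructed: the SSP
inventory, the SAP scope, the scan reports and the SAR finding titles are all
hypothetical, and the addresses come from the RFC 5737 documentation range.
"""
from dataclasses import dataclass, field

# Constructed SSP inventory: infrastructure/database hosts and web applications
SSP_INVENTORY_IPS = {"198.51.100.10", "198.51.100.11", "198.51.100.20", "198.51.100.30"}
SSP_WEB_APPS = {"https://portal.example.test"}

# Constructed SAP scope as approved by the JAB; 198.51.100.11 was left out of
# scope, so the SAP must carry a justification statement for it
SAP_SCOPE = {"198.51.100.10", "198.51.100.20", "198.51.100.30", "https://portal.example.test"}


@dataclass
class ScanResult:
    target: str                   # IP address or URL as printed in the scan report
    authenticated: bool           # credentialed scan achieved (scans must be fully authenticated)
    findings: list = field(default_factory=list)   # (severity, finding title) pairs


# Constructed scan reports, as they would appear in SAR Appendix C (infrastructure)
# and Appendix E (web application). 198.51.100.99 appears in no document at all.
SCAN_RESULTS = [
    ScanResult("198.51.100.10", True, [("High", "Outdated OpenSSH"), ("Low", "ICMP timestamp")]),
    ScanResult("198.51.100.20", False, [("Medium", "Database listener unencrypted")]),
    ScanResult("198.51.100.30", True, []),
    ScanResult("198.51.100.99", True, [("Medium", "Default SNMP community")]),
    ScanResult("https://portal.example.test", True, [("High", "Reflected XSS in search")]),
]

# Finding titles the draft SAR actually discusses (constructed)
SAR_DISCUSSED = {"Outdated OpenSSH", "Reflected XSS in search"}


def check_scope(results, inventory_ips, web_apps, sap_scope):
    """Return the discrepancies an ISSO would raise after opening the scan reports."""
    scanned = {r.target for r in results}
    documented = inventory_ips | web_apps
    return {
        # scanned but never approved in the SAP: testing outside the rules of engagement
        "scanned_not_in_sap": sorted(scanned - sap_scope),
        # scanned but absent from the SSP inventory: the inventory or boundary is inaccurate
        "scanned_not_in_ssp": sorted(scanned - documented),
        # approved in the SAP but no report attached: a coverage gap
        "in_sap_not_scanned": sorted(sap_scope - scanned),
        # report attached but the scan did not run with privileged credentials
        "unauthenticated": sorted(r.target for r in results if not r.authenticated),
    }


def coverage_justification(inventory_ips, web_apps, sap_scope, full_test_threshold=100):
    """Apply the scoping rule: 100 or fewer IPs are all tested, larger sets need a
    justified subset, and every web application (and database) is always tested.
    Returns what the SAP's justification statement has to account for."""
    untested_ips = sorted(inventory_ips - sap_scope)
    missing_web_apps = sorted(web_apps - sap_scope)
    must_test_all_ips = len(inventory_ips) <= full_test_threshold
    return {
        "must_test_all_ips": must_test_all_ips,
        "untested_ips": untested_ips,
        "web_apps_missing_from_scope": missing_web_apps,   # never acceptable
        "scope_acceptable": not missing_web_apps and (not untested_ips or not must_test_all_ips),
    }


def findings_missing_from_sar(results, sar_discussed):
    """Every High and Medium scan finding has to be discussed in the SAR body."""
    return sorted(
        (r.target, severity, title)
        for r in results
        for severity, title in r.findings
        if severity in ("High", "Medium") and title not in sar_discussed
    )


if __name__ == "__main__":
    import json
    print(json.dumps(check_scope(SCAN_RESULTS, SSP_INVENTORY_IPS, SSP_WEB_APPS, SAP_SCOPE), indent=2))
    print(json.dumps(coverage_justification(SSP_INVENTORY_IPS, SSP_WEB_APPS, SAP_SCOPE), indent=2))
    for row in findings_missing_from_sar(SCAN_RESULTS, SAR_DISCUSSED):
        print("Not discussed in SAR:", row)
```

On the constructed data this flags 198.51.100.99 as scanned but neither inventoried nor in the SAP (a boundary problem to raise with the ISSO under slide 37), the database host as an unauthenticated scan, the untested 198.51.100.11 as something the SAP must justify even though the inventory is under 100 addresses, and two Medium findings that the draft SAR never discusses. Replace the constructed sets with the real inventory, SAP scope and parsed scanner exports to use it on an actual package.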
42. Security Assessment Report (SAR)
• Serves as the primary document that the JAB will review to make a risk-based decision on whether or not to issue a Provisional Authorization
• Review a draft SAR with the CSP before creating the final
• ISSO / JAB reviews the SAR and POA&M
  – Approval of the JAB is required
  – Will provide feedback and ask for revisions if not approved
  – Feedback may require reassessing some controls

43. Scope and System Overview
• If you used any other documents (or files) than those listed on p. 13, attach these documents to Appendix H. Possibilities include:
  – Configuration guides
  – Procedures
  – Files reviewed for secure configurations (e.g. /etc/.rhosts)
  – Technical or design specifications
• Make sure the System Description and Purpose match the description and purpose listed in the System Security Plan

44. Assessment Methodology
• Perform tests
• Identify vulnerabilities
• Identify threats that exploit the vulnerabilities
• Analyze risks and determine risk exposure: Likelihood x Impact = Risk Exposure
• Advise and offer guidance on corrective actions
• Document your results

45. Interconnection Risks
• Review the interconnection table in the SSP
• Discuss this table with the CSP when reviewing it
• Make sure there is a common understanding of what these connections are used for
• Is there any risk that third-party connections could be hostile? Describe these risks in the SAR
• Are more ports and services than necessary being used?
• Did you find any other interconnections that are not listed in this table? Where are they going to?

46. Appending the Test Results
• Append test case results to Appendix B
• Append infrastructure scans to Appendix C
• Append database scans to Appendix D
• Append web application scans to Appendix E
• Append other test results from any other automated tools to Appendix F
• Append manual test results to Appendix G
• Anticipate that all test results will be reviewed by the ISSO

47. Provisional Authorization Recommendation
• Tabulate the number of system risks
• Make sure each listed risk has accompanying guidance on how to mitigate the risk
• Render a professional opinion on the security of the system
  – What are the most important things to know regarding the security of the system?
  – What areas had particularly strong security controls and why?
  – What areas had particularly weak security controls and why?
  – Are the security weaknesses fixable?
• The CSP will leverage the SAR to create the POA&M

48. Finalize Security Assessment
• CSP submits the Supplier’s Declaration of Conformity (SDOC): verification and attestation to the truth and accuracy of the implemented security controls as detailed in the security assessment package
• CSP provides a complete package of all updated security assessment artifacts
• JAB response may require reassessment of some controls
• If the JAB accepts the risk, the CSP is granted a Provisional Authorization
• Provisional Authorizations are leveraged by agencies to issue their own ATOs
49. Ongoing Authorization (Continuous Monitoring)

50. Ongoing Authorization (Continuous Monitoring): 3.0 Ongoing Assessment and Authorization (Cloud Service Provider / FedRAMP / Government Agency actions per step)
• 3.1 Operational Visibility: CSP provides an annual self-attestation; FedRAMP analyzes it, makes a risk-based decision to maintain the Provisional Authorization, and notifies the agency; agency ensures the CSP risk posture meets agency ATO requirements
• 3.2 Change Control: CSP provides change reports and POA&M updates; FedRAMP reviews the changes and POA&M, decides whether to maintain the Provisional Authorization, and notifies the agency; agency ensures system changes meet ATO requirements
• 3.3 Incident Response: CSP handles incident response; FedRAMP tracks incident notifications and coordinates with US-CERT; agency responds to incidents

51. 3PAO Role in Operational Visibility
• CSPs maintain the Provisional Authorization by providing evidence on an ongoing basis that the controls they have implemented remain effective
• 3PAOs perform quarterly scans (evidence)
• 3PAOs test a subset of security controls annually (or when there is a significant change to the system)
• 3PAOs provide guidance to CSPs on mitigating vulnerabilities
• 3PAO results are used as evidence to support the CSP self-attestation indicating controls are implemented as required

52. CSP & JAB Role in Operational Visibility
• CSP submits updated artifacts to FedRAMP and updates the POA&M
• Artifacts are listed in the Self-Attestation template
• JAB reviews the evidence and makes a risk-based decision on continuing the Provisional Authorization
• Leveraging agencies use the evidence to make their agency ATO decision

53. Change Control
• See Section 3.12 in the Guide to Understanding FedRAMP
• CSPs will have to notify the ISSO if a major change occurs
• The 3PAO will have to test the controls that have changed. Examples of such changes:
  – Change in authentication or access control implementation
  – Change in storage implementation
  – Change of an implemented COTS product to another product
  – Adding more IP addresses to the inventory
  – Implementing a new code release
  – Change in backup mechanisms and process
  – Change of IaaS provider (if you are a PaaS or SaaS provider)
  – Adding new interconnections to outside service providers
  – Change of an alternate (or compensating) control

54. Incident Response
• 3PAOs do not typically play a prescribed role in incident response
• However, if the CSP requests 3PAO assistance in performing incident handling on an active incident, the 3PAO may assist the CSP in eradicating the intruder from the system
• All 3PAO assistance to the CSP during an incident must be logged on the Incident Response Form
• The Incident Response Form should include names, times, and dates of all incident handling

55. Any Questions?

56. Datacenter Inspections
57. Data Center PE-1 (Policies & Procedures)
Before you start the inspection, record contact information for the manager/person giving you the tour. Record the names of every person you interview.
• Ask the data center manager if he/she knows what the data center security policies and procedures say
• Ask him/her to show you a copy
• Find out if staff in the data center are aware of these policies and procedures

58. Data Center PE-2 (Access Authorizations)
• Can the CSP provide a list of who has access?
• Who authorizes access to the data center?
• Are there different authorization levels? (e.g. chillers, electrical substation room, UPS/battery room, generators)
• Who issues and gives out access credentials (e.g. keycards) to employees?
• Is the data center authorization process documented?

59. Data Center PE-3 (Access Control)
• Is there a two-factor access control device to get into the data center?
• Examples are a card reader with a PIN pad or a card reader with a biometric capability (many data centers use hand scanners for access control)
• Record the make/model of access devices
• If PINs or passwords are used, do they meet the password change frequency requirement?
• Are cages/racks locked?
• Is there access control on the electrical substation room, battery room, chillers, generators?

60. Data Center PE-4 (Access for Transmission Medium)
• Ask to see wiring closets and patch panels
  – Do they have locks?
  – Who has access?
• Are there exposed telecomm jacks that are not locked?
• Where does telecomm circuit/Internet connectivity enter the data center?
• Check cables and wires
  – Are they below the floor?
  – Are they in inaccessible (locked) ceiling trays?

61. Data Center PE-5 (Access Control for Output Devices)
• Who can access monitors, printers, fax machines and any other output devices (audio) in the data center?
• Ask what systems can print to data center printers
• Are printers/monitors password protected? (There might be good reasons why such controls are not required; check the SSP)
• Look for surveillance cameras. Are surveillance cameras pointed at the printers and monitors?
• Ask what kind of cameras they are using and how long recorded media is kept

62. Data Center PE-6 (Monitoring Physical Access)
• Are there cameras pointed at data center entrances?
• Are there guards? Are they armed?
• Are there bollards (vehicle barriers) near the data center building entrance?
• Ask what kind of cameras they are using and how long recorded media is kept
• Ask who has access to recorded media and find out where it is stored
• Ask who maintains the camera system

63. Data Center PE-7 (Visitor Control)
• The receptionist or guard at the front desk needs to check IDs of all visitors and record this information in a visitor log book or an online log file
• Do guards grant visitor passes for all visitors?
• Do visitors have to sign anything? (e.g. a book or electronic pad)
• Do they take a photo of visitors?
• Do they ask for government-issued identification of visitors?
• Are all visitors, including vendors performing maintenance, escorted?

64. Data Center PE-8 (Access Records)
• Ask to see visitor log books. If visitor logs are recorded online, ask to see the electronic records
• Does the cardkey PIN pad, hand geometry scanner, or whatever device is used at entrances record log files? Ask to see a sample log for a failed access attempt into the data center
• Ask to see a log file that shows a record of authorized employee access

65. Data Center PE-9 (Power Equipment)
• The electrical substation should be in a locked room
• Are there circuit breakers in place to protect against voltage overload?
• Are circuit breakers in a locked substation room?
• Is access to generators and UPS controlled?
• Are there at least two different circuits that provide electricity to the data center for redundancy?
• How is access to the battery room/UPS controlled? How is access to generators controlled?

66. Data Center PE-10 (Emergency Shutoff)
• There needs to be an emergency power off (EPO) button in the data center
• It should be located near the exit and should be behind a clear plastic safety cover to prevent unintended pushes
• Is there one at each exit?
67. Data Center PE-11 (Emergency Power)
• Ask to see the UPS/battery room and generators. Ask who services the UPS/battery room and how often.
• Ask how often generators are tested (the newest generators are usually programmed to perform automated testing). Ask what kind of fuel the generators hold (usually diesel or natural gas). If not using natural gas, ask how many gallons of fuel the generators hold. Ask what companies service the generators. If there are fuel deliveries, find out how often they occur.
• How many seconds/minutes can the data center run off the UPS before the generators kick in?

68. Data Center PE-12 (Emergency Lighting)
• The data center should have emergency lighting that automatically activates in the event of a power outage
• Look for the lights and ask who maintains them and how often they are tested
• Emergency lighting should also be in the operations center, stairwells and at all emergency exits and evacuation routes

69. Data Center PE-13 (Fire Protection)
• Is fire suppression (and detection) in place?
• Is a sprinkler system used, or an inert gas (e.g. Inergen)? If gas is used, ask to see the gas tanks and who services the tanks
• If a sprinkler system is used, ask if it is wet pipe, dry pipe, pre-action, or deluge
• Ask who services the sprinklers or gas system. Is it monitored 24 x 7 x 365 by an outside service, and does it alert the local fire authority if activated?
• Is a fire inspection performed by the local fire marshal annually or whenever local building codes require it? Ask to see the inspection certificate
• Ask if the chillers are controlled by the fire suppression system

70. Data Center PE-14 (Temp & Humidity Controls)
• Note the make/vendor of the AC system (usually Liebert); ask how many tons it is
• How is access to air conditioners/HVAC controlled? Do AC systems have a PIN pad or key?
• Ask what the temperature and humidity controls are set for and compare these numbers to what is noted in the System Security Plan. ASHRAE recommends 65-77 F (dry bulb) for temperature and 40-55% for relative humidity
• Ask about humidity control alarms: are alerts sent if relative humidity goes either under 40% or over 55%? Who receives the alerts?

71. Data Center PE-15 (Water Damage Protection)
• Ensure that water sensors are placed in strategic locations (usually under floor tiles, often near chillers)
• Ask to have a floor tile removed so you can see a water sensor
• Ask where water sensor alarms are sent
• Are there master water shut-off valves? Where?

72. Data Center PE-16 (Delivery and Removal)
• Is there a way to monitor entering and exiting of the facility, data center, and NOC (e.g. surveillance cameras)?
• Where is the video archived (either on site or by a managed service provider)?
• How long is video archived for?
• Who has access to camera video?
• Is a property removal pass required?

73. Data Center PE-17 (Alternate Work Site)
• Need to have designated alternate work sites; where are they? (e.g. government facilities, homes)
• Need to have controls, policies, procedures, and Rules of Behavior in place for alternate work sites; what are they?
• Examples of controls for alternate work sites:
  – VPNs
  – Two-factor authentication
  – Home User Procedures Guide
  – Laptops configured with full disk encryption

74. Data Center PE-18 (Location of System Components)
• Is the data center on a fault line?
• Is the data center in a location prone to hurricanes?
• Is the data center near a river or in a flood zone?
• Is the data center along a coastline? (recall the Japanese tsunami)
• Are there exterior windows on the data center?
• Is there an exterior sign on the building that is visible from the roads?
• Is the data center in an area prone to electrical outages?
• Take a picture of the outside of the facility (if you can)

75. Any Questions?