Critical Facilities Operations Process: Explanations and illustrative examples.
For training videos, please visit https://m.youtube.com/channel/UCYw2fG4p7buyhJD0EYHahuQ
Digital Communication Essentials: DPCM, DM, and ADM .pptx
10. Process: ocp cfops security and access
1. Coromatic Academy
Open Compute Project, Critical Facilities Operations Framework
Process: Security and Access
Rev 2020-08-03
Information classification: Public
4. Site Operations
Integration
Terms &
Conditions
OCP CFOPS Delivery model
Incidents
Work Orders & Projects
On-site Access
Service Levels
Organization
KPI Monitoring
& Reporting
Lifecycle &
Financial
Mgmt
On-site
services
Security &
Access
Maintenance
In / outdoor
FM
Site
assistance
Site Inspection
Audits and
Compliance
Site Management
Delivery Support
Service Level
Mgmt
Lifecycle &
Financial
Mgmt
WO & Project
Mgmt
Monitoring &
Reporting
Governance
and BCP
Advisory and
Benchmarking
Supply Chain
and Sourcing
Service Desk
24/7
Incident Mgmt
Team &
Suppliers
Capacity
Mgmt &
Optimization
Document
Mgmt
Compliance
Mgmt
Service
Improvements
Asset List
Border List
Customer
Managed
Operating
Center
Source: OCP CFOPS 2019 v1.4
5. Security and Access
MindMap Overview Process Summary
The security and access process, procedures and building construction
should be appropriate to the assets that they are protecting. This would
include critical assets in the primary area as well as site systems in other
parts of the net floor area.
Perimeter protection
A critical facility should be appropriately protected against threats that may
break the perimeter. By protecting against external and environmental
threats, i.e. man-made or natural disasters, it is focused on ensuring that
only designated access points can be used to gain entry to the critical facility.
Typical services may include patrolling by guards or CCTV monitoring of
different parts of the building and its external premises.
Furthermore, the building construction itself may allow for several
protective layers or zones which can increase the level of the perimeter
protection and further protect against breaches outside the ordinary access
control points.
Source: OCP CFOPS 2019 v1.4
6. Lessons learned / Customer experiences
“Every time we have US or UK based site Owners ask us to
manage their sites, they expect us to have armed on-site
guards 24/7.
It usually does not take very long to convince them of the
cost benefits and reliability of remote security monitoring
with scheduled patrols and call-outs, especially when
considering the protection classification based on the
passive security measures of the building itself and the
restrictions on armed security guards…”
7. Security and Access
MindMap Overview Process Summary
The security and access process, procedures and building construction should be
appropriate to the assets that they are protecting. This would include critical
assets in the primary area as well as site systems in other parts of the net floor
area.
Access control
All personnel, visitors and deliveries to the site should be registered and processed
according to operational procedures where at least the following should be made:
• Verification of identity, i.e. authentication
• Verification of authorization
• Logging of access
Remote monitoring of alarm systems and CCTV is normally used to control access
to premises or rooms when a correct authentication has been performed.
Appropriate controls are put in place to ensure that access control audit logs
cannot be altered, tampered, or deleted, thus destroying evidential integrity. This
integrity is generally required to support a potential criminal prosecution because
of a security incident.
The access control system audit logs should be inspected on a recurring basis.
Source: OCP CFOPS 2019 v1.4
8. Lessons learned / Customer experiences
“The importance of separating accountabilities have proven to be a
success factor to us:
the Site Owner is accountable for authorizing who should be allowed
into the premises, while the outsourced Site Access service provider is
accountable for authenticating individuals wanting to gain access.
This means that if a person is properly authenticated and has the
authorization to gain access they will be let in. Otherwise not.
By independent reviews of the access logs, it is validated that these
procedures are followed diligently.
We even have service levels with penalties for this process.”
9. Final notes
• Passive perimeter protection should be complemented
by active protection measures
• Access control relies on a well managed process for
“Team & Suppliers Management” (Staff Register)
• On-site works should always include updating and
finalizing related documentation and service records
• Handling of personal data need to be GDPR compliant
Clear market leader in turnkey data centers and other critical facilities
Highly skilled and experienced workforce operating out of 20 locations
Unrivalled experience as a full-service provider of turnkey critical facilities solutions
Proven international delivery capabilities
Strong Nordic customer base across a wide range of industries