Other Standards
Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.
PCI-DSS - Payment Card Industry Data Security Standards
These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process — including prevention, detection and appropriate reaction to security incidents.
Tools to help organizations validate their PCI DSS compliance include Self-Assessment Questionnaires. The link here lists some of the tools available to help organizations become PCI DSS-compliant.
For device vendors and manufacturers, the Council provides the PIN Transaction Security (PTS) requirements, which contain a single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals. A list of approved PIN transaction devices can be accessed here.
To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications.
The Council also provides training to professional firms and individuals so that they can assist organizations with their compliance efforts. The Council maintains public resources such as lists of Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs), and Approved Scanning Vendors (ASVs). Large firms seeking to educate their employees can take advantage of the Internal Security Assessor (ISA) education program.
COBIT4.1 / COBIT5
COBIT
COBIT 4.1, Val IT and Risk IT users who are already engaged in governance of enterprise IT (GEIT) implementation activities can transition to COBIT 5 and benefit from the latest and improved guidance that it provides during the next iterations of their enterprise’s improvement life cycle.
COBIT 5 builds on previous versions of COBIT (and Val IT and Risk IT) and so enterprises can also build on what they have developed using earlier versions.
UPTIME Institute / TIA-942
TIA-942
As part of an ongoing effort to expose myths and misconceptions about its Data Center Tier Classification System, The Uptime Institute (TUI) recently took issue with the notion that the TIA-942 Telecommunications Infrastructure Standard for Data Centers is a guideline for tier classifications. “The similarities between the Uptime Institute Tiers and TIA-942 stop at the surface,” the group said in its fourth round of Tier Myths and Misconceptions documents. “Uptime Institute Tiers is functionally disconnected from TIA-942,” it continued. “The core objective of Uptime Institute Tiers is to guide a design topology that will deliver high levels of availability, as dictated by the owner’s business case. Uptime Institute Tiers evaluates data centers by their capability to allow maintenance and to withstand a fault. Uptime Institute Tiers is not available in checklist form.”
Data Center / Disaster Recovery Site Standards
Depending on the nature of the disruption, the data center’s overall integrity may be untouched or it could be totally destroyed. DR plans need to be flexible and scalable to address a broad range of disruption scenarios. This article, with its associated data center disaster recovery plan template, will help you structure a plan that addresses your data center’s operational and people issues.
For purposes of comparison, a data center disaster recovery plan focuses exclusively on a data center facility and its infrastructure, e.g., physical location, construction, security, power sources, and environmental systems. By contrast, a disaster recovery plan is a broad term that describes a process to recover disrupted IT systems, networks, and other critical assets an organization uses.
Tier based Standards
Tier Standard Overview
Data center tier standards exist to evaluate the quality and reliability of a data center’s server hosting ability. The Uptime Institute uses a somewhat mysterious four-tier ranking system as a benchmark for determining the reliability of a data center. This proprietary rating system begins with Tier I data centers, which are basically warehouses with power, and ends with Tier IV data centers, which offer 2N redundant power and cooling in addition to a 99.99% uptime guarantee. A Tier III data center is concurrently maintainable, allowing for any planned maintenance activity of power and cooling systems to take place without disrupting the operation of computer hardware located in the data center. In terms of redundancy, Tier III offers “N+1” availability. Any unplanned activity such as operational errors or spontaneous failures of infrastructure components can still cause an outage. In other words, Tier III isn’t completely fault tolerant. A Tier IV data center is fault-tolerant, allowing for the occurrence of any unplanned activity while still maintaining operations. Tier IV facilities have no single points of failure.
The basic concept is that a Tier IV design requires double the infrastructure of a Tier III design. Note that both Tier III and Tier IV data center specifications require IT equipment to have dual power inputs to permit maintenance of power distribution components between the UPS and IT equipment.
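The distinction the tier overview draws between "concurrently maintainable" and "fault tolerant" comes down to whether a redundant path has to be switched in by hand (planned work) or is already carrying load when something breaks (unplanned fault). The following script is an added example, not part of the original article or of any Uptime Institute material: it models a constructed Tier III-style topology (N+1 UPS modules, one active distribution path plus a standby alternate path) and a constructed Tier IV-style topology (two fully active 2N paths feeding dual-corded IT equipment) as directed graphs, then searches for single points of failure under both rules. Component names are illustrative, and the model checks connectivity only; it assumes each UPS module alone can carry the load, so N+1 with N=1.

```python
"""Single-point-of-failure check for a data center power topology.

Added illustration (constructed, not from the article): each topology is a
dict mapping a component to its outgoing edges (target, active). An edge
with active=False is a standby alternate path that only carries load after
a planned manual transfer, so it helps with maintenance but not with a
sudden fault. Capacity is not modelled; every UPS module is assumed able to
carry the full load on its own (N+1 with N=1).
"""
from collections import deque


def tier3_topology():
    # Constructed Tier III-style design: N+1 UPS, one active distribution
    # path (switchboard_a -> pdu_a) and a standby path (switchboard_b -> pdu_b).
    # The IT load has dual power inputs, as the article notes both tiers require.
    return {
        "utility":       [("ups_a", True), ("ups_b", True)],
        "generator":     [("ups_a", True), ("ups_b", True)],
        "ups_a":         [("switchboard_a", True), ("switchboard_b", False)],
        "ups_b":         [("switchboard_a", True), ("switchboard_b", False)],
        "switchboard_a": [("pdu_a", True)],
        "switchboard_b": [("pdu_b", False)],
        "pdu_a":         [("it_load", True)],
        "pdu_b":         [("it_load", False)],
        "it_load":       [],
    }


def tier4_topology():
    # Constructed Tier IV-style design: two independent, simultaneously active
    # paths (2N), each with its own UPS, switchboard and PDU.
    return {
        "utility":       [("ups_a", True), ("ups_b", True)],
        "generator":     [("ups_a", True), ("ups_b", True)],
        "ups_a":         [("switchboard_a", True)],
        "ups_b":         [("switchboard_b", True)],
        "switchboard_a": [("pdu_a", True)],
        "switchboard_b": [("pdu_b", True)],
        "pdu_a":         [("it_load", True)],
        "pdu_b":         [("it_load", True)],
        "it_load":       [],
    }


def sources(graph):
    """Components nothing feeds into (utility, generator) are power sources."""
    targets = {t for edges in graph.values() for t, _ in edges}
    return [n for n in graph if n not in targets]


def is_powered(graph, load, removed=frozenset(), use_standby=False):
    """Breadth-first search from every source; True if `load` is reachable
    without passing through any `removed` component. Standby edges are only
    followed when use_standby is True (i.e. a planned transfer has happened)."""
    seen = set()
    queue = deque(s for s in sources(graph) if s not in removed)
    while queue:
        node = queue.popleft()
        if node in seen or node in removed:
            continue
        seen.add(node)
        if node == load:
            return True
        for target, active in graph[node]:
            if active or use_standby:
                queue.append(target)
    return False


def single_points_of_failure(graph, load="it_load"):
    """Components whose sudden loss cuts the load: only active paths count."""
    return sorted(n for n in graph if n != load
                  and not is_powered(graph, load, frozenset([n])))


def maintenance_blockers(graph, load="it_load"):
    """Components that cannot be taken out even with a planned transfer
    onto standby paths; an empty list means concurrently maintainable."""
    return sorted(n for n in graph if n != load
                  and not is_powered(graph, load, frozenset([n]), use_standby=True))


def classify(graph, load="it_load"):
    """Map the two checks onto the article's Tier III / Tier IV vocabulary."""
    if not single_points_of_failure(graph, load):
        return "fault tolerant (Tier IV-style)"
    if not maintenance_blockers(graph, load):
        return "concurrently maintainable (Tier III-style)"
    return "neither"


if __name__ == "__main__":
    for name, topo in (("Tier III", tier3_topology()), ("Tier IV", tier4_topology())):
        print(name, "->", classify(topo),
              "| SPOFs:", single_points_of_failure(topo),
              "| maintenance blockers:", maintenance_blockers(topo))
```

Running it reports the Tier III-style design as concurrently maintainable but with `switchboard_a` and `pdu_a` as single points of failure, because the standby path only helps once someone has transferred load onto it; the Tier IV-style design has no single point of failure because both paths are live at the moment a fault occurs. The same connectivity check can be applied to cooling loops or network uplinks by swapping the component names.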