Auditing a Data Centre – But to What Standard?

Barry Elliott, RCDD
Capitoline LLP

belliott@capitoline.co.uk
www.capitoline.eu

Data Centre Auditing

• Capitoline has audited over 30 data centres in the UK, Ireland, Netherlands and the Middle East
• Capitoline is the audit partner for the Amsterdam Internet Exchange and Cisco EMEA
• No two customers have the same expectation from a data centre audit

What are the motives to obtain a DC audit?

• Their customers require it
• Need to understand ‘Tier’ rating
• Know they have problems but need an external consultant to confirm that to free up funding
• Have current and severe operational problems and need to start the overhaul/replacement process
• Need ISMS audits such as ISO 27000
• Need to know their green/CO2/PUE position
• Want compliance with H&S and other legislation

About 50 separate standards that could be applied to a data centre plus many national requirements

Tier Rating

The UpTime Institute

=TIA 942

=BICSI 002=

‘Tier’ Standards

• TUI is a design philosophy
– Tier 1, basic requirements
– Tier 2, redundant components
– Tier 3, concurrently maintainable
– Tier 4, Autonomous fault tolerance
• TIA 942, a prescriptive design guide
• BICSI 002, some different ideas

ISMS

Information Security Management standards

ISO 27000 Series

ISO 27002 Code of Practice

Information technology — Security techniques — Code of practice for information security management

1. Introduction and scope
2. Terms & definitions
3. Structure of the Standard
4. Risk assessment and treatment
5. Security policy
6. Organisation of information security
7. Asset management
8. Human resources security
9. Physical and environmental security
10. Communications and operational management
11. Access control
12. Information systems, acquisition, development & maintenance
13. Information security incident management
14. Business continuity management
15. Compliance

Big on questions but proposes no answers

Do you handle credit/debit card transactions or keep financial data?

U.S. Requirements

• Sarbanes-Oxley Act
• Health Insurance Portability and Accountability Act
• Gramm-Leach-Bliley Act
• State level legislation
• Payment card industry standard
• International Traffic in Arms Regulations

Green Credentials

• 2001 European Directive on Energy performance in Buildings
• 2006 Building Regulations Part L
• 2006 EU Energy Services Directive
• 2007 Climate Change Bill
• Server and Data Center Energy Efficiency, Public Law 109-431, April 2007

Code of Conduct on Data Centres November 2008

Make Your Reputation by Inventing a Metric

• The Green Grid
• Environmental Protection Agency, EPA
• US Department of Energy, DoE
• Silicon Valley Leadership Group
• McKinsey
• The UpTime Institute
• Leader Environmental Design, LEED
• BREEAM
• Transaction Processing Performance Council, TPPC

Data Centre Metrics

DCiE Data Centre infrastructure Efficiency

DCiE = IT equipment Power / Total facilities Power

Power Usage Effectiveness, PUE = 1 / DCiE

Advantages – Simple
Disadvantages – the servers, though taking most of the energy, may not actually be doing any useful work

Energy Usage Effectiveness EUE

Energy Star is developing an ‘improved’ metric* called Energy Usage Effectiveness (EUE) = Total Energy / UPS Energy

• EUE is based on energy, not power
• Total Energy includes all fuels (electricity, natural gas, diesel, etc.)
• EUE is based on source energy, not site energy
• Source Energy is the total amount of raw fuel required to operate the building
• Build on existing ENERGY STAR platform with methodology similar to existing ratings (1-100 scale)
• Usable for both stand-alone data centers and data centers housed within office or other buildings
• Offer the ENERGY STAR label to data centers with a rating of 75 or higher

The UpTime Institute

• Data Center Energy Efficiency and productivity (DC-EEP) Index
• DC-EEP = (IT-PEW) x (SI-EER)
• IT-PEW = IT Productivity per embedded watt
• SI-EER = Site Infrastructure Energy Efficiency (same as PUE)
• TUI say average SI-EER is 2.5 or 40%

Data Centre Auditing

• What does the customer want to achieve?
• Use the right audit package to answer the customer’s questions/requirements
• Select from the range of appropriate standards available. There is no one standard that fits all requirements
• An audit includes business processes not just physical attributes

Thank you
