
Power and Water Utility Company for Jubail and Yanbu (MARAFIQ) Master Specification: MQ-SP-T-7813

Project Name: Date: 27 Jul 2011


Contract Number: Page: 1 of 12
Revision: 1

SPECIFICATION – DATA CENTER

This specification has been revised as indicated below and described in the revision record on the
following page. Please destroy all previous revisions.

Revision No.   Date        Originator's Name & Initials   Reviewed/Checked By Name & Initials   Pages
0              4/4/2011    Cory A. Haynes                 Anna M. Pham                          11
1              7/27/2011   Albert R. Touma                Anna M. Pham                          12

APPROVALS SIGNATURES DATE

Lead Engineer Thomas B. Robinson


Project Manager: Russell Shulz
Client Approval:

ISSUED FOR : Construction X Other Review/Approval



Record of Revisions

Revision No.   Date        Description
0              4/4/2011    Issued for Review/Approval
1              7/27/2011   Added references to section 2.0.C



TABLE OF CONTENTS

Section

1.0 GENERAL
2.0 REFERENCES
3.0 DEFINITIONS
4.0 PHYSICAL SECURITY MEASURES
5.0 PHYSICAL ACCESS CONTROL
6.0 LOCAL DATA CENTER PROCEDURES
7.0 DATA CENTER ENVIRONMENTAL CONDITIONS
8.0 SECURITY BREACHES
9.0 DEVIATIONS AND EXCEPTIONS



1.0 GENERAL

A. This specification defines the minimum mandatory requirements governing the data
center for the Power and Water Utility Company for Jubail and Yanbu (MARAFIQ). The
Data Center Physical Security and Environmental Controls protect data and information
stored within the Data Center. Information resources require physical security measures to
ensure proper and timely operation, to protect value, to safeguard the integrity of
information, and to ensure the safety of personnel. Where practicable, computer systems,
facilities, and tape storage areas shall be protected from theft, alteration, damage by fire,
dust, water, heat and humidity, power loss, vibration, other contaminants, and
unauthorized disruption of operation.

B. The design, permitting and approval of this system are the Contractor’s
responsibility. Installation, commissioning and startup shall be by a contractor
experienced in the technology and approved by MARAFIQ.

2.0 REFERENCES

A. This document defines the functional requirements, while allowing flexibility to benefit
from Contractor’s experience and expertise. The use of equipment and components that
are field proven is preferred. Where the intent of this document may be satisfied with
variations that permit greater utilization of Contractor’s standard techniques, Contractor is
encouraged to highlight the differences and propose alternatives for MARAFIQ’s
consideration.

B. MARAFIQ Engineering Standards:

Document Number   Document Title
MQ-SP-E-6001      Electrical Design

C. Standards:

TIA-942 - Telecommunications Infrastructure Standard for Data Centers

NFPA 76 - Standard for the Fire Protection of Telecommunications Facilities

3.0 DEFINITIONS

1. Access List: Listing of personnel that have access (badge or key) to the Data
Center.

2. Data Center: Secure controlled access area where centrally used remotely
accessed multi-user systems and support infrastructure are located.

3. Non-Employee: An individual who is not an employee such as a customer,
subcontractor, business partner, contractor or supplier.

4. RSDM: Regional Service Delivery Manager.

5. SDM: Service Delivery Manager.

6. Visitor Log: Formal record that tracks the entry/departure of individuals
requiring escorted access to the Data Center.

4.0 PHYSICAL SECURITY MEASURES

A. All Data Centers must be adequately secured from theft and vandalism.

B. Security of Data Centers shall be consistent with applicable laws, regulations, contracts,
local codes and directives, and must be implemented in conjunction with the Security and
Facilities organizations.

C. Data Center managers shall ensure appropriate security controls are in place and working
effectively, commensurate with the level of risk and compromise to the Data Center.

D. Data Centers shall be physically controlled areas. Such controls may include manned
security stations, cipher locks, door card readers, biometrics technology devices and/or
other mechanisms. Door key locks are the minimum level of protection required where
other mechanisms are not practical or applicable. In those locations where physically
restricting access to the servers is not feasible, lock down enclosures/cabinets/racks are
an acceptable means of controlling accessibility.

E. If physical keys are used to access the Data Center, ensure that the same key is not
used to access the overall facility, that controls are in place to review and monitor all
personnel with keys on a regular basis to determine overall access, and that all keys are
engraved with “Do Not Duplicate”. Access List reviews of all physical keys should be
done quarterly and retained for a minimum of two years.

F. Doors to the Data Center can be manually closing, self-closing or automatic. If
manual, the person closing the door should validate the door has been secured by
checking the handle. If either self-closing or automatic, the time required to close the
door should be within a reasonable time frame of 7 to 10 seconds. If local Health
and Safety law requires a longer timeframe for the closure of automatic doors, this should
be documented as an exception to this process. The exception should state the specific
legal requirement and be signed off by the Service Delivery Manager.

G. All Data Centers should utilize Visitor Logs. Visitor Logs should be maintained at each
entrance of the Data Center.

H. Outward appearance of entry/exits to Data Centers should be such as not to draw
attention to the fact that a data center is located on the other side of entry points.
Therefore, Data Centers should not have labels highlighting the nature of this room for
easy identification.

I. If the Data Center has windows, ensure that they are locked and covered to prevent
external viewing. Precautions should be implemented to reduce entry through a
damaged window.

J. The Data Center should be designed with a ceiling to slab configuration to ensure access
into it cannot be obtained via a drop down ceiling.

K. Power and communications lines servicing buildings should be underground, where
possible, or subject to adequate alternative protection. Network cabling should be
protected from unauthorized interception or damage.

L. When setting up a new Data Center, consideration must be given to natural and
man-made risks. Those risks should be mitigated in the selection and layout of the Data
Center where practical.

5.0 PHYSICAL ACCESS CONTROL

A. The primary objective in controlling unescorted physical access to Data Centers is that
such access must be limited to the minimum number of individuals possible. Thus,
unescorted access must be granted and justified on a per-individual basis and not based
on an individual’s affiliation to a specific group, such as security guards and/or
maintenance personnel.

B. New or Change in Unescorted Access

1. Access to Data Centers must be limited to authorized administrators and system
maintenance personnel. In those locations where physically restricting access to
the servers is not feasible, the use of lock down enclosures/cabinets/racks is an
acceptable means of controlling accessibility.

2. All personnel entering the Data Center must have proper authorization. Access
to Data Centers shall be controlled, monitored and reviewed by the SDM or their
authorized designee.

3. All requests for access (badge or key) to Data Centers must be approved by the
SDM or their authorized designee in writing.

4. Access must be restricted to only a subset of the core IT and support staff that is
required to provide support for the systems hosted within the Data Center.
Contractor access must have a specific end date not to exceed one (1) year in
duration.

C. Unescorted Access Removal

1. All persons no longer requiring access (badge or key) to Data Centers, including
individuals no longer meeting the criteria for unescorted access, must have their
access removed on a timely basis.

2. The IT representative managing the Data Center is responsible for assuring a
localized written process is in place and adhered to for removing access (badge
or key) when no longer needed. This includes employees and non-employees
who have been terminated, transferred, or resigned from their position.

D. Unescorted Access Requirements

1. The IT representative managing the Marafiq Data Center is responsible for:

• Determining access criteria

• Assuring that only people meeting the access criteria have access
(badge or key) to the Data Center

• Conducting and maintaining appropriate access review documentation
and logs

• The guidelines on who can be given access (badge or key, criteria
required) to Data Centers should be documented in the localized version
of this practice document.

E. Monitoring and Logging of Unescorted Access

1. Logging of access entries and departures into Data Centers must be retained for
a minimum period of one (1) year.

2. Logging can either be automated through an electronic badge access log or,
where no automated service exists, done by manually entering the event into the
Data Center Visitor Log.

3. The Access List for sites with badge or physical key access should be approved
by the SDM or their authorized designee and retained for a minimum period of
one (1) year.

4. The Access List (badge or key) should be reviewed (signed and dated) by the
SDM or their authorized designee on a quarterly basis at minimum and records
retained for a minimum period of one (1) year.
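
An added example, not part of the MARAFIQ specification: a Python check of an Access List and its review history against the rules in 5.0 B.3, B.4, C.1 and E.4. The record layout, the names, and the 92-day reading of "quarterly" are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_MAX_GAP_DAYS = 92  # assumption: "quarterly" read as at most 92 days apart

@dataclass
class AccessEntry:
    name: str
    kind: str                      # "employee" or "contractor"
    granted: date
    approved_by: Optional[str]     # SDM or designee who approved in writing
    end_date: Optional[date] = None

def one_year_after(d: date) -> date:
    """Same calendar day one year later (29 Feb maps to 28 Feb)."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)

def audit_entries(entries, today):
    """Check each Access List entry against 5.0 B.3, B.4 and C.1."""
    findings = []
    for e in entries:
        if not e.approved_by:
            findings.append((e.name, "no written approval recorded"))
        if e.kind == "contractor":
            if e.end_date is None:
                findings.append((e.name, "contractor access has no end date"))
            elif e.end_date > one_year_after(e.granted):
                findings.append((e.name, "contractor access exceeds one year"))
        if e.end_date is not None and e.end_date < today:
            findings.append((e.name, "still listed after end date"))
    return findings

def audit_reviews(review_dates, today):
    """Flag missing, late or overdue signed Access List reviews (5.0 E.4)."""
    dates = sorted(review_dates)
    if not dates:
        return [("none", "no signed review on record")]
    findings = []
    for prev, nxt in zip(dates, dates[1:]):
        gap = (nxt - prev).days
        if gap > REVIEW_MAX_GAP_DAYS:
            findings.append((nxt.isoformat(), f"review late: {gap} days after previous"))
    overdue = (today - dates[-1]).days
    if overdue > REVIEW_MAX_GAP_DAYS:
        findings.append((dates[-1].isoformat(), f"review overdue: {overdue} days ago"))
    return findings

# Constructed sample data, not taken from any real Access List.
TODAY = date(2024, 6, 30)
ENTRIES = [
    AccessEntry("A. Admin", "employee", date(2023, 1, 10), "SDM"),
    AccessEntry("B. Vendor", "contractor", date(2023, 9, 1), "SDM", date(2025, 3, 1)),
    AccessEntry("C. Cabling", "contractor", date(2024, 1, 15), None),
    AccessEntry("D. Audit", "contractor", date(2023, 5, 1), "Designee", date(2024, 4, 30)),
]
REVIEWS = [date(2023, 10, 2), date(2024, 1, 5), date(2024, 3, 28)]

if __name__ == "__main__":
    for who, issue in audit_entries(ENTRIES, TODAY) + audit_reviews(REVIEWS, TODAY):
        print(f"{who}: {issue}")
```

Each finding is a pair of the entry (or review date) and the rule it fails, so the output can be attached to the signed quarterly review record.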

F. Visitor/Escorted Access

1. Anyone who does not have authorized individual access (badge or key) to the
Data Center is considered a Visitor.

2. All visitors entering the Data Center must adhere to the following guidelines:

• Visitors must be escorted at all times while in the Data Center by
personnel that have authorized individual access (badge or key) to the
Data Center.

• Visitors must log in/out when entering/exiting the Data Center via the
Visitor Log.

• The purpose of the visit must be documented.

• All exceptions must have approval of the SDM or IT representative
managing the Data Center or their authorized designee in writing.
Exceptions and their corresponding approvals should be documented on
the Visitor Log.

G. Monitoring and Logging of Visitor/Escorted Access

1. The Visitor Access log entries must be retained for a period of one (1) year and
should be reviewed (signed and dated) by SDM or assigned delegate on a
quarterly basis at minimum.

H. Reporting of Access Review Results

1. The results of the access log reviews must be documented and must be retained
for a minimum period of one (1) year.

6.0 LOCAL DATA CENTER PROCEDURES

A. Detailed Procedures

1. The IT representative managing the data center should assure existence,
creation, and adherence to localized detailed data center procedures that outline
how the standards defined in this practice are to be implemented locally. This
practice document should serve as the base document. The specific details of the
local implementation of this practice need to be documented in the local
practice document.

7.0 DATA CENTER ENVIRONMENTAL CONDITIONS

A. General

1. The selection and layout of Data Centers should take into account any risks
associated with natural and man-made disasters and implement reasonable
safeguards against said disasters. Data Centers need to be monitored and set up
for humidity, temperature, cooling/airflow, fire suppression, power interruption,
and vibration/shock where applicable.

B. Humidity

1. Humidity levels within the Data Center, whether low or high, need to be monitored
to maintain acceptable relative humidity (RH) levels. When relative humidity
levels are too high, water condensation can occur, and when too low, electrostatic
charge can build up, resulting in discharge that can damage electronic
components. The acceptable equipment operating range is between 20% and 80%
RH, non-condensing.

2. Recommended early warning alerts are between 40% and 60% relative humidity,
with critical alerts at 30% and 70% relative humidity. When an early warning alert
has been made, the SDM or his delegate will need to investigate the cause of the
deviation from standard and take actions necessary to return levels to normal.
The event should be logged along with the actions taken to return levels to
normal. The log of the event should be retained for a minimum of one year. If a
critical event occurs, the SDM or his delegate should take immediate steps to
return the levels to within acceptable levels while the underlying issue is
diagnosed and resolved.

3. As an extra precaution against electrostatic buildup and electrostatic discharge
(ESD), all computer racks should be grounded to earth as standard. This will
allow electrostatic charges to dissipate to earth, avoiding the buildup of charge
and removing the potential for damage from ESD.

4. All persons carrying out work on the internals of data center computer equipment
should be grounded to earth by connecting themselves via an antistatic strap to
the rack the equipment is in. Likewise, any components being placed in or taken
out of a piece of data center computer equipment should be placed on an
antistatic mat which is also grounded to earth through the rack.

C. Temperature

1. Operating expensive IT computer equipment for extended periods of time at high
temperatures greatly reduces reliability and longevity of components. It causes
unplanned downtime. Maintaining an ambient temperature range of 68° to 75°F
(20° to 24°C) is optimal for system reliability. This temperature range provides a
safe buffer for equipment to operate in the event of air conditioning or HVAC
equipment failure while making it easier to maintain a safe relative humidity level.

2. Expensive IT equipment should not be operated in a computer room or data
center where the ambient room temperature has exceeded 85°F (30°C).

D. Fire Suppression

1. Fire suppression equipment, either manually activated and/or automatically
activated, should be installed. Automatically activated fire suppression systems
(if installed) should be inspected and tested annually and records retained for
future inspection.

2. The quantity of self-contained portable fire extinguishers should be sufficient to
ensure complete coverage. Fire extinguishers should be conveniently located,
well marked and inspected annually and records retained for future inspection.

E. Cooling/Airflow

1. Data Centers should provide adequate cooling/airflow to computerized equipment
within the Data Center to help minimize the risk of internal overheating.

F. Power Interruption

1. Data Centers should be equipped with adequate UPS capacity to ensure
continued operation in the event of a power outage or electrical surges. The
capacity of the UPS should be sufficient to either allow for the safe shutdown of
the computer infrastructure or for an alternate power supply to kick in. Though
not required as standard, generators may be installed or utilized to provide an
additional backup power source.

2. All backup power equipment (UPS and Generators) needs to be tested on a
quarterly basis, with the tests logged, signed by Facility Management, the SDM or
assigned delegate, and retained for a minimum of one (1) year.

G. Vibration/Shock (where applicable)

1. If a Data Center is located in an earthquake zone, it is recommended that the
equipment racks located within it are secured to the floor so as to provide protection
from any vibration/shock that may occur. Though not required, the use of
rack stabilizers is recommended when available and practical.

H. Daily Monitoring

1. Devices that monitor temperature and humidity levels should be installed at the
Data Center. If possible, the output data from these devices needs to be
accessible externally from the Data Center to allow Security and/or Facility
Management personnel to monitor environmental levels within the Data Center
without requiring access.

2. The temperature and humidity levels at the Data Center need to be recorded and
reviewed on a quarterly basis to ensure that the deviations from acceptable limits
were identified and appropriate actions taken.

I. Warning System

1. If the temperature or humidity levels deviate from operational parameters, the
automated environmental monitoring device needs to be capable of sending an
alert to Facility Management and/or IT Management. This alert will enable the
SDM and their delegates to take appropriate action to return the Data Center
within operational parameters as quickly as possible per previous
recommendations.

J. Review and Testing

1. Facility Management will test the monitoring system at least quarterly to ensure
proper operation of the system. Test results shall be provided to the IT
representative managing the data center, SDM or their authorized designees.
Reviews of the testing will be logged, signed, dated and retained for a minimum
of one (1) year.

K. Alert Testing and Verification

1. The alerting function of the temperature and humidity controls should be tested
on a quarterly basis. In testing the alerting, an event must be generated that
triggers an automated alert to validate the function is performing correctly and
that all the appropriate target group(s) receive the alerts.

2. To generate the event that triggers the alert, it is suggested that you use your
breath to trigger a humidity alert or your hand heat to generate a temperature
alert. However, keep in mind that you may need to use an alternative method
depending on your sensor equipment. It should be noted that water and/or fire
should never be used to generate this test alert.

3. Prior to initiating this test, all people in the target group must be notified.
Feedback will then need to be gathered from all the target group(s) to verify that
they received the alert as well as when the alert was received. If any issues are
detected as part of this test, these issues will be rectified and then retested,
with details logged.

4. A record of the complete results of this test should be logged, signed, dated and
retained for a minimum of one (1) year.

8.0 SECURITY BREACHES

A. Security breaches in Data Centers should be immediately reported to local site security
representatives. The security breach should be documented in writing following the
incident and e-mailed to the IT representative managing the data center, SDM or their
authorized designees and IT Security.

9.0 DEVIATIONS AND EXCEPTIONS

A. Deviations and exceptions to the standards defined in this practice are to be submitted in
writing by the IT representative managing the Data Center to their respective SDM and
RSDM or other senior level IT management personnel.
