Beruflich Dokumente
Kultur Dokumente
This specification has been revised as indicated below and described in the revision record on the
following page. Please destroy all previous revisions.
Record of Revisions
TABLE OF CONTENTS
Section
3.0 DEFINITIONS................................................................................................................................ 4
1.0 GENERAL
A. This specification defines the minimum mandatory requirements governing the data
center for the Power and Water Utility Company for Jubail and Yanbu (MARAFIQ). The
Data Center Physical Security and Environmental Controls protect data information stored
within the Data Center. Information resources require physical security measures to
ensure proper and timely operation, to protect value, to safeguard the integrity of
information, and to ensure the safety of personnel. Where practicable computer systems,
facilities, and tape storage areas shall be protected from theft, alteration, damage by fire,
dust, water, heat and humidity, power loss, vibration, other contaminants, and
unauthorized disruption of operation.
B. The design, permitting and approval of this system are the Contractor’s
responsibility. Installation, commissioning and startup shall be by a contractor
experienced in the technology and approved by MARAFIQ.
2.0 REFERENCES
A. This document defines the functional requirements, while allowing flexibility to benefit
from Contractor’s experience and expertise. The use of equipment and components that
are field proven is preferred. Where the intent of this document may be satisfied with
variations that permit greater utilization of Contractor’s standard techniques, Contractor is
encouraged to highlight the differences and propose alternatives for MARAFIQ’s
consideration.
C. Standards:
3.0 DEFINITIONS
1. Access List: Listing of personnel that have access (badge or key) to the Data
Center.
2. Data Center: Secure controlled access area where centrally used remotely
accessed multi-user systems and support infrastructure are located.
Power and Water Utility Company for Jubail and Yanbu (MARAFIQ) Master Specification: MQ-SP-T-7813
Project Name: Date: 27 Jul 2011
Contract Number: Page: 5 of 12
Revision: 1
A. All Data Centers must be adequately secured from theft and vandalism.
B. Security of Data Centers shall be consistent with applicable laws, regulations, contracts,
local codes and directives, and must be implemented in conjunction with the Security and
Facilities organizations.
C. Data Center managers shall ensure appropriate security controls are in place and working
effectively, commensurate with the level of risk and compromise to the Data Center.
D. Data Centers shall be physically controlled areas. Such controls may include manned
security stations, cipher locks, door card readers, biometrics technology devices and/or
other mechanisms. Door key locks are the minimum level of protection required where
other mechanisms are not practical or applicable. In those locations where physically
restricting access to the servers is not feasible, lock down enclosures/cabinets/racks are
an acceptable means of controlling accessibility.
E. If the Data Center utilizes physical keys to access them, ensure that the same key is not
used to access the overall facility and that controls are in place to review and monitor all
personnel with keys on a regular basis to determine overall access, and that all keys are
engraved with “Do Not Duplicate”. Access List reviews of all physical keys should be
done quarterly and retained for a minimum of two years.
F. Doors to the Data Center can be manually closing, self closing or an automatic. If
manual, the person closing the door should validate the door has been secured by
checking the handle. If either self closing or automatic, the time required to close the
door should be within a reasonable time frame of within 7 to 10 seconds. If local Health
and Safety law requires a longer timeframe for the closure of automatic doors this should
be documented as an exception to this process. The exception should state the specific
legal requirement and be signed off by the Service Delivery Manager.
G. All Data Centers should utilize Visitor Logs. Visitor Logs should be maintained at each
entrance of the Data Center.
Therefore, Data Centers should not have labels highlighting the nature of this room for
easy identification.
I. If the Data Center has windows, ensure that they are locked and covered to prevent
external viewing. Precautions should be implemented to reduce entry through a
damaged window.
J. The Data Center should be designed with a ceiling to slab configuration to ensure access
into it cannot be obtained via a drop down ceiling.
L. When setting up a new Data Center, consideration must be given to natural and man
made risks. Those risks should be mitigated in the selection and layout of the Data
Center where practical.
A. The primary objective in controlling unescorted physical access to Data Centers is that
such access must be limited to the minimum number of individuals as possible. Thus,
unescorted access must be granted and justified on a per individual basis and not based
on an individual’s affiliation to a specific group, such as security guards and/or
maintenance personnel.
2. All personnel entering the Data Center must have proper authorization. Access
to Data Centers shall be controlled, monitored and reviewed by the SDM or their
authorized designee.
3. All requests for access (badge or key) to Data Centers must be approved by the
SDM or their authorized designee in writing.
4. Access must be restricted to only a subset of the core IT and support staff that is
required to provide support for the systems hosted within the Data Center.
Contractor access must have a specific end date not to exceed one (1) year in
duration.
Power and Water Utility Company for Jubail and Yanbu (MARAFIQ) Master Specification: MQ-SP-T-7813
Project Name: Date: 27 Jul 2011
Contract Number: Page: 7 of 12
Revision: 1
1. All persons no longer requiring access (badge or key) to Data Centers, including
individuals no longer meeting the criteria for unescorted access, must have their
access removed within a timely basis.
Assuring that only people meeting the access criteria have access
(badge or key) to the Data Center
1. Logging of access entries and departures into Data Centers must be retained for
a minimum period of one (1) year.
3. The Access List for sites with badge or physical key access should be approved
by the SDM or their authorized designee and retained for a minimum of period of
one (1) year.
4. The Access List (badge or key) should be reviewed (signed and dated) by the
SDM or their authorized designee on a quarterly basis at minimum and records
retained for a minimum period of one (1) year.
F. Visitor/Escorted Access
1. Anyone who does not have authorized individual access (badge or key) to the
Power and Water Utility Company for Jubail and Yanbu (MARAFIQ) Master Specification: MQ-SP-T-7813
Project Name: Date: 27 Jul 2011
Contract Number: Page: 8 of 12
Revision: 1
2. All visitors entering the Data Center must adhere to the following guidelines:
Visitors must log in/out when entering/exiting the Data Center via the
Visitor Log.
1. The Visitor Access log entries must be retained for a period of one (1) year and
should be reviewed (signed and dated) by SDM or assigned delegate on a
quarterly basis at minimum.
1. The results of the access log reviews must be documented and must be retained
for a minimum period of one (1) year.
A. Detailed Procedures
A. General
1. The selection and layout of Data Centers should take into account any risks
Power and Water Utility Company for Jubail and Yanbu (MARAFIQ) Master Specification: MQ-SP-T-7813
Project Name: Date: 27 Jul 2011
Contract Number: Page: 9 of 12
Revision: 1
associated with natural and man made disasters and implement reasonable
safeguards against said disasters. Data Centers need to be monitored and set up
for humidity, temperature, cooling/airflow, fire suppression, power interruption,
and vibration/shock where applicable.
B. Humidity
1. Humidity levels within the Data Center, whether low or high, need to be monitored
to maintain acceptable relative humidity (RH) levels. When relative humidity
levels are too high, water condensation can occur and when too low electrostatic
can build up resulting in discharge that can be damaging to electronic
component. Equipment operating requirements for the acceptable range is
between 20% and 80% non-condensing.
2. Recommended early warning alerts are between 40% and 60% relative humidity,
with critical alerts at 30% and 70% relative humidity. When an early warning alert
has been made, the SDM or his delegate will need to investigate the cause of the
deviation from standard and take actions necessary to return levels to normal.
The event should be logged along with the actions taken to return levels to
normal. The log of the event should be retained for a minimum of one year. If a
critical event occurs, the SDM or his delegate should take immediate steps to
return the levels to within acceptable levels while the underlying issue is
diagnosed and resolved.
4. All persons carrying out work on the internals of data center computer equipment
should be grounded to earth by connecting themselves via an antistatic strap to
the rack the equipment is in. Likewise, any components being placed in or taken
out of a piece of data center computer equipment should be placed on an
antistatic mat which is also grounded to earth through the rack.
C. Temperature
D. Fire Suppression
E. Cooling/Airflow
F. Power Interruption
H. Daily Monitoring
1. Devices that monitor temperature and humidity levels should be installed at the
Data Center. If possible, the output data from these devices needs to be
accessible externally from the Data Center to allow Security and/or Facility
Management personnel to monitor environmental levels within the Data Center
without requiring access.
2. The temperature and humidity levels at the Data Center need to be recorded and
reviewed on a quarterly basis to ensure that the deviations from acceptable limits
were identified and appropriate actions taken.
Power and Water Utility Company for Jubail and Yanbu (MARAFIQ) Master Specification: MQ-SP-T-7813
Project Name: Date: 27 Jul 2011
Contract Number: Page: 11 of 12
Revision: 1
I. Warning System
1. Facility Management will test the monitoring system at least quarterly to ensure
proper operation of the system. Test results shall be provided to the IT
representative managing the data center, SDM or their authorized designees.
Reviews of the testing will be logged, signed, dated and retained for a minimum
of one (1) year.
1. The alerting function of the temperature and humidity controls should be tested
on a quarterly basis. In testing the alerting, an event must be generated that
triggers an automated alert to validate the function is performing correctly and
that all the appropriate target group(s) receive the alerts.
2. To generate the event that triggers the alert, it is suggested that you use your
breath to trigger a humidity alert or your hand heat to generate a temperature
alert. However, keep in mind that you may need to use an alternative method
depending on your sensor equipment. It should be noted that water and/or fire
should never be used to generate this test alert.
3. Prior to initiating this test, all people in the target group must be notified.
Feedback will then need to be gathered from all the target group(s) to verify that
they received the alert as well as when the alert was received. If any issues are
detected as part of this test, these issues will be rectified and then retested and
with details logged.
4. A record of the complete results of this test should be logged, signed, dated and
retained for a minimum of one (1) year.
A. Security breaches in Data Centers should be immediately reported to local site security
representatives. The security breach should be documented in writing following the
incident and e-mailed to the IT representative managing the data center, SDM or their
authorized designees and IT Security.
Power and Water Utility Company for Jubail and Yanbu (MARAFIQ) Master Specification: MQ-SP-T-7813
Project Name: Date: 27 Jul 2011
Contract Number: Page: 12 of 12
Revision: 1
A. Deviations and exceptions to the standards defined in this practice are to be submitted in
writing by the IT representative managing the Data Center to their respective SDM and
RSDM or other senior level IT management personnel.