ETTE’s datacenter security comprises physical, electronic and legal (compliance) elements, listed below:
Because of the physical nature of a datacenter, it is important to have extensive physical security as well as cybersecurity.
ETTE’s datacenter has the following physical security elements:
Security fence: Made of precast concrete, the security fence meets US Department of State K8 certification standards. Under the K8 standard, a 15,000 kg diesel truck traveling at the barrier at 40 MPH will not penetrate the barrier by more than 36 inches.
Physical setback: The perimeter of the datacenter property has a physical setback of 40 – 100 feet. This setback allows for a clear field of vision for the CCTV and guard patrols to detect intruders.
Access gate: The facility features two hardened access gates staffed 24 hours a day, 7 days a week, by trained security guards. Guards perform a 100% ID check for all persons seeking to enter the facility.
Building perimeter: To supplement the property security fence, precast crash-resistant concrete protects the building perimeter.
Security check-in: Visitors entering the building are greeted by a fully staffed reception desk. At the desk, visitors sign in and out of the building. Our staff provides the appropriate (escort or non-escort) badge for each visitor accessing the facility.
Closed Circuit Television (CCTV): CCTV covers the building interior, the building exterior and the facility grounds. The CCTV feeds into a protected and hardened control room. Our system records and preserves the feed in case it is required for later review.
Two-Factor Access Control: Access to and through datacenter facilities requires a possession factor (card key) and a biometric factor (biometric scanners). Card keys are coded to grant access only to the areas of the datacenter relevant to a given user. Visitor card keys expire, so an unreturned card cannot be used for unauthorized access at a later date.
Security Staff: The ETTE datacenter features an experienced, fully trained security staff protecting the datacenter 24/7. The security staff is responsible for staffing the front gate, the building check-in desk and the CCTV control room. Roving security teams patrol the building and grounds.
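The access-control policy described above (possession factor plus biometric factor, zone-scoped card codes, expiring visitor cards), as an added Python illustration; the names, zones and sample cards are constructed, and this is not ETTE’s access-control software:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

# Illustration of the two-factor, zone-scoped, expiring-card policy.
# All identities, zones and times below are constructed sample data.

@dataclass(frozen=True)
class CardKey:
    holder: str                      # identity the card was issued to
    zones: FrozenSet[str]            # areas the card is coded for
    expires_at: Optional[datetime]   # None for staff cards; set for visitor cards

@dataclass(frozen=True)
class AccessRequest:
    card: Optional[CardKey]          # possession factor; None if no card presented
    biometric_id: Optional[str]      # identity asserted by the scanner; None on no match
    zone: str                        # door or zone being requested
    at: datetime                     # time of the attempt

def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Fail closed: every check must pass before the door opens."""
    if req.card is None:
        return False, "no card presented"
    if req.biometric_id is None:
        return False, "no biometric match"
    if req.biometric_id != req.card.holder:
        return False, "biometric identity does not match card holder"
    if req.card.expires_at is not None and req.at >= req.card.expires_at:
        return False, "card expired"
    if req.zone not in req.card.zones:
        return False, "card not coded for this zone"
    return True, "granted"

# Constructed sample cards: a permanent staff card and an 8-hour visitor card.
ISSUED = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
STAFF = CardKey("staff-001", frozenset({"lobby", "hall-a", "noc"}), None)
VISITOR = CardKey("visitor-042", frozenset({"lobby", "hall-a"}), ISSUED + timedelta(hours=8))

def demo() -> dict:
    """Representative attempts; each key names the scenario being checked."""
    return {
        "staff_noc": decide(AccessRequest(STAFF, "staff-001", "noc", ISSUED)),
        "visitor_hall_same_day": decide(AccessRequest(VISITOR, "visitor-042", "hall-a", ISSUED + timedelta(hours=2))),
        "visitor_noc": decide(AccessRequest(VISITOR, "visitor-042", "noc", ISSUED + timedelta(hours=2))),
        "visitor_unreturned_card_next_day": decide(AccessRequest(VISITOR, "visitor-042", "hall-a", ISSUED + timedelta(days=1))),
        "stolen_card_wrong_person": decide(AccessRequest(STAFF, "visitor-042", "noc", ISSUED)),
        "card_only": decide(AccessRequest(STAFF, None, "lobby", ISSUED)),
    }
```

The last three scenarios show why both factors and the expiry matter: a card alone, a card in the wrong hands, and an unreturned visitor card are all denied.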
The IT systems at the datacenter have these defenses, designed to prevent, detect, and respond to a cyber attack. Note that these defenses apply to datacenter systems and not necessarily individual client systems. Client systems may have stronger or lighter security measures in place:
Firewall: ETTE’s datacenter has a strong firewall to inspect and block questionable network traffic.
Data Encryption: Encrypting data means that even data stolen from a network is unusable without a decryption key. We use encryption for data transfer and storage.
Advanced Anti-Virus and Anti-Malware protection: Advanced systems employ artificial intelligence to predict and stop attacks before they begin.
Endpoint Protection: A cyberdefense strategy that focuses on hardening access points to a system’s network, including connectable points like laptops, smart phones, and data ports.
Intrusion Detection and Prevention Systems: Monitoring applications that identify, assess and respond to network anomalies that may indicate a developing attack.
Multi-factor Authentication: In addition to a password, systems require an additional level of user verification to gain access to the IT environment.
Real-time Reporting and Auditing: System monitors that review the IT environment and issue warnings, alarms and reports for the network operation.
Stringent and Enforced Security Policies: For example, policies requiring users to change passwords on a regular basis, disabling default security settings, prohibitions against credential sharing, etc.
Security Certifications and Standards:
ETTE’s datacenter either holds these certifications, or has met the requirements for these published industry standards:
ISO 27001: Our datacenter meets the information security standard defined by the International Organization for Standardization (ISO). An independent third party has audited our security systems for compliance. To achieve ISO 27001 certification, the datacenter needed to develop a comprehensive plan to manage, operate, support and review an information security management system, using the controls identified as relevant for a datacenter. ETTE uses these controls to prevent, detect or respond to security threats. The security controls can be physical, procedural, technical or legal in nature.
FISMA Compliant: The Federal Information Security Management Act (FISMA) is US legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. To be FISMA compliant, an organization needs to follow a seven-point framework: information systems inventory, risk-level-based categorization of information and systems, relevant security controls, comprehensive risk assessment, system security plan, certification of the plan and controls, and continuous (ongoing) monitoring. While FISMA is a standard for government systems, in the private sector FISMA is considered the standard for government contractors storing government IT data and systems.
GSA ISC Level IV: The US General Services Administration (GSA), in coordination with the Department of Homeland Security and other US government agencies, formed the Interagency Security Committee (ISC). The ISC’s mission is to develop building construction standards that make security an integral part of the design and construction of government properties. As with FISMA, GSA-ISC compliance in the private sector renders a building suitable for government activity. “Level IV” refers to a size standard, in this case over 150,000 square feet.
SOC 2 Type II: While not a certification per se, a System and Organization Controls (SOC) 2 report describes the security controls at a service organization. A Type I report reviews management’s security controls and reports on their suitability for the proposed service function (in this case, a datacenter). A Type II report comments on the operating effectiveness of those security controls. The American Institute of Certified Public Accountants, a member association of financial professionals, administers SOC.
Payment Card Industry Data Security Standard (PCI-DSS): This standard was collectively developed by major credit card issuers, such as Visa, Mastercard, and others. PCI-DSS sets standards to securely store and electronically process credit card data. The standard specifies 12 requirements grouped into six control objectives: 1) Build and Maintain a Secure Network and Systems, 2) Protect Cardholder Data, 3) Maintain a Vulnerability Management Program, 4) Implement Strong Access Control Measures, 5) Regularly Monitor and Test Networks, 6) Maintain an Information Security Policy.
HIPAA, HITECH and cGMP compliance: ETTE’s datacenter meets US government standards for the secure storage of medical records. Compliance requires four key controls: 1) adequate physical and electronic security, 2) auditable systems, 3) written policies and procedures, and 4) an independent audit of the security systems.