APPENDIX A

DATA CENTER EVALUATION CHECKLISTS

This online document contains data center evaluation checklists that you can use to determine whether your current computing resources meet the minimum suggested requirements for a dependable computing environment. The checklists are useful for identifying the elements that you must manage to achieve a dependable computing environment.

NOTE

Digital provides this document in SYS$EXAMPLES as a courtesy to readers of the handbook, Building Dependable Systems: The VMS Approach. The handbook's order number is AA-PH62A-TE. It is part of the VMS documentation set.

This text file is based on information in Appendix A of Building Dependable Systems: The VMS Approach. If desired, you can use this file to complete the data center checklist online. However, please do not modify the version of this file that resides in SYS$EXAMPLES. Digital recommends that you instead copy this file from SYS$EXAMPLES to a private directory, invoke a text editor, and then complete the data center checklist.

A PostScript[R] version of this document is also available. Print VMS_DEPENDABILITY_CHECKLIST.PS from SYS$EXAMPLES if you have a PostScript printer and prefer to complete the checklist in printed form.

The information in this document is subject to change without notice and should not be construed as a commitment by Digital Equipment Corporation. Digital Equipment Corporation assumes no responsibility for any errors that may appear in this document.

© Digital Equipment Corporation. 1991. All rights reserved.

___________________
[R] PostScript is a registered trademark of Adobe Systems Incorporated.

The questions are structured so that the correct answer is Yes. If, after completing the checklists, you find that you have answered a majority of the questions with a No, you should take steps to remedy the particular inadequacy.
If you need professional help, the Digital Facilities Management Services (FMS) group is chartered to help you analyze areas that need improvement and come up with a schedule for implementing changes to create a more dependable computing environment. Contact your Digital representative for more information about the Digital FMS group.

The evaluation checklists are organized into the following categories:

o General planning (see Section A.1.)

  Comprehensive, well-documented plans are essential to a data center. The general planning checklist evaluates your data center's general planning strategies.

o Environment management (see Section A.2.)

  Effective management of your data center's environment is critical. The environment management checklist evaluates your data center's environmental management strategies.

o Data center organization (see Section A.3.)

  The data center organization checklist evaluates your overall strategies.

o Security (see Section A.4.)

  Strict security strategies must be implemented to protect your data center from intruders. The security checklist evaluates your data center's security strategies.

  ---------------------- Caution -----------------------
  Use discretion in selecting which options to enable. Extensive use of security auditing can consume significant system resources.

o Application software (see Section A.5.)

  Vendor-supplied application software and your group's application software must be evaluated and tested extensively before it can qualify to be installed on production systems in your data center. The application software checklist evaluates your data center's application software strategies.

o Digital service and support (see Section A.6.)

  Digital specialists can help you plan strategies for building a data center. The Digital service and support checklist evaluates your data center's support strategies.

Section A.7 contains a compliance summary table so that you can determine how well your data center complies with suggested techniques for achieving a dependable computing environment.

A.1 General Planning Checklist

o Are the computing system tools and techniques used in conformance with architectures and strategies approved by Digital?  Yes____ No____
o Is Digital aware of your group's telecommunications needs and desires?  Yes____ No____
o Regarding long-range business, technology, and service plans:
  - Is there a current, published mission or charter statement for the data center group?  Yes____ No____
  - Is there a current organization chart for the data center group?  Yes____ No____
  - Do current plans for the data center group include the following:
    * Capacity planning?  Yes____ No____
    * Hardware planning?  Yes____ No____
    * System software planning?  Yes____ No____
    * Technology planning?  Yes____ No____
    * Project planning?  Yes____ No____
    * Human resource planning?  Yes____ No____
    * Business planning?  Yes____ No____
  - Are the plans updated annually?  Yes____ No____
o Is there sufficient capacity and bandwidth in the network to meet future requirements?  Yes____ No____
o Does the data center group have a long-range plan and is it consistent with the business long-range plan?  Yes____ No____
o Are planned deliverables associated with resource projections?  Yes____ No____

A.2 Environmental Management Checklist

o Regarding the construction and location of the computer room:
  - Are the computer room walls away from outside walls?  Yes____ No____
  - Are the computer room walls not sharing walls with public areas such as a cafeteria?  Yes____ No____
  - Are there floor-to-ceiling walls?  Yes____ No____
  - Is the computer room protected by self-lock doors that are not affected by air pressure?  Yes____ No____
  - Is an emergency power shutoff located at each door and away from light switches?  Yes____ No____
  - Are there adequate emergency exits available and clear of obstruction?  Yes____ No____
  - Is emergency lighting available in computer room?  Yes____ No____
  - Are cables (if not under raised floor) secure so as to avoid tripping or injury?  Yes____ No____
  - Is there an intrusion detection system with monitoring?  Yes____ No____
o Are the procedures and equipment in place for fire protection?  Yes____ No____
o Have all tests of procedures and equipment been documented?  Yes____ No____
o Have you taken the following precautions:
  - Smoking forbidden in computer room?  Yes____ No____
  - Eating and drinking forbidden in the computer room?  Yes____ No____
  - Adequate humidity, air-conditioning, and temperature controls in place and regularly tested?  Yes____ No____
  - Flammable materials not stored in computer room?  Yes____ No____
  - Sprinkler systems designed to minimize damage to equipment?  Yes____ No____
  - Fire evacuation plan in place?  Yes____ No____
  - Smoke detectors and heat-sensitive alarms installed?  Yes____ No____
  - Halon gas fire extinguishers available?  Yes____ No____
  - Fire detection and alarm systems linked to main system for the building?  Yes____ No____
  - Link to fire department established?  Yes____ No____
  - Fire extinguishing systems and hand-held extinguishers accessible from every location in computer room?  Yes____ No____
  - Fire extinguishers tested periodically and up to date?  Yes____ No____
o Is the media library separated from the computer room?  Yes____ No____
  - Is it constructed with similar precautions as the computer room?  Yes____ No____
  - Does it have the same types of physical security controls?  Yes____ No____
o Are records kept for:
  - Terminals connected to systems?  Yes____ No____
  - Nodes connected to networks?  Yes____ No____
  - List of system users?  Yes____ No____
o Is there a documented layout of all hardware?  Yes____ No____
o Is the facility wiring well documented?  Yes____ No____
o Is there a facility-wide wire labeling standard?  Yes____ No____
o Are all wires and cables labeled?  Yes____ No____
o Is the data switch well documented?  Yes____ No____

A.3 Data Center Organization Checklist

o Regarding human resource plans and implementations:
  - Is the delegation of duties supported by current job descriptions?  Yes____ No____
    Are there full job descriptions for all data center personnel outlining their duties and responsibilities?  Yes____ No____
  - Are there current and signed (manager and employee) job plans?  Yes____ No____
  - Is there on file a documented training and development schedule for all personnel within the data center group?  Yes____ No____
  - Is the plan being implemented on schedule?  Yes____ No____
o Is the number of nondesktop computer systems managed per system manager (or data center operations support person) less than four (managed means substantial system support is provided)?  Yes____ No____
o Is the number of desktop computer systems and other computing devices for each support person less than 50?  Yes____ No____
  - Are floppy disks stored in a dust-free, magnetic-free area?  Yes____ No____
  - Is there a formalized backup procedure for floppy disks and evidence that the procedure is being followed on a routine schedule?  Yes____ No____
o Is the percent of printers in the computing environment less than 60% of all printers at the site?  Yes____ No____
o Is the percent of data being backed up less than 60% of all data on disk or tape?  Yes____ No____
o Are backup and archiving retrieval process and measurements planned and implemented?  Yes____ No____

A.4 Security Checklist

o Is there a documented process for requiring password changes on a regularly scheduled basis?  Yes____ No____
o Is there a process to control passwords?  Yes____ No____
  Does this include password minimum length checks and password expirations so that passwords are difficult to guess?  Yes____ No____
o Are computer system and network passwords changed at least every 3 months and other passwords changed every 6 months?  Yes____ No____
o Have you published a system security and internal control training and awareness schedule for all data center personnel?  Yes____ No____
o Is there documented evidence that the schedule is being implemented?  Yes____ No____
o Is there a documented procedure to grant accounts on computer systems?  Yes____ No____
  Does this procedure include:
  - Statement of need?  Yes____ No____
  - Signatures of requester, requester's manager, system manager, and person setting up the account?  Yes____ No____
  - Time periods for access and an expiration date?  Yes____ No____
o Does each user have his or her own account?  Yes____ No____
o Are account privileges strictly controlled?  Yes____ No____
o Do privileged users have nonprivileged accounts for normal access (consider whether additional password controls are required, such as password minimum length checks, password expirations, and using only system-generated passwords)?  Yes____ No____
o Are accounts that have been inactive for long periods of time verified as being current (for example, to check for employees transferred or terminated)?  Yes____ No____
o Are approved computer security tools and processes implemented for all computer systems?  Yes____ No____
o Have you enabled notification for:
  - World-readable files?  Yes____ No____
  - Passwords shorter than minimum length?  Yes____ No____
  - Expired passwords?  Yes____ No____
  - Privileged access and modifications to critical system files?  Yes____ No____
  - Login or file access failures?  Yes____ No____
o Do all computer systems ensure maximum security?  Yes____ No____
o Are all accounts authenticated at least once every 6 to 12 months?  Yes____ No____
o Are computer system accounts that are not used on a regular basis deactivated until actually required?  Yes____ No____
o Is there a procedure to periodically check the user authorization file (UAF) for unauthorized access?  Yes____ No____
o Is physical access to the computer room controlled in these ways:
  - Is there a written list of authorized personnel?  Yes____ No____
  - Is the reason for access included?  Yes____ No____
  - Is one person responsible for keeping this list current?  Yes____ No____
  - Has the list been updated within the last 3 months?  Yes____ No____
  - Is there a visitors' log?  Yes____ No____
  - Is the visitors' log kept in a secure area?  Yes____ No____
  - Are access doors locked?  Yes____ No____
  - Is there a documented procedure for assigning keys, key cards, and combinations?  Yes____ No____
  - Are access controls changed periodically and on transfer or termination of employees?  Yes____ No____
  - Are there clear procedures written for users and visitors to the computer room to outline the process?  Yes____ No____
o Regarding security for terminals and personal computers located outside the computer room:
  - Is there a program running on the computer systems that will log out terminals that have not been used for a given period of time?  Yes____ No____
  - Are user terminals logged off when unattended?  Yes____ No____
  - Is there a security awareness program for the organization (outside of the data center operations group)?  Yes____ No____
  - Do you have software approved by Digital on your systems?  Yes____ No____
  - Are desktops clear of the hardcopy information relating to computer system, network passwords, and other system account information?  Yes____ No____
  - Are the desks and file cabinets locked?  Yes____ No____
  - Are floppy disks inaccessible in or near workstations?  Yes____ No____
  - Are keys kept out of open view?  Yes____ No____
o Regarding additional controls applied to guest accounts of the computer systems:
  - Are activities reviewed and timely adjustments made to changes in status?  Yes____ No____
  - Is a special default guest account established?  Yes____ No____
o Regarding controls for dial-in numbers:
  - List of authorized users?  Yes____ No____
  - Periodic changing of numbers?  Yes____ No____
  - Procedures to notify users of number changes?  Yes____ No____
  - A policy to minimize publishing dial-in numbers?  Yes____ No____
  - Long-range plans for dial-back equipment?  Yes____ No____
  - Policy about changing passwords when employees with access are terminated?  Yes____ No____
o Is there documentation available and in place about:
  - A dial-back system?  Yes____ No____
  - Details about the network?  Yes____ No____
  - Terminal equipment installed?  Yes____ No____
  - Terminal switching systems?  Yes____ No____
  - Details about all terminal devices connected to the network?  Yes____ No____
  - Details about all dial-in equipment?  Yes____ No____
o Are fault logs maintained to record problems?  Yes____ No____
o Is the transmission of sensitive information closely monitored?  Yes____ No____
o Are there contingency arrangements for network failures?  Yes____ No____
o Regarding controls to manage internal network connections and monitor usage:
  - Documentation showing wide area network (WAN) circuits and business reasons?  Yes____ No____
  - Documentation showing network links?  Yes____ No____
  - Network registration includes written approval of the manager, statement of need to connect, and statement of security controls implemented on node?  Yes____ No____
o Are controls in place to conform to international regulations if networks are used to pass information over national boundaries?  Yes____ No____
o Are the wide area network (WAN) and local area network (LAN) availability and performance measurements consistent with the service agreement?  Yes____ No____
o Computer systems remotely monitored or managed:
  - Are services evaluated for potential out-sourcing to other internal or external groups?  Yes____ No____
  - Is the percent of computer systems remotely monitored or managed greater than 40% of all remote computer systems?  Yes____ No____
  - Is the percent of managed computer systems remotely diagnosed or maintained greater than 60% of all computer systems managed?  Yes____ No____
  - Are system management tools and techniques in conformance with Digital architectures?  Yes____ No____
o Is the tool set planned or implemented?  Yes____ No____
o Is the percent of costs for backup and archiving less than 16% of total support costs?  Yes____ No____
o Is a program to reduce backup and archiving volumes and costs planned or implemented?  Yes____ No____
o Is the number of monthly failures fewer than 5 (failure means user access or activity is delayed for more than 30 minutes)?  Yes____ No____
o Is the mail menu response time less than 4 seconds (average, measured in seconds)?  Yes____ No____
o Are system capacity and utilization criteria and measurements planned or implemented?  Yes____ No____
o Is migration to the latest hardware and released software upgrades planned and implemented when justified?  Yes____ No____
o Is there involvement in product improvement through participation in field tests or other feedback to Digital engineering?  Yes____ No____
o Are data center policies and operating instructions regularly maintained and made available to employees responsible for planning or maintaining the computing environment?  Yes____ No____
o Is the coverage of the Digital service contracts sufficient to ensure minimum down time for critical systems and time periods (fiscal closings, development schedules, and so on)?  Yes____ No____

A.5 Application Software Checklist

o Regarding operations involvement in life-cycle process for all mission-critical applications:
  - Is there active participation in a formal process to review application development proposals and projects to ensure that the application is making the best use of technical advances and automation to reduce data center staffing requirements?  Yes____ No____
  - Do you make sure, prior to online implementation, that new systems or modifications have been authorized by computer operations personnel and system management?  Yes____ No____
  - Is there a formalized review and approval process prior to publication and distribution of all computer operations and applications documentation?  Yes____ No____
  - Is operational support of third-party software consistent?  Yes____ No____
o Regarding the application acceptance process in partnership with developers and users and the procedures to monitor and control installation capacity:
  - Are there established performance criteria for each application?  Yes____ No____
  - Is there an ongoing process in place to evaluate current system utilization?  Yes____ No____
  - Are application development and enhancement projects reviewed for capacity impacts?  Yes____ No____
o Does a controlled test environment exist?  Yes____ No____
  Does formal testing take place before production use of system and application software?  Yes____ No____
o Are Digital software applications, as well as versions of VMS, tested before they are installed?  Yes____ No____
o Is there a formal process implemented for installing system and application software?  Yes____ No____

A.6 Digital Service and Support Checklist

o Regarding a service portfolio and delivery plan:
  - Is a formal process implemented for updating operating systems?  Yes____ No____
    Are upgrade notifications published?  Yes____ No____
  - Is there a current listing of all software applications being used?  Yes____ No____
  - Is there a current listing of all software, hardware, and services that Digital is chartered to support?  Yes____ No____
  - Are there on file appropriately signed, current, and published agreements and contracts supporting the portfolio?  Yes____ No____
  - Is there documented evidence that terms and conditions of the service agreements and contracts are reviewed on a periodic basis for compliance and that revisions are being identified and completed?  Yes____ No____
o Are production problems monitored and noted?  Yes____ No____
  Is corrective action taken?  Yes____ No____
o Is there a system management council or steering committee where data center personnel meet with Digital to assess activity and prioritize future requirements?  Yes____ No____

A.7 Compliance Summary

Table 1 provides a method for you to compile the results of the evaluation checklists. The table helps you compare the number of times that you answered Yes to the total number possible. By examining areas where you are deficient, you can define what traits are lacking from your computing system and plan a strategy for achieving a desirable level of dependability.

Table 1: Compliance Summary
_____________________________________________________________________
                                          Total Possible
Category                      Compliance  Yes Answers     % Compliant
_____________________________________________________________________
General planning                          15
Environmental management                  34
Data center organization                  12
Security                                  78
Application software                      11
Digital service and support               9
Total compliance                          159
_____________________________________________________________________