About DCSA

Contents

Why we created the DCSA…
Version 3.0 – What’s new?
Single Site and Interconnected Site – two audits?
How we communicate the results…
How many stars do I actually need?
Target Group and Focus
Our Service Packages
   A. Preparatory Workshop
   B1. Initial Audit – Single Site
   B2. Initial Audit – Interconnected Site
   C1. Follow-Up Audit – Single Site
   C2. Follow-Up Audit – Interconnected Site
   D. Revision Audit
Schedule
Assessment Criteria
   A. Single Site
   B. Interconnected Site
   C. Approved Energy Efficient Datacenter

Why we created the DCSA…

The goal of eco is to support the commercial use of the Internet.

Without specialist knowledge, individuals and companies who want to take advantage of data center services are often unable to objectively assess the performance, the facilities, or the organizational and technical measures provided by the operator of the data center in question.

As a result, there is often uncertainty about what data center, providing which services, should be chosen for the planned or already operating business model.

The goal of the project “eco Datacenter Star Audit” (DCSA) is therefore to avoid these uncertainties through the auditing of data centers. The audit provides the data canter with an assessment based on a pre-determined and published set of criteria.

The quality of service of the data center can then be determined from the results of the audit.

[top]

 
Version 3.0 – What’s new?

The eco Datacenter Star Audit Version 3.0 is a completely new audit, revised in 2013, which replaces the previous Version 2.0.

As a result of the complete revision of the audit, the results obtained in this certification are not comparable to those from older versions.

In the eco DCSA Version 3.0, data centers are assessed by at least two independent auditors according to predetermined criteria and assessment matrixes. The focus of the audit remains on the areas availability and security in data centers.

The assessment incorporates three different constituents:

  1. The Redundancy Concept
     
  2. The points achieved in each of the four categories of the questionnaire:
    • Organizational Security
    • Structural Building Security
    • Supply Security
    • Technical Security
  3. Presentation of the required documentation

The results of the certification are reflected in a star rating. The number of stars awarded indicates what infrastructure and which measures are provided by the operator concerned, with regard to the availability and security of the operator’s data centers.

[top]

 
Single Site and Interconnected Site – two audits?

In Version 3.0, two separate audita are offered:

  • Single Site – an individual data center is audited, and a certification of between 3 and 5 stars can be awarded.
     
  • Interconnected Site – two (or more) connected data centers from one operator are audited. The variant Interconnected Site has as prerequisite a Single-Site assessment for each data center. A result of 4 or 5 stars can be awarded. The audit can be extended to include further data centers from the given operator.

[top]

 
How we communicate the results…

What do hotels have in common with data centers? – They are both classified with three, four or five stars, and this symbol characterizes not only what they offer, but also their target group.

When choosing a hotel, a potential guest often weighs up whether or not they are likely to make use of the services offered. For an overnight stay on a business trip, a 3-star hotel might be enough, but for a holiday, the traveler would probably prefer the comfort of a 4 or 5-star resort.

With the classification of data centers, we decided on “stars” as symbols, in order to provide the potential customers of a data center with an easily understandable tool for orientation.

In the Version 3.0, the classification of a data center incorporates several constituents.

The smallest common denominator from all the constituents and categories determines the overall result. The results in individual categories are also listed on the Audit Certificate, alongside the overall classification. As a result, the service offered is discernible at a glance, with regard to availability and security.

If particularly energy-efficient systems, strategies and measures are used in a data center, a so-called “green” star (Approved Energy Efficient Data Center) can be awarded by the auditors. This can be found on the bottom left of the Audit Certificate.

[top]

 
How many stars do I actually need?

What level of certification a data center operator should aim at, and how many stars a potential customer requires, can not always be clearly determined.

Here are a few considerations to bear in mind:

  • A data center certified with 3 stars already offers adequate security and availability. A first point of failure is covered, and in the event of power failure, there is an emergency power supply available. A back-up solution in another data canter is advisable. It makes sense to take all of the results in the individual categories into consideration when making a decision.
     
  • If a data center has been awarded 4 stars, this means that maintenance of essential components is possible during operation, and a high level is guaranteed in the security categories. These data centers are, as a result of their structure, very complex and require an experienced and well-rehearsed team. A back-up strategy is in any case necessary.
     
  • 5-stars demonstrates redundancy of all components, which means a large investment. In these data centers, a second point of failure is also covered, so that very high security and availability can be contractually agreed upon.
     
  • With the Interconnected Site Audit it is possible for two individual 3-star data centers (under specific conditions) to, in combination, receive a 5-star Interconnected Site rating – an ideal condition for a Two-Location Strategy.

[top]

 
Target Group and Focus

The eco DCSA is suitable for any company which operates data centers. The size of the IT area is not relevant, but rather that the minimum requirements for technical components (Redundancy Concept) and security are fulfilled.

The Audit is now also appropriate for operators who are renting the space to be audited from a Colocation provider.

What benefits does the eco DCSA offer you as a data center operator or a user of colocation space?

  • Prompt performance of audit, at a reasonable price
  • Quality assurance and increase in reliability and trust
  • Cost reductions in the initiation of business contact
  • Demonstration of potential
  • Improvement of the company internal understanding of security and quality
  • Positive addition to marketing mix
  • Efficient audit procedure, through questionnaire and inspection of location
  • Marketing support through eco (e.g. publishing on the eco website, in the eco newsletter, press releases and user reports)
  • A Two-Location Strategy can now be looked at through the Interconnected Site Audit
  • Reduction of time and effort for subsequent certifications
  • Recognition of the module “Datacenter Infrastructure” for the SaaS Star Audit from the EuroCloud Association

And what advantages do your data center customers gain?

  • Cost-effective tendering and screening process of data centers possible
  • Market transparency through star-rating
  • Assessment symbol - star - is familiar
  • Easier matching of requirements to services offered
  • Ability to assess the currently-used data center and compare with others
  • Objective proof of quality, security and availability through independent association structure and auditors
  • Regular quality control and continual further development of the DCSA
  • Basis for financial auditors, banks, insurance companies, etc.
  • Energy efficient data centers awarded special rating

[top]

Our Service Packages

For the Datacenter Star Audit (DCSA), the following standard packages are offered:

Package Single Site Interconnected Site  
A. Preparatory Workshop x x  
B. Initial Audit x x  
C. Follow-up Audit x x  
D. Revision Audit x x  

Further services can be individually agreed upon.

 
A. Preparatory Workshop

The Preparatory Workshop includes the following services:

  • Preliminary telephone interview with an auditor
  • A 1-day workshop with an auditor at the customer site
  • In this workshop the principal service requirements will be discussed, on the basis of the DCSA Request for Information (RfI). We recommend an inspection of the data center as part of this workshop.
  • Generation of a report of the workshop
  • Telephone negotiation and agreement between data center operator and auditor

[top]

 
B1. Initial Audit – Single Site

If only one data center is to be audited, then this service package should be chosen. This service package is for first-time DCSA Audits, as well as for data centers whose DCSA License Renewal is more than 3 months overdue.

A DCSA License is valid for 24 months from the date of audit. The date of audit is the day on which the audit result and the classification is announced to the data center operator.

The service package includes the following services:

  • Preliminary telephone interview with an auditor
  • Telephone support from an auditor for the completion of the Request for Information – Single Site
  • Telephone agreement about Marketing measures for/after the announcement of the result
  • Inspection of the site by 2 independent auditors – the auditors will audit the data center based on the completed Request for Information of the DCSA Single Site. As well as the provision of all necessary documentation and the presence of expert staff, an inspection of the data center, including all technical rooms, is an essential requirement. The auditors can be expected to be on location for 6-8 hours.
  • Audit Report (internal assessment for the contractor, and summary) – The auditors write the Audit Report on the basis of the audit results.
    The internal assessment for the contractor includes details and confidential company-internal information and, if necessary, recommendations for improvements in the security.
    The summary is designed so that the data center operator can supply copies to third parties. On request, the summary can be written in German or English.
  • On-site debriefing with an auditor
  • Presentation of the DCSA Certificate and Placard (press conference), and the start of the agreed Marketing measures

[top]

 
B2. Initial Audit – Interconnected Site

An Interconnected Site Audit encompasses the following steps

  • DCSA Single Site audit for two (or more) of the customer's data centers
  • Additional DCSA Audit - Interconnected Site for these data centers

This service package can also be applied to more than two data centers. This service package is for first-time DCSA Audits, as well as for Datacenters whose DCSA License Renewal is more than 3 months overdue.

A DCSA License is valid for 24 months from the date of audit. The date of audit is the day on which the audit result and the classification is announced to the Datacenter operator.

The service package includes the following services:

  • Preliminary telephone interview with an auditor
  • Telephone support from an auditor for the completion of the Request for Informations - Single Site for both data centers as well as the additional Request for Information Interconnected Site.
  • Telephone agreement about Marketing measures for/after the announcement of the result
  • Inspection of the site by two independent auditors
  • Based on the completed Request for Information of the DCSA, the auditors will audit the data centers individually (Single Site) as well as in combination (Interconnected Site).
    As well as the provision of all necessary documentation and the presence of expert staff, an inspection of the data center, including all technical rooms, is an essential requirement. The auditors can be expected to be on location for 2 days.
  • Audit Report (internal assessment for the contractor, and summary) – The auditors write the Audit Report on the basis of the audit results.
    An assessment is written of each data center (Single Site) as well as a further one from the perspective of the Interconnected Site audit.
    The assessments include details and confidential company-internal information and, if necessary, recommendations for improvements in the security.
    The summaries (one for each data center, and also one for the Interconnected Site) are designed so that the company can supply copies to third parties. On request, the summary can be written in German or English.
  • Debriefing on-site with an auditor
  • Presentation of the DCSA Certificate and Placard, and the start of the agreed Marketing measures

[top]

 
C1. Follow-Up Audit – Single Site

The DCSA-License is issued for 24 months. During this time and up to three months after the end of the time, a Follow-up Audit can be applied for. The services correspond to the Initial Audit - Single Site.

[top]

 
C2. Follow-Up Audit – Interconnected Site

The DCSA-License is issued for 24 months. During this time and up to three months after the end of the time, a Follow-up Audit can be applied for. The services correspond to the Initial Audit - Interconnected Site.

[top]

 
D. Revision Audit

The operator has the right to apply for a Revision Audit, with the purpose of improving the original audit result. This needs to be conducted within six months of the notification of the original audit result and rating.

The application for a Revision Audit is to be made to eco in writing within four weeks of the presentation of the audit report. The auditors will then produce a report which highlights the measures which would contribute to a higher star rating.

Those measures which are identified as obligatory must be fulfilled; the measures identified as optional precautions contribute to both an increase in the necessary points and an improvement in security.

The Revision Audit must be carried out within six months of the presentation of the audit report. The Revision Audit has no effect on the length of validity of the original audit. The Revision Audit can be undertaken several times in sequence.

In the case of an improvement in the audit result, the DCSA License will be awarded only after the Revision Audit.

The service package includes the following services:

  • Telephone agreement with an auditor
  • Inspection of the site by 2 independent auditors
  • Based on the revised Request for Information of the DCSA and the measures conducted from the Audit Report, the auditors will re-audit the Datacenter. The auditors can be expected to be on location for 4-6 hours.
  • Revision of the Audit Report – (internal assessment for the contractor, and summary)
  • Telephone debriefing with an auditor
  • Presentation of the DCSA Certificate and Placard, and the start of the agreed Marketing measures

[top]

 
Schedule

The duration of a DCSA audit and certification is predominantly influenced by the length of time the contractor needs for completing the Request for Information questionnaire. We recommend fixing the dates in good time – in particular the on-site appointments for the auditors.

The following plan serves as a rough guide for both Single Site and Interconnected Site:

Audit Step Customer Auditor Weeks
1 2 3 4 5 6 7
Commissioning x                
Completion of Questionnaire (RfI) x                
Return of Questionnaire x                
Auditors On-Site   x              
Generation of Audit Report   x              
Presentation of Results x x              

[top]

 
 
Assessment Criteria

 
A. Single Site

In the eco DCSA, data centers are assessed by at least two independent auditors according to predetermined criteria and assessment matrixes. The Request for Information (RfI) – Single Site, filled out by the contractor, forms the basis of the audit, along with the documentation made available, the inspection of the data centers and the information provided by the operator on-site.

The number of stars awarded to a data center is the result of three different constituents:

  1. The Redundancy Concept
     
  2. The points achieved in the questionnaire (RfI) in each of the four categories:

    • Organizational Security
    • Structural Building Security
    • Supply Security
    • Technical Security
  3. Presentation of the required documentation

The constituent or the category with the lowest star rating defines the overall rating. As a result, the results and star ratings in individual categories are also presented on the certificate, and should be taken into consideration in the overall view.

1. Redundancy Examples

Redundancy Concept

Continuous redundant power supply lines to the racks
Redundant installation of components for:

  • Power supply
  • Climate control
  • Data network
2. Four categories of the questionnaire Examples
Organizational Security Processes:

  • Capacity Management
  • Risk Management
  • Availability Management
  • Security Management
  • Service Level Management
  • Operational and Emergency Management

Personnel:

  • Employment times / hours of operation
  • Main duties
  • Number and qualifications of staff
Structural Building Security Information on:

  • Geographical location / surroundings
  • Building construction / engineering
  • Building Security Concept
Supply Security More detailed information on:

  • Electricity supply
  • Climate control
  • Data network
Technical Security Information on:

  • Fire protection, alarms and extinguishing technology
  • Admittance system and supervision
  • Burglar alarm technology
  • Video surveillance technology
  • Danger Management System
3. Documentation Examples
 
  • Maintenance records
  • Operating manual
  • Concepts
  • Records of training
  • Checklists

The weighting of the four categories is given in the following table:

Category Weighting
% Points
1. Organizational Security 25 250
2. Structural Building Security 15 150
3. Supply Security 40 400
4. Technical Security
 
20 200
Total 100 1000

Each of these categories has diverse sub-categories, according to which the assessment criteria are arranged. 
Both the categories and the sub-categories are subject to a weighting scheme.

The requirements for the star ratings are:

Classification and Criteria
3 Stars
  • Every relevant or important component is installed to have at least parallel redundancy. (n+1)
  • In every case, the risk of a first point of failure is covered.
  • Minimum 70% of the possible points awarded in every category
  • All required documentation presented
4 Stars
  • Every major component (climate control, USP, etc.) must be able to undergo maintenance or be replaced without limiting the availability. Redundancy lies between n+1 and 2n
  • In every case, the risk of a first point of failure is covered.
  • Minimum 80% of the possible points awarded in every category
  • All required documentation presented
5 Stars
  • Every component (including valves, pipes, etc.) must be able to undergo maintenance or be replaced without limiting the availability. Redundancy lies between 2n and 2n+1
  • In every case, the risk of a second point of failure is covered.
  • Minimum 90% of the possible points awarded in every category
  • All required documentation presented

[top]

 
B. Interconnected Site

Prerequisites for the eco DCSA Interconnected Site Audit are the corresponding eco DCSA Single Site Audits for at least two data centers from one operator.

The results of the Single Site Audits are incorporated into the Interconnected Site Audit.

Supplementary information from the Request for Information – Interconnected Site is incorporated into the assessment given by at least two independent auditors from eco e.V.

In the Request for Information – Interconnected Site, the following constituents are to be dealt with:

Organizational Security Examples
  Information on:

  • Processes for Interconnected Sites
  • Customer involvement
  • Onsite Support
  • Distance
  • Personnel
Supply Security Examples
  More detailed information on:

  • Power supply
  • Data network

The criteria for the star rating are the result of an overall view which incorporates many further criteria.

An initial non-binding reference point is given in the following overview:

Classification and Criteria for a 4 Star Interconnected Site
Results from the Single Site Audit:
Organizational Security Minimum 90% from the complete category
Structural Building Security Minimum 70% from the complete category
Supply Security Minimum 70% in every sub-category
Technical Security Minimum 70% in every sub-category
Redundancy Concept Minimum n+1
 
Requirements from the Interconnected Site Audit:
Organizational Security Processes must be prepared and personnel must be trained for the interconnected situation
Structural Building Security Possible danger situations of the individual locations should be eliminated through the other data center
Supply Security Minimum redundant trunks connecting the sites
 
 
Classification and Criteria for a 5 Star Interconnected Site
Results from the Single Site Audit:
Organizational Security Minimum 90% in every sub-category
Structural Building Security Minimum 70% from the complete category
Supply Security Minimum 70% in the sub-categories Power Supply and Climate Control; and minimum 80% in the sub-category Data Network
Technical Security Minimum 80% in the sub-category “Superordinate Danger Management”; in the other sub-categories minimum 70%.
Redundancy Concept Minimum n+1
 
Requirements from the Interconnected Site Audit:
Organizational Security Processes must be prepared and personnel must be trained for the interconnected situation
Structural Building Security Possible danger situations of the individual locations should be eliminated through the other data center
Supply Security Minimum redundant trunks connecting the sites, connections through several carriers

[top]

 
C. Approved Energy Efficient Data Center

A supplementary star "Approved Energy Efficient Data Center" can be awarded by the auditors.

This special star - also called the “green” Star - is located separately on the certificate, and indicates that the company places particular importance on energy efficiency, has already implemented initial measures, has established this as a continuing task, and that the management actively supports this.

The essential criteria for this are:

  • Processes, methods, tools, measurements and further measures 
for the performance monitoring of areas and energy
  • The efficiency and technology of the installed hardware
  • Autonomous power during outages, temperature level and humidity
  • Measures to ensure air flow
  • Maintenance in accordance with manufacturer instructions and legal requirements

[top]