Operators and users of data centres should put in place individual risk management strategies to protect their critical assets and systems, according to recently issued guidance.
The UK’s Centre for the Protection of National Infrastructure (CPNI) and the National Cyber Security Centre issued detailed data centre security guidance for owners and users last month, with a core message that data security defences are highly likely to be breached at some point and that risk management strategies are therefore critical.
The guidance notes that data and data centres underpin almost all facets of modern life, making data centres attractive targets for attackers seeking to exploit physical and cyber weaknesses for financial gain or to disrupt critical services.
According to the guidance, a holistic approach to security which brings together the physical, personnel and cyber elements of data centres into a single strategy will help owners and users better withstand attacks. It said the risk management strategies of users and owners were interdependent.
The guidance proposes a risk management framework which helps organisations involved in data centre security to manage risk.
Assets should be identified and categorised in relation to how critical they are in supporting a business. Owners and users should identify threats, assess the risk of those threats happening and what the impact would be.
The framework suggests building a risk register to enable senior decision makers to make informed judgements on risk appetite and resource allocation, and developing a security strategy to mitigate risks.
The guidance advises that proportionate risk management measures be implemented and reviewed regularly, particularly when there is a change in the threat or operational environment.
Data centre operators need to prove resilience, and the guidance recommends that data owners ask operators how they have reduced their vulnerability to deliberate attacks, for example by diversifying power supply and having back-up options, and whether they use multiple storage locations to reduce the risk of a single point of failure.
For data owners, the guidance provides examples of different data centre options to help inform risk management strategies.
The guidance also identifies seven areas of risk which it says should be factored into an overarching risk management strategy. These are: cybersecurity; geographic and ownership security; data centres’ physical perimeter and buildings; the data hall; ‘meet-me’ room considerations; people security considerations; and supply chain considerations. It said all seven should be considered when drawing up a risk management strategy for both data centre operators and users.
The specific risk of ransomware attacks was recently highlighted in separate guidance issued by the UK’s data protection authority, the Information Commissioner’s Office (ICO). The ICO advised organisations to establish incident response, disaster recovery and business continuity plans to address that risk.