Reducing Risks for Data Centers
The Data Center Consolidation Initiative is focused on lowering the University’s overall technology risk by ensuring that its computing infrastructure and institutional data is secure. Through the Data Center Consolidation Initiative, IT Services is working with unit IT partners across campus to inventory, assess, and secure the systems that are managed as a part of unit operations. The collective term used for these systems and servers in University policies and standards is “information systems”. The Data Center Consolidation Initiative includes an assessment based on a series of interviews, a survey that collected self-reported data about compliance with new data center and information systems management standards based on NIST 800-53r4, and the implementation of InsightVM, a vulnerability scanning tool that identifies security issues. Upon completion of the assessment, a final report containing the major risks identified, a maturity score, and recommendations for improvement is delivered to each unit participating in the Data Center Consolidation Initiative. Later efforts will ensure that the hosting facilities housing these information systems are appropriately located.
The Information Systems and Managed End-User Device Standards and the Information Systems Physical Environment Standards can be reviewed on Box.
|System Role||System Management||In Inventory||In InsightVM/In Scope for Physical Standards|
|Administrative||Unit IT Staff||Yes||Yes|
|Research||Unit IT Staff + Researcher||Yes||Yes*|
*discuss exceptions to InsightVM scanning with IT Security by emailing email@example.com
What are the logical standards, and what do they mean?
As part of phase 1 of the Data Center IT Risk project, a set of logical standards were designed and vetted by ITLC. These standards were turned into a questionnaire, subsequently filled out by IT leadership on a per-unit basis. These standards allow for a qualitative baseline for measuring IT risk in these areas. Paired with quantitative data from a vulnerability management tool, an accurate assessment of risk could be made.
What are the physical standards, and what do they mean?
The physical standards are the counterpart to data center logical standards as part of the broader IT Risk program’s Data Center project. They provide a consistent way to measure IT risk posed by environmental issues on campus and were based on NIST 800-53r4.
The Low controls form the baseline that all University of Chicago Computer Rooms must meet. Moderate and High controls are generally reserved for facilities that handle restricted data or that the University designates as suitable for systems and services with high availability requirements. Environments seeking to host restricted research data may also need to implement moderate or high controls per University guidance from applicable authorities.
What is the self-managed VM service, and why would I use it?
As part of the IT Risk program, IT Services infrastructure offerings were re-evaluated with feedback from IT partners. The current offerings include Managed VMs and co-location space in data centers. The need for an additional offering, self-managed VMs, was identified.
Self-managed VMs allow system administrators to design and manage every layer of their infrastructure to meet unique research and administrative needs at a reasonable monthly cost. A user pays for a computer processing, memory, and storage, and can build one or more machines of any OS. The service manages at scale the risks and burden of:
- Maintaining physical hardware
- Maintaining the data center environment for that hardware
- Managing and updating the software that runs the virtual machine
Now that I’ve gone through the risk assessment process, what’s next?
Divisions or units that have been assessed should implement vulnerability management for all new in-scope servers and technologies. Quarterly meetings will be scheduled to allow for follow-up, progress reporting on risk mitigations, and general question and answer purposes. Future assessments are not scheduled at this time, but requests for specific assessments or consultations are welcome! Email firstname.lastname@example.org for assistance or with questions.