Security and Standards
ac3’s data centres are highly secure. The ac3 security policy based is on ACSI 33, AS 4360 and AS/NZS 7799 standards. ac3's information governance accredited to the ISO 27001:2006 standard.
The standards based approach involves attention to all relevant aspects of physical and logical security. Physical provisions include access controls including the “escorted visitor” policy, the physical construction and layout of the facilities, video surveillance, 7x24x365 security patrols and environmental monitoring. Logical aspects of security include layered firewalls, enforced policy, e-mail screens and virus protection, LAN segmentation, access controls to all computers and storage and token-based strong authentication for user access.
All networked devices are constantly monitored and ac3 uses a purpose built network surveillance system to detect incidents and failures and alert operational staff.
Perimeter Security
ac3 has a secure gateway with multiple firewalls to protect both the packet and application levels against unauthorised access from the network. Customers can choose an appropriate security level to meet their business needs. The local area network is divided into trusted and untrusted domains, protected from one another by firewall services.
Secure Access
Users are encouraged to use secure protocols for communication with their facilities located at ac3. ac3 can advise customers on the best practice means and software available.
Security Audit and Security “hardening”
ac3 enforces a security audit and security “hardening” on any server placed in ac3’s data centres that uses shared services, such as Internet access or backup. This is done to ensure that an adequate level of security is in place for all customers.
Responsibility and Incident Reporting
The Security Manager is responsible for the security of the data centres. This responsibility cannot be delegated. The Security Manager, on approval from the CEO, reserves the right to suspend any customer service on detection of a security breach.
Any security breaches and alerts noticed by clients should be reported to the Security Manager as soon as practicable, but remedial and emergency actions may be taken by others in accordance with policy and operating procedures. Reporting of security breaches to the proper legal entities is encouraged by ac3; however such incidents are treated with respect to the customers appropriate security policy and business requirements.
Physical surveillance
The perimeter at the ATP data centre is guarded by 24x7x365 security patrols, who make frequent, but random, patrols. The Global Switch data centre has 24x7x365 security on site, with man traps for access past the lobby area. Video surveillance in the data centres allow the security service to monitor the data centres at all times.
Environmental Monitoring
Air temperature and humidity, power in and out of the UPS, status of fire detection systems, under-floor water detection etc are monitored continuously. Any alarms at the ATP data centre are sent automatically24x7 to rostered ac3 staff, as well as to the on-site security service. As a precautionary measure, automatic escalation is in place. In the case of the Global Switch data centre, environmental monitoring is handled by the Global Switch on-site staff.
Access to Data Centres
There is no general access to the data centres. ac3 has an “escorted visitor” policy, where visitors are accompanied by ac3 staff at all times. Requests to enter the data centres must be lodged with the Service Desk at least 48 hours in advance to ensure that resources are available. The usual rules apply to activities permitted in the machine room including NO food, drink, smoking, use of chemical solvents or other activities considered to possibly cause damage to either personnel or the computing resources. The escort present with any visitor is a technically competent person capable of judging the activities for their potential damage, and is not a security guard or a member of administrative staff.
ATP Data Centre: Entrance is by means of three locked doors — the main operational entry via the Operations area double key-padded air-lock, a double door for equipment delivery protected by security mesh and bollards, and a fire exit accessible from the inside only. To access the computer room one must have a Smartcard for the front door, the combination for the electronic lock on the air-lock and the combination to the mechanical combination lock on the computer room door.
Global Switch Data Centre: Regular visitors, such as ac3 staff, are provided with access cards. Before gaining access to the Global Switch lobby, visitors identify themselves through a security camera and intercom, and finally gain access to the lobby at the instigation of Global Switch Security. Visitors need a valid escort to proceed further, and are checked against an approved list for whom 24 hours notice has been provided. Visitors finally gain access to the main data centre, accompanied by their nominated escort, through a man trap. Access to particular areas in the Global Switch complex is via swipe cards.