In today’s ever-growing regulatory compliance landscape, companies and organizations are continually looking for alternatives to reduce expensive in-house IT hosting but continually run into the problem of meeting corporate governance and compliance requirements. What’s more, these companies are seeking to use services from companies like Canadian Web Hosting who can provide assurances that a strong control environment is in place, complete with data centre and physical security best practices.

The focus of this article is to take a deeper look at an equally important aspect of web hosting and that is looking at the facility that the servers are actually hosted in and outlining integral best practices that allow you to meet your governance needs and ensure that the servers are hosted in an environment that provides limited access and ensures physical protection. Because of this, Canadian Web Hosting’s best practices for physical and data centre security, which are tested by an independent CPA firm for SSAE16 (formerly SAS70) audit compliance, are implemented throughout all areas of a data centre, rather than being segmented to cover only specific areas and include both data centre facilities located in Vancouver, BC and Toronto, ON.

Why is it important to look for the SSAE16 auditing standard? Since 1992, SSAE 16 and SAS70 have been, and will continue to be, one of the most effective and well-recognized compliance audits for testing and reporting on controls in place at data centres.

Physical Security
So, how does physical security actually benefit the end user? Let’s take a deeper look at what types of best practices and physical security features each of our data centres has. It is important to note that these processes are the same regardless of location.

Built and Constructed for Ensuring Physical Protection
The exterior perimeter walls, doors, and windows are constructed of materials that provide Underwriters Laboratories Inc. (UL) rated ballistic protection.

Protection of the Physical Grounds
The data centre has physical elements in place that serve as a physical protection barrier that protect the facility from intruders.

Bullet Resistant Glass

Certain areas within the data centre, such as the lobby area and other entrance mechanisms, are protected by bullet proof or bullet resistant glass.

Security Systems and 24×7 Backup Power

The data centre’s security systems are functioning at all times, complete with uninterruptible power supply (UPS) for ensuring its continuous operation.

Cages, Cabinets and Vaults

The physical structures which house equipment must be properly installed with no loose or moving components, ultimately ensuring their overall strength and rigidity.

Man Trap
Each data centre has a man trap that allows for secure access to the data centre “floor”.

Electronic Access Control Systems (ACS)
Access to all entry points into and within the data centre are protected by electronic access control mechanisms which allow only authorized individuals to enter the facility. Included within the framework of electronic access control should also be biometric safeguards, such as palm readers, iris recognition, and fingerprint readers.

Provisioning Process

Any individual requesting access to the data centre are enrolled in a structured and documented provisioning process for ensuring the integrity of the person entering the facility.

Off-boarding Process
Any data centre personnel or clients utilizing the facility services must be immediately removed from systems that have allowed access to the facility itself. This includes all electronic access control mechanism along with removal of all systems, databases, Web portals, or any other type of sign-in mechanism that requires authentication and authorization activities.

All visitors must be properly identified with a current, valid form of identification and must be given a temporary facility badge allowing access to certain areas within the data centre. This process must also be documented in a ticketing system.

All exterior doors and sensitive areas within the facility must be hard wired with alarms.

Each Canadian data centre facility has a mixture of security cameras in place throughout all critical areas, both inside and out, of the data centre. This includes the following cameras: Fixed and pan, tilt, and zoom (PTZ) cameras.

“Threat Conditions Policy”

Each Canadian data centre location has a “threat conditions policy” in place whereby employees and customers are made aware of changes in the threat level.

Badge and Equipment Checks

Periodic checks are done on employees to verify badge access and equipment ownership.

Local Law Enforcement Agencies

Canadian Web Hosting Management has documented contact information for all local law enforcement officials in the case of an emergency.

Paper Shredding
A third-party contractor is utilized for shredding documents on-site, then removing them from the facility, all in a documented fashion, complete with sign-off each time shredding is done.

Data Centre Security Staff
These individuals must perform a host of duties on a daily basis, such as monitor intrusion security alarm systems; dispatch mobile security officers to emergencies; monitoring to prevent unauthorized access, such as tailgating; assist all individuals who have authorized access to enter the data centre; controlling access to the data centre by confirming identity; issue and retrieve access badges; respond to telephone and radio communications.

Additionally, they should also conduct the following activities:
Response and resolution to security alarms; assistance for cage lockouts and escorts; scheduled and unscheduled security inspections; enforcement of no food or drinks on the raised floor area; Enforcement of no unauthorized photography policy; fire and safety patrol inspections.

Physical Security Features
Specific to each location, Canadian Web Hosting also utilizes several additional security processes that enhance the above best practices. This includes, but is not limited to, the following:

• Access to sensitive areas within the data centre is controlled with an electromagnetic badge and/or biometric access system that is maintained, administered and controlled by physical security or operations personnel
• Visitors must be pre-scheduled seventy-two (72) hours in advance and present a valid photo ID or and be pre-authorized to gain admittance to data centre facilities
• To gain access to secured raised floor area, visitors (and documented employee) must sign in and be escorted by authorized data centre personnel
• Monitored through surveillance cameras, CCTV and regular patrols by security and operations personnel 24 hours per day, seven days per week
• Areas housing critical IT infrastructure are protected by a two-door access control system
• Management maintains documented security policies and procedures to guide employees’ activities for controlling and monitoring physical access to and within the facility
• Digital surveillance cameras monitor and record physical access to and within the facility
• Video backups of surveillance activity for a minimum of 30 days
• A dual challenged badge access system that requires an access card and personal identification number (PIN) is used to control access and movement within the facility. This system logs facility access and is available for review purposes.
• Biometric fingerprint scanning is used to control access to the data centre, telecom and power rooms
• Combination or key locks and biometric scanners must be used to access server/network equipment

If you’re looking for additional information on this topic, you may email us at, call us at 1-877-871-7888, or contact us through social media on Twitter at @cawebhosting or through our Facebook Page. You could also leave us a comment below.