EN 50600-2-5:2016

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Informacijska tehnologija - Naprave in infrastruktura podatkovnega centra - 2-5. del: Varnostni sistemiInformationstechnik - Einrichtungen und Infrastrukturen von Rechenzentren - Teil 2-5: SicherungssystemeTechnologie de l’information - Installation et infrastructures de centres de traitement de données - Partie 2-5: Systèmes de sécuritéInformation technology - Data centre facilities and infrastructures - Part 2-5: Security systems35.030Informacijska varnostIT SecurityICS:Ta slovenski standard je istoveten z:EN 50600-2-5:2016SIST EN 50600-2-5:2016en01-maj-2016SIST EN 50600-2-5:2016SLOVENSKI
STANDARD
EUROPEAN STANDARD NORME EUROPÉENNE EUROPÄISCHE NORM
EN 50600-2-5
March 2016 ICS 35.020; 35.110; 35.160
English Version
Information technology - Data centre facilities and infrastructures - Part 2-5: Security systems
Technologie de l'information - Installation et infrastructures de centres de traitement de données - Partie 2-5: Systèmes de sécurité
Informationstechnik - Einrichtungen und Infrastrukturen von Rechenzentren - Teil 2-5: Sicherungssysteme This European Standard was approved by CENELEC on 2016-01-25. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique Europäisches Komitee für Elektrotechnische Normung CEN-CENELEC Management Centre: Avenue Marnix 17,
B-1000 Brussels © 2016 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN 50600-2-5:2016 E SIST EN 50600-2-5:2016

Pressure relief: Additional information . 36 A.1 General . 36 A.2 Design considerations . 36 Bibliography . 38
Tables Table 1 — Examples of Protection Classes for data centre spaces . 12 Table 2 — Protection Classes against unauthorized access. 13 Table 3 — Protection Classes against internal fire events . 24 Table 4 — Protection Classes against internal environmental events . 29 Table 5 — Protection Classes against external environmental events . 31 Table 6 — Elements of systems for the prevention of unauthorized access . 33
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such patent rights. This document has been prepared under a mandate given to CENELEC by the European Commission and the European Free Trade Association. Regarding the various parts in the EN 50600 series, see the Introduction. SIST EN 50600-2-5:2016

Figure 1 — Schematic relationship between the EN 50600 standards EN 50600-2-X standards specify requirements and recommendations for particular facilities and infrastructures to support the relevant classification for “availability”, “physical security” and “energy efficiency enablement” selected from EN 50600-1. EN 50600-3-X documents specify requirements and recommendations for data centre operations, processes and management. This European Standard addresses the physical security of facilities and infrastructure within data centres together with the interfaces for monitoring the performance of those facilities and infrastructures in line EN 50600-3-1 (in accordance with the requirements of EN 50600-1). SIST EN 50600-2-5:2016

Figure 2 — Risk assessment concepts These four items are analyzed during the risk assessment process, to identify the baseline risk posed to the data centre. Management of the identified baseline risk employs appropriate technical, physical and procedural countermeasures or a combination thereof. Following the deployment of baseline countermeasures, further decisions shall be taken relating to the residual risk(s) as follows, driven by the acceptance of risk of the asset owner: 1) toleration - the remaining risk(s) are accepted and no additional countermeasures deployed; 2) treatment - additional measures are deployed to counter the remaining risk(s); 3) transferral - the risk(s) are transferred to another party, for example obtaining additional insurance cover the mitigate the risk(s); 4) termination - the activity posing the risk is terminated. 5.3 Designation of data centre spaces - Protection Classes Each of the data centre spaces, independent of the size or purpose of the data centre, is designated as being of a particular Protection Class. There is no concept of a data centre of a given Protection Class. SIST EN 50600-2-5:2016

This applies to premises entrance facilities which are within the control of the data centre. b
Access restrictions apply to pathways leading to areas of Protection Classes of a lower Protection Class. 6 Protection Class against unauthorized access 6.1 General This standard applies the four Protection Classes in relation to access to spaces accommodating the elements of the different facilities and infrastructures as detailed in Table 2 (in accordance with EN 50600-1). SIST EN 50600-2-5:2016

The Protection Classes feature increasing levels of access control. The areas of the data centre requiring the greatest physical protection against unauthorized access will be accommodated in spaces with the highest Protection Class. Further guidance can be found in the EN 60839-11 series. It should not be assumed that: a) all areas of a given Protection Class are accessible to persons having access to an area of that Protection Class; b) persons having access to an area of that Protection Class have access to all areas of a lower Protection Class. This clause defines the rules for implementing such Classes. The access to spaces and systems shall be limited to the inevitable necessary operative minimum. This applies to the aspects of spaces, time, personnel and knowledge. The implementation of physical security shall be effected according to the philosophy shown schematically in Figure 3, referred to as the “Onion Skin” or “Defence in Depth” approach/model.
Figure 3 — Protection Classes within the 4-layer physical protection model In order to be applicable to more general implementations of data centres, the simplistic model of Figure 3 may be visualized as series Protection Class islands as shown in Figure 4. SIST EN 50600-2-5:2016

Figure 4 — Protection Class islands Subclause 5.3 provides examples of the Protection Classes applied to data centre spaces but the technological solutions to the control of unauthorized access vary across the particular data centre spaces within a Protection Class. All elements of the border/barrier of an area with a given Protection Class shall have the same level of resistance to unauthorized access. Where the data centre infrastructures specified in EN 50600-2-1 to EN 50600-2-5 cross boundaries from one Protection Class to another they shall be provided with protection suitable to the highest Protection Class interconnected as shown in Figure 5. NOTE National or local regulations can prevent security measures being applied to pathways (e.g. maintenance holes, etc.) for infrastructures external to the premises.
Figure 5 — Interconnection between Protection Class islands Access control systems of a given Protection Class shall be managed from areas with the same or higher Protection Class. Pathways of the data centre infrastructures (e.g. power supply, environmental control and telecommunications cabling) shall be designed to prevent unauthorized passage between areas of different Protection Class. Data centres and their complementary functions of technical infrastructure shall be organized in areas which mirror the needs of security, safety and availability of the data centre which match the assumed risks and protection goals. SIST EN 50600-2-5:2016

Figure 6 — Example of Protection Classes applied to data centre premises without external barriers If the premises are provided with an external physical barrier that provides a demarcation of Protection Class 1 then, as shown in the example of Figure 7: 1) the number of penetrations of the boundary of Protection Class 1 for personnel and vehicular access shall be minimized; SIST EN 50600-2-5:2016

Figure 7 — Example of Protection Classes applied to data centre premises with external barriers In Figure 7, the buildings/structures shown may be dedicated to specific spaces serving the various data centre infrastructures e.g. generator space or transformer space. Each building/structure shall apply appropriate barriers to protect the relevant infrastructure element. In addition, the barriers may be required to provide visual and acoustic screening. As described above, roof-tops may be considered Protection Class 1 or 2, depending on the configuration of the premises containing the data centre. Any openings in roof-tops shall be protected in accordance with the Protection Class of the space immediately below the opening. In addition, any roof-top structures dedicated to specific spaces serving the various data centre infrastructures shall apply appropriate barriers to protect the relevant infrastructure element. Any access routes to the roof, for purposes of maintenance and repair of the roof, roof-top structures and, where relevant, to infrastructure elements, shall be within areas of Protection Class equal to or higher than that of the roof-top. The requirements for the barriers between areas of different Protection Class in relation to protection against unauthorized access are not based on their physical construction i.e. they may be fences, exterior or interior walls of buildings together with doors and other penetrations fitted with appropriate systems (see Clause 10). SIST EN 50600-2-5:2016
...