S 2.317 Criteria for the procurement of servers
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Purchaser
The procurement of a server covers both the hardware and the software the server is to consist of. Errors made when procuring a server can have severe consequences for the secure operation of the network, because the intended level of security is difficult to attain once inappropriate hardware or software has been installed.
Therefore, before a server is procured, a requirements list must be drawn up that can be used to evaluate the products available on the market. Based on this evaluation, a well-founded decision can then be made on which components to purchase, ensuring that the server will meet the requirements during actual operation.
Even purely functional server features may affect information security. This mostly refers to the basic value of availability, for example if a server does not achieve the required response times or throughput rates due to insufficient memory capacity. Furthermore, the support provided by the manufacturer plays a role that must not be underestimated, for example when it comes to promptly providing patches for security gaps.
The primary requirements for servers from the perspective of information security include:
- Hardware and software must be designed in such a way that the requirements regarding availability and integrity of the data can be met.
- Administration using secure protocols must be possible.
- User administration must allow for appropriate implementation of the organisation-wide role concept.
- It must be possible to encrypt particularly sensitive data, if required.
The following lists some requirements to be considered when procuring servers:
- Basic functional requirements
  - Does the device support all required hardware interfaces?
  - Does the software support all required protocols and data formats?
- Security
  - Does the system support secure protocols for administration?
    - If servers are not administered via a separate administration network, administration by means of secure network protocols must be possible.
- Maintainability
  - Does the manufacturer offer regular updates and promptly available security patches for the software?
    - It is particularly important that the manufacturer reacts quickly to security deficits that become known.
  - Is it possible to conclude maintenance contracts for the product?
    - Access to updates and support services from the manufacturer is often only possible in connection with a valid maintenance contract.
  - Can maximum response times for problem-solving be defined in the maintenance contract?
    - A maintenance contract is only appropriate if the specified demands on the devices' availability can be met with the guaranteed response times and the times needed to return the device to service.
  - Does the manufacturer offer a technical customer service (hotline) that is able to help immediately in case of problems?
    - This point should be part of the concluded maintenance contract. When concluding the contract, attention should be paid to the language of the available hotline.
- Reliability/failure safety
  - Is there reliable information on the reliability and failure safety of the hardware and software?
  - Does the manufacturer offer high-availability solutions, if required?
    - If the availability requirements cannot be covered by maintenance contracts, the system should support high-availability solutions.
- User-friendliness
  - Is the product simple to install, configure, administer and use?
    - In addition, training measures for the product should be offered.
- Cost
  - How much does the hardware and software cost to purchase?
  - How high are the expected ongoing costs of the hardware and software (maintenance, operation, support)?
    - These costs must also be taken into account in the procurement phase. The contents of the maintenance and support contracts should be checked (response times, hotline, qualification of staff, etc.).
  - How high are the expected ongoing costs for personnel?
  - Do additional software and hardware components need to be purchased?
    - This question should already be answered in the planning phase. For example, if a network management system is already in use, compatibility with the devices to be purchased should be checked. Moreover, the effort needed for integration into an existing infrastructure should be taken into consideration.
  - How high are the costs for training administrators?
  - What costs are to be expected if the hardware must be upgraded due to an increase in capacity requirements?
    - In this case, the costs could be considerably higher than the costs for the hardware itself, because in many licence models of software suppliers the licence price depends on the number of processors or the processor rate, so that a new program licence could become necessary at the same time as the hardware upgrade.
- Logging
  - Which logging possibilities exist?
    - The logging possibilities offered must at least meet the requirements specified in the security policy. The following points are particularly relevant:
      - Is it possible to configure the level of detail of logs?
      - Are all relevant data collected by logging?
      - Does the system support central logging (e.g. syslog)?
      - Can logging be performed in such a manner that the data privacy regulations can be satisfied?
      - Are alert functions supported?
- Infrastructure
  - Dimensions and compatibility with protective cabinets
    - When purchasing a server, the space it requires must also be taken into consideration. Can the device be installed in the provided protective cabinets (shape, weight, fastening elements)?
  - Power supply and waste heat
    - Information on power consumption and requirements regarding the ambient temperature should be made available by the manufacturer. Are the existing capacities of power supply and UPS sufficient? Is the existing cooling capacity sufficient to dissipate the device's waste heat?
The requirements and the selection decisions made on the basis of them should be documented in such a way that the basis of the decision can still be understood later.
Review questions:
- Is there a requirements list including all required features for procuring servers?