At regular intervals, TÜV, KPMG, and SAP itself test whether the technology and infrastructure are operating smoothly. An overview of the most important checks is provided below.

Continual checks

Databases and servers are routinely checked in real time to ensure that they operate properly.

Batteries for the emergency power supply must always be charged. Thus, the condition of batteries is continuously tested. If a battery’s maximum capacity decreases excessively, it is replaced.

Gas cylinders containing the INERGEN fire-extinguishing gas must sustain a specific level of pressure. An electronic pressure gauge on each gas cylinder transmits deviations from the standard value to the central gas distribution facility.

Monthly

The diesel engines are automatically started once per month to perform a full load test.

Every three months

An aspirating smoke detector (ASD) emits a preliminary alarm to the security department upon the slightest signs of fire or smoke. A second fire detector then emits a piercing alarm in the event of an emergency. An external company performs tests every three months using a smoke device to determine whether the ASD and fire detectors are still active.

Every six months

The diesel engines’ switch control panels are checked twice annually by an external company. The inspection ensures that, in a real power outage, the switchover will function and that power is supplied to the servers.

Every year

Doors, windows, and ventilation systems are inspected annually. The TÜV (an international safety certification organization) inspects all access points to the data center in accordance with ISO 27001 specifications. The door check verifies what types of door locks (toggle locks or dead bolt locks) are used and whether they comply with the ISO standard. In addition, doors may not be kept open for too long. During the TÜV inspection visit, the door is left open for one minute to see whether an alarm is triggered as per the standard.

KPMG goes one step further and inspects the data center’s “black box” according to the international ISAE 3402 (or SSAE 16) certification standard. In other words, it checks the video recordings made over the last 365 days that prove that doors were opened only for authorized individuals. Inspectors refer to this measure as a “door effectiveness” check.

Access authorization: Records from log files, card scanners, and duty rosters of the security service are checked by the TÜV once annually according to ISO 27001. Some of the items on the TÜV checklist include: how the security service organizes its 24-hour surveillance; how access cards are issued; and how the approval process is conducted.

For the “black building” test, a power outage is simulated once annually. The external power supply is cut off, so that the emergency power supply is actuated. This procedure ensures that the batteries can bridge the power failure as expected, the diesel motors start up automatically, and an extended supply of electricity is provided. This test is conducted and recorded by the data center operator. The reports are then submitted to the TÜV, which compares them to the ISO 27001 standards.

The assigned installation company regularly services the fire-extinguishing system and generates reports on, for example, the operability of sensors or any possible gas emissions. The reports are sent to the TÜV and KPMG. This annual inspection is part of the ISO 27001 and ISAE 3402 (or SSAE 16) certification process.

An external company inspects construction measures along with the engineering and architectural blueprints. This ensures that construction work on the data center does not damage a critical power cable due to improper or careless installation, for example. SAP submits the engineering and architectural blueprints to auditors once annually.

Fire protection: Ceilings, walls, and doors in the data center must provide 90 minutes of fire resistance, in line with the T90 and F90 fire-resistance classifications. The TÜV checks this capability using construction plans and an inspection of the premises, in accordance with the ISO 27001 specifications.

Air-conditioning system/temperature: As part of the annual inspection, the TÜV reviews the maintenance records of the electronic systems and room temperature reports in accordance with ISO 27001.
