Skip to content

Page219

Operation of Hardware

Operation of hardware involves day-to-day operational issues such as redundant power, maintaining proper warranties, and support contracts.

Redundant Power

Critical equipment such as routers and firewalls should be equipped with redundant power supplies. Each power supply should be connected to different electrical outlets that are also on different electrical circuits. Surge protectors and UPSs should be used, and generator backup should be available for critical devices. We will discuss surge protectors, UPSs, and generators in Chapter 8, Domain 7: Security Operations.

Warranty and Support

All critical devices should be covered under active vendor warranty and have proper support contracts. Support contracts are often priced based on response time and other variables (faster response costs more than slower). Cisco SmartNet offers various levels of coverage:

  • 24 × 7 × 2: 2-hour response, 24 hours a day, 7 days per week, including holidays
  • 24 × 7 × 4: 4-hour response, 24 hours a day, 7 days a week, including holidays
  • 8 × 5 × 4: 4-hour response, local business hours based on depot time, 5 days a week, no holidays
  • 8 × 7 × Next Calendar Day: Next-calendar-day delivery, local business hours based on depot time, 7 days a week, including holidays
  • 8 × 5 × Next Business Day: Next-business-day delivery, local business hours based on depot time, 5 days a week, no holidays[17]

Note that Cisco SmartNet itself is not testable; the example above was used because these types of tiered levels are common throughout the industry. There is no “right answer” for which level of support to choose: the desired response time may be determined after a thorough risk assessment. Business Continuity Planning metrics such as Maximum Allowable Downtime (MAD, discussed in Chapter 8, Domain 7: Security Operations) can help determine which support level to purchase. Critical devices should be retired before reaching End-of-Support (EoS, as discussed in Chapter 3, Domain 2: Asset Security). Note that organizations may choose to self-insure for less critical devices including commodity PCs, but a thorough risk assessment must be conducted before self-insuring.