LRZ services: Continuing to be reliable and secure

Defined processes reliably secure IT services and information security at the LRZ. Photo: A.Podo/LRZ

Verifyable processes and reliable IT services: in 2019, the Leibniz Supercomputing Centre (LRZ) was for the first time certified in accordance with the ISO/IEC standards for IT service management (20000-1) and information security (27001). Now the data centre has completed its first official recertification – again with great success and praise from the auditors: "Overall, the integrated management system shows a high degree of readiness," the DEKRA auditors concluded, adding: "The continuous improvement of the information and security management system was again demonstrated in this audit cycle." Customers of the LRZ enjoy greater security thanks to the certification: they can rely on the fact that services for IT and technical support are carried out in a reliable way based on clearly defined processes and that the information processed and stored there is kept safe. It also means that in the event of technical problems or failures, appropriate countermeasures are taken and alerts are issued. "Standards provide orientation and help professionalise management processes," says Stefan Metzger, CISO at the LRZ and part of the team coordinating the work for the certification process. "Now all the work steps are documented, which is very helpful when it comes to training new colleagues. Above all, however, security and technical incidents are processed in a structured way so that IT services are back in operation as quickly as possible."

Certification means that work processes and results have to be assessed by external experts. This requires processes to be scrutinised, changed if necessary, and also optimized. Above all, however they have to be set down in writing, which poses a challenge for every organisation. In 2017, the preparatory work for the initial certification in 2019 began at the LRZ, after which the LRZ was audited every year: In this way, the auditors ensure that organisations continue to improve management and understand the requirements of recertification. "With the current recertification, we will no longer be treated with kid gloves; from now on, the auditors will take a closer look at how measures and processes are implemented just in everyday life," says Metzger. The auditors praised the communication among employees and between departments, as well as the efficient, comprehensible description of work steps. In addition, the auditors provided valuable suggestions on how the management system can be further improved. The LRZ has time to implement these until its next recertification audit in 2025.

The LRZ is the first scientific supercomputing centre to have its IT service management and information security certified. While the initial focus was on the operation of the supercomputing centre and on its IT and support services, its research departments have now also been included in the certification process and other departments will gradually follow as well. The LRZ is setting a precedent: more and more computer centres of universities and research institutions are realising the benefits of undergoing a certification audit – and they ask the LRZ for advice and practical help in terms of preparation and implementation.