Certified Data Centers for financial entities in Colombia



For several years now, the Financial Superintendence in Colombia has been looking into implementing a legislation that requires all financial entities in Colombia to have both the principal and backup data center certified.  Although until now the initiative has yet to be implemented, it will most likely be consolidated this year or in 2018. Hence the importance of having the support and guidance of expert consulting companies, with which to evaluate existent physical infrastructure, the final requirements that are promulgated and the gap between them, to make the correct adjustments or changes needed, without overspending.

The Financial Superintendence of Colombia has been, since 2013, seeking to develop Project 028 of 2013 which refers to the minimum requirements for the processing of information in financial entities, including pension funds and different entities related to the operation of the stock exchange.[1] This project has undergone many modifications and delays, but it is important to mention that’s it’s still an important part of the normative agenda of the Financial Superintendence and will probably be consolidated between 2017 and 2018. [2]

Despite the fact that the Superintendence’s project has been postposed several times – mainly to allow Colombian financial institutions to have more time to prepare their computer centers facilities – it is inevitable that at some point the regulations will be implemented. As a result, financial institutions should begin to pave the way for and prepare for adjustments, in order to avoid last minute difficulties with evaluation projects, analysis of compliance with TIER, restructuring or readjustment and even with projects of construction of new computer centers, which can take between 18 and 24 months to materialize.

Taking the above into consideration, Ingenium has developed the “TIER Gap Analysis” and “Data Center Assessment” services to evaluate a data center with focus on availability. On one hand the “TIER Gap Analysis” service seeks to assist the client in the identification of mayor and minor inconformity´s in the topology design of the data center that prevent the achievement of the design certification under TIER standard of the Uptime Institute, in this particular case referring to the level III TIER; so that, to understand the gap in the current design or implementation – if applicable – in relation to the TIER standard and its objective level, it is possible to determine the viability of the required changes implemented in order to obtain the TIER III certification of design of your data center and the subsequent certification of Built Installation.

On the other hand, the “Data Center Assessment” service, with focus is availability seeks to assist the client in identifying current risks and vulnerabilities in the existing data center from the aspect of system availability and single points of failure, through the analysis and audit of the main subsystems of the data center, including power systems, architectural systems, air conditioning, telecommunications and special systems (CCTV, access control, fire detection and extinguishing and BMS).

Based on these services, the starting point is the identification of single points of failure that affect the availability of the computer room and, therefore, the incompliance of the concurrent maintenance criterion for the feasibility in obtaining the documentary certification TIER III of the Uptime Institute. Once this starting point is determined, it is possible to define what type of projects (for example: adaptation, restructuring or new project) are necessary to comply with TIER III guidelines of the Main Data Processing Center and the Alternate Data Processing Center, and later of the Disaster and Recovery plans and Business Continuity.

Therefore, it is important for all financial entities in Colombia to begin with evaluations of the TIER level of their main and alternate data centers as soon as possible, in order to identify all points of failure and develop projects that will help mitigation, so that they are properly prepared for the moment in which the regulation is finally implemented in the country.

By: Juan Carlos Londoño – Senior Consultant Colombia – INGENIUM
[email protected]



[1] For more information on the obligatory implementation of level III TIER in the Main Data Processing Center and the Alternate Data Processing Center, the minimum acceptable distance between these and the implementation of Disaster and Recovery Plans as well as the Business Continuity , see: Superintendencia Financiera de Colombia. (2014). Proyectos de normatividad 2013.

[2] See section 57: “Requerimientos mínimos para la administración de los Centros de Procesamiento de Datos (CPD), Centros Alternos de Procesamiento de Datos (CAPD), Centros de Servicio Compartido (CSC) y Continuidad del Negocio” in:  Superintendencia Financiera de Colombia. (2016). Agenda normativa 2016.