
How we once again passed the Cisco Gold Certification: features, a couple of tales and pitfalls
Ideally, the model looks like this: we need certification from the manufacturer to confirm our level of expertise, and it also gets us a discount from the vendor so that we can compete in tenders. The manufacturer certifies its partners, which above all gives customers confidence in the quality of work and the professionalism of the integrator. The certificate is issued once a year.

The key condition for passing the audit is having trained, certified specialists and completed specializations (architectures), as well as projects implemented on the vendor's technologies. With Cisco it works like this: to get Gold, you really have to move the market, and from this year the requirements have changed noticeably and become stricter.
In my experience, it is difficult to prepare for a Gold audit from scratch. Fortunately, we have been going through this since 2002, and on top of that we undergo audits for ISO, the German TÜV SÜD and other standards.

This time we were audited on infrastructure projects for a railway passenger carrier, large energy companies, a state corporation and others. The auditor occasionally shuddered nervously when we showed him the information security documents.

What you need to pass an audit
The hardest part is demonstrating services. This year we showed virtual desktops, virtual firewalls and virtual routers, plus disaster recovery of the data center as a service based on the Zerto solution (Zerto is authorized by Cisco). Each service has its own set of requirements: for the documents, for the description of the processes (how the service should be built) and for the equipment. You must have specialists certified on these solutions, at least four people per service.

The company must genuinely be ready to provide these services, which in practice means designing all the business processes in great detail. For example, you need written rules for escalating tickets in support and regulations for developing marketing materials for promotion. The processes are based on ITIL, so we need ITIL-trained specialists and compliance with its requirements. In short, there is a great deal of paperwork to enjoy.

Some of our processes had to be reworked to fit business requirements adopted in the West and included in the audit. For example, there is a requirement that standard and non-standard changes must be described, and for each process. This was originally done so that admins don't tinker with their hardware on their own. Because rolling new firmware onto a bank's switch, for example, is an adventure, and if something goes wrong, the bank will remember not admin Petrov but Cisco.

So the process includes an SLA: standard changes are described there and must be completed within 24 hours of the request. Standard changes are those that recur often: setting up a new user, changing a phone number, setting up call forwarding. Non-standard changes are things like changing the routing or the traffic flow pattern, anything that needs testing, or new functionality such as forwarding rules (for example, switching between Internet channels). Under the non-standard regulations you have to warn the other divisions, check that you will not bring down the customer's network, coordinate, draw up the papers and sign them, and only then act. Cisco wants to see that you thought it through and warned everyone. There is also a plan for rolling back to the previous version, together with the criteria for invoking that plan.

The auditor is also interested in reporting: for example, what the customer will see as a result of using the service, how many attacks are filtered and how much traffic is dropped. All of this must be prepared and shown.

Preparation and delivery
Preparation begins with obtaining the audit rules from the vendor's site. They list all current requirements in English. When an audit is scheduled, the auditor fixes the version of the rules against which it will be conducted (so that an update does not bring surprises). The rules for passing audits change constantly, but fairly smoothly.

Then we hold a kickoff meeting where we assign who is responsible for which items. This year there were no fewer than three engineering teams from different departments.

It all starts with pre-qualification: to set the audit date, you have to upload a pile of documents about people and projects. They review them, say "yes, you tentatively qualify," and set a date for the audit.

Then we meet once a week and see who has done what. Those responsible for particular items report what they did, how, what problems came up and how to solve them. As the audit date approaches the meetings become more frequent and dry runs appear, rehearsals of the solution demonstrations, essentially beta tests. It also happens that a single word is added to some paragraph of the audit description and radically changes its meaning. You think you have done it ten times already, and then in the new year: no, not like that, the requirements are much higher. To simplify, the phrase "in real time" may be added to a paragraph, and that's it, you have to redesign the infrastructure.

In the last two weeks before the audit, nobody sleeps. It seems that preparation started 3-4 months in advance and everything was done on schedule, and still, every time, surprises come up.

The guru comes to the audit in person. Everything is conducted in English. As practice shows, the auditors themselves have also levelled up over the years and understand where and how to dig. Moreover, having travelled to other companies around the world, they use that as additional knowledge and ask about features they have seen elsewhere.

For example, this year a Tier III data center was put into operation (we now hold all three Uptime certificates), and a lot of documentation from there, especially on processes and personnel, was reused in the Cisco audit. ISO, the Germans and other regulations all help a lot too: a great deal is already described, and it only remains to adapt our processes to fit. Incidentally, the audit spurs the company to bring its processes up to the best international standards. The idea of forging documentation and showing on paper what does not exist in reality might of course creep in, but that is almost as hard as actually implementing the processes.

This year the auditor walked around the office, visited our network operations center (the Russian-speaking technical support), talked to people and made sure everything really was in place. The day before his arrival we gave the room a thorough cleaning and made posters describing certain firmware holes in a satirical manner. A support engineer came in, got scared and thought he had walked into the wrong room.

The audit is scheduled for two days. This year we showed the main part on the first day and left minor formalities for the second, in fact just one section with statements. This time our auditor was from the financial sphere, but as it turned out he had been an admin in his youth, so he was well versed in engineering as well. The head office even runs special technical training for them, so the auditors come to us more than prepared.

They came up with a scenario: a large retailer comes to us with a whole portfolio of problems: security, service stability, turnover of certified personnel, remote offices that are unreachable, where you can't get information by phone and can't get there except by all-terrain vehicle; in short, as close to real life as possible, tailored to the needs of the order. And we describe in colour how we solve one problem after another, implement business communications, take everything on as outsourcing and technical support. In general, a radical problem gets a radical solution. And we did have a similar case, though not on their technology. The vendor, and then the auditor, look, listen, and then shake their heads: "Oh, you don't have a business living with an IT infrastructure from the 90s, this is some kind of game. You are too complex."
Lucky them in the West, where such things don't happen. We didn't tell them how someone in Siberia had recently set up outgoing channels with phones taped to mops, because otherwise there was no signal to the base station.

It also matters that over the years the auditors start to understand Russian. When some unexpected hiccup comes up, we speak Russian among ourselves, and they catch on. They already know what the sections in the documents are called in Russian too. Our auditor constantly wrote down new words himself. He has a program where he must tick off each item from the requirements, whether it was covered or not. So, root cause had to be shown in one of the sections; we show it and he nods:
"Yes, yes, I know: Kornavaya pychyn."

For some reason, in the documents on service catalog management he was alarmed by the word "liquidation" (where old services are removed from the catalog according to certain criteria), saying that he associates this word only with hitmen.

Links
Source: https://habr.com/ru/post/302238/
