It doesn’t matter whether you manage a Tier IV data center or never bothered officially going through formal certification, a good way to think about how to provide services revolves around infrastructure, software, people, procedures, and data. These are the components the American Institute of CPAs (AICPA) uses for certification. If you are SOC 2 certified, you are likely very familiar with this framework. But how do these components work differently in different scale data centers? Is it even feasible for a small data center to think in terms of these components? I argue that this framework can be a useful way to think about better managing your data center and its security no matter what size it is.