Performing an Environmental Security Audit

Facebook's backup generators at their data center in NC. Photo from


Environmental security audits are designed to ensure that data and information technology infrastructure are protected from environmental dangers that might harm them. That includes protecting server racks in a data center from fire or overly humid conditions, and even keeping backup generators available in the event of a power outage.

Environmental security audits (much like physical security audits) are most common for data centers and co-location providers, but may be valuable to any company that stores its own data or performs a critical process on site. That may include hard copy data as well.

I discussed this example last week, but I think it is still relevant here: A few of my previous clients were in the industry of printing and bulk mailing customized mass mail (think bank statements or government notifications). Their print floor housed millions of envelopes full of social security numbers, telephone numbers, account numbers, and mailing addresses. It was basically a hard copy version of a large customer database. Even though they didn’t host their own digital data – various environmental security controls are still important to demonstrate their commitment to protect customer data. Another interesting twist was that humidity had to be carefully controlled to prevent their giant rolls of paper from tearing during production. So environmental security played a role in security as well as quality.

Here are a few controls you might want to consider for your next environmental security audit:

1. The Company’s data center is protected with a dry pipe sprinkler system to prevent damage to the servers located in the data center in the case of fire.
2. Server racks are stored on raised flooring to protect hardware in the event of flooding caused by sprinkler activation.
3. The Company’s data center has multiple independent Air Conditioning (AC) units in a minimum N+1 format, and the units are monitored for significant temperature and humidity fluctuations through alarms sent to technical support staff.
4. On a semi-annual basis, AC units undergo scheduled maintenance.
5. Alarm notifications are identified by technical support when air conditioning, leak detection, and power issues occur. Incidents are followed up on and their resolution is documented.
6. Fire alarms detected in the data center trigger automatic fire department dispatch.
7. On a semi-annual basis, maintenance of the uninterruptible power supply (UPS) systems is completed and documented.
8. The Company maintains back-up generators to run the facility in the event of a power outage.
9. On a monthly basis, load testing for generators is completed and documented.
10. On an annual basis, maintenance of generators is completed and documented.
11. On a semi-annual basis, the leak detection system is tested to limit the risk from flooding to the servers located in the Company’s data center.
12. Facilities personnel perform a checkpoint walkthrough of the facility to inspect environmental systems deployed for errors each business day.
13. Maintenance contracts are in place for all significant electrical equipment (Generators, Power Panels, and HVAC).
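
One way to test the time-based controls above (4, 7, 9, 10 and 11) against maintenance evidence, as an added example that is not part of the original post. The control keys, the day tolerances and the evidence records are constructed for illustration, and the audit period boundaries are assumed to act as checkpoints.

```python
from datetime import date

# Longest allowed interval, in days, between documented occurrences.
# Frequencies come from the control list; the day counts are assumed tolerances.
CADENCE_DAYS = {
    "ac_maintenance": 183,         # control 4: semi-annual
    "ups_maintenance": 183,        # control 7: semi-annual
    "generator_load_test": 31,     # control 9: monthly
    "generator_maintenance": 366,  # control 10: annual
    "leak_detection_test": 183,    # control 11: semi-annual
}

# Constructed evidence: (control, date documented). The August load test, the
# second UPS maintenance and every leak detection test are deliberately missing.
SAMPLE_EVIDENCE = [
    ("ac_maintenance", date(2023, 3, 15)),
    ("ac_maintenance", date(2023, 9, 10)),
    ("ups_maintenance", date(2023, 2, 1)),
    ("generator_maintenance", date(2023, 6, 20)),
] + [("generator_load_test", date(2023, m, 5)) for m in range(1, 13) if m != 8]


def find_gaps(evidence, period_start, period_end):
    """Map each control to the stretches of the audit period that exceed its
    cadence without documented evidence, as (gap_start, gap_end, days)."""
    findings = {}
    for control, max_days in CADENCE_DAYS.items():
        done = sorted(d for c, d in evidence
                      if c == control and period_start <= d <= period_end)
        # Assumption: the period boundaries act as checkpoints, so a control
        # with no evidence at all yields one gap spanning the whole period.
        points = [period_start, *done, period_end]
        gaps = [(a, b, (b - a).days)
                for a, b in zip(points, points[1:])
                if (b - a).days > max_days]
        if gaps:
            findings[control] = gaps
    return findings


if __name__ == "__main__":
    results = find_gaps(SAMPLE_EVIDENCE, date(2023, 1, 1), date(2023, 12, 31))
    for control, gaps in results.items():
        for start, end, days in gaps:
            print(f"{control}: no evidence for {days} days ({start} to {end})")
```

Each reported gap is a period where the control cannot be shown to have operated, which is the exception an auditor would follow up on.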

Let us know if we are missing anything.

5 thoughts on “Performing an Environmental Security Audit”

  • Great list. I’ve got a few other items for consideration:

    Confirm contracts with local distributors of fuel for generators

    Monthly inspection and annual maintenance on fire suppression systems. This would include monitoring pressure in sprinkler systems and confirming existence and charge on portable fire extinguishers.

    Clearly marked and properly secured emergency power shut-off to the data center. Everyone needs to know where it is – but you also need to prevent accidental shutdown.

    You may also need to consider external environmental factors. I visited a data center that constructed a trench around the facility to minimize flooding and potential spills from a nearby rail yard. Another center installed bullet resistant glass because their facility was in an area prone to drive-by shootings. And my last company had a data center located in the Midwest with reinforced walls to stop debris from tornados. You could argue they made poor choices to locate their facilities, but they went with cheap or accessible property.

  • But wait, there’s more …

    Local + remote-sounding alarms with clear response procedures and regular exercises to train the responders (all shifts!)

    Care over rack loading, especially the heat load (may exceed the rated capacity, including the default rack power value used by the architects).*

    Interlocks between power and A/C units (so the fans shut down early to avoid fanning the flames & smoke).

    High sensitivity ‘aspirating’ smoke detectors in racks, and professional guidance on types and locations of other detectors (difficult problem with high-flow A/C units – detectors need to be in all voids, carefully located to avoid dead spots).

    Physical access controls including card access, accompanied visitor procedures (inc deliveries and maintenance workers), CCTV, intruder alarms etc.

    Designated fire points with extinguishers etc. located right by the exit doors (so workers find their escape routes first and foremost, and only fight the fire from there if it is safe and if trained to do so properly).

    Dust controls (depending on local conditions) e.g. regular filter checks and changes in all fan units.

    I’m sure there are more … but it has been a while since my last installation audit!


    * By the way, the current demand from the data center is a key metric. Watch it climb steadily month-by-month as more and more kit is installed. Virtually all that power is supposed to be extracted by the A/C units. All that power needs to be supplied from the mains inlets (multiple), switchgear, UPS/genny, and room distribution. Plot the graphs and predict your capacity needs in good time to schedule upgrades.
