Facebook's backup generators at their data center in NC. Photo from http://www.datacenterknowledge.com/.

Environmental security audits are designed to ensure that data and information technology infrastructure are protected from environmental dangers that might cause harm to critical data or I.T. infrastructure. That includes protecting server racks from fire or overly humid conditions in a data center, or even maintaining backup generators for use in the event of a power outage.

Environmental security audits (a lot like physical security audits) are most common for data centers and co-location providers, but might be considered valuable to any company that stores its own data or performs a critical process on site. That may include hard copy data as well.

I discussed this example last week, but I think it is still relevant here: A few of my previous clients were in the industry of printing and bulk mailing customized mass mail (think bank statements or government notifications). Their print floor housed millions of envelopes full of social security numbers, telephone numbers, account numbers, and mailing addresses. It was basically a hard copy version of a large customer database. Even though they didn’t host their own digital data, various environmental security controls are still important to demonstrate their commitment to protecting customer data. Another interesting twist was that humidity had to be carefully controlled to prevent their giant rolls of paper from tearing during production. So environmental security played a role in security as well as quality.

Here are a few controls you might want to consider for your next environmental security audit:

1. The Company’s data center is protected with a dry pipe sprinkler system to prevent damage to the servers located in the data center in the case of fire.
2. Server racks are stored on raised flooring to protect hardware in the event of flooding caused by sprinkler activation.
3. The Company’s data center has multiple independent air conditioning (AC) units in a minimum N+1 configuration, and the units are monitored for significant temperature and humidity fluctuations through alarms sent to technical support staff.
4. On a semi-annual basis, AC units undergo scheduled maintenance.
5. Alarm notifications are identified by technical support when air conditioning, leak detection, and power issues occur. Incidents are followed up on and their resolution is documented.
6. Fire alarms detected in the data center trigger automatic fire department dispatch.
7. On a semi-annual basis, maintenance of the uninterruptible power supply (UPS) systems is completed and documented.
8. The Company maintains back-up generators to run the facility in the event of a power outage.
9. On a monthly basis, load testing for generators is completed and documented.
10. On an annual basis, maintenance of generators is completed and documented.
11. On a semi-annual basis, the leak detection system is tested to limit the risk from flooding to the servers located in the Company’s data center.
12. Each business day, facilities personnel perform a checkpoint walkthrough of the facility to inspect the deployed environmental systems for errors.
13. Maintenance contracts are in place for all significant electrical equipment (generators, power panels, and HVAC).

Let us know if we are missing anything.