Power Continuity | It Auditing: Using Controls to Protect Information Assets [IT AUDITING -OS N/D]

Computer systems require uninterrupted, clean power to operate. Data centers typically employ several different types of controls to maintain clean power. These controls include

Redundant power feeds that provide power from two or more power stations
Ground to earth to carry excess power away from systems during electrical faults
Power conditioning systems to convert potentially dirty power to clean power
Battery backup systems (UPSs) that provide immediate power, typically for short periods of time
Generators to provide sustained power during extended power losses

When performing data center audits, the auditor should verify that adequate power continuity controls are present and working properly.

9 Determine whether the data center has redundant power feeds.

Some data centers are built in locations where they can connect to more than one power station. When the power supplied by one feed is lost, the other often will remain live. As a result, redundant power feeds can be used to maintain utility power continuity.

How

This control is not always present, but it is worth exploring with the data center facility manager during interviews.

10 Verify that ground to earth exists to protect computer systems.

Ungrounded electrical power can cause computer equipment damage, fire, injury, or death. These perils affect information systems, personnel, and the facility itself. Today, buildings that do not have grounded electrical outlets most likely will be in violation of building code.

How

Unlike redundant power feeds, the ground-to-earth control always should be present. Ground to earth is a basic feature of all electrical installations. It consists of a green wire that connects all electrical outlets to a rod that is sunk into the ground. When short circuits or electrical faults occur, excess voltage is passed through the ground wire safely into the ground rather than short-circuiting electrical equipment. This control should be present in any facility less than 30 years old or so, but it is definitely worth verifying. Older buildings that have not had electrical systems upgraded may not have an electrical ground, however. Electrical ground normally is required in building codes. This information can be obtained by interviewing the data center facility manager or through observation.

11 Ensure that power is conditioned to prevent data loss.

Power spikes and sags damage computer systems and destroy information. Power conditioning systems mitigate this risk by buffering the spikes and sags.

How

Clean power can be represented as a wave pattern with symmetric peaks and valleys. Normal utility power has a wave pattern with peaks and valleys that are far from symmetric, causing momentary spikes and sags. These spikes and sags shorten the life of electronic components and sometimes cause system faults. Power conditioning systems smooth out the wave pattern to make it symmetric. Through interviews and observation, the auditor should verify that power is being conditioned by either a power conditioning system or a battery backup system.

12 Verify that battery backup systems are providing continuous power during momentary black-outs and brown-outs.

Power failures can cause data loss through abrupt system shutdowns. UPS battery systems mitigate this risk by providing 20 to 30 minutes of power as well as power conditioning during normal utility power conditions.

How

Battery backup systems or UPSs offer immediate power in the event of a power loss. They are typically designed to provide somewhere between 20 minutes and 1 hour of computer run time. Basically, they provide enough time for the generator to turn on and begin generating electricity. They also perform a power conditioning function because they logically sit in between utility power and computer center equipment. As a result, the batteries are actually powering the data center all the time. When utility power is live, the batteries are charged constantly. Conversely, when power is lost, they begin to drain. The auditor should interview the data center facility manager and observe UPS battery backup systems to verify that the data center UPS system is protecting all critical computer systems and affords adequate run times.

13 Ensure that generators protect against prolonged power loss and are in good working condition.

Mission-critical data centers, by their nature, cannot withstand any power loss. Since it is impractical to install enough batteries to power the data center for more than an hour or two, generators allow the data center to generate its own power in the event of a prolonged loss of utility power.

How

Generators come in two common varieties: diesel-powered and natural gas- or propane-powered. Each has its benefits and drawbacks.

Diesel generators are most common but have a finite amount of fuel stored in their tanks. Diesel fuel is also a biohazard. If it is spilled, there could be significant cleanup expenses. Also, if the generator is in close proximity to the data center, there is a danger of a spill that reaches into the data center itself, which would be disastrous. These risks can be mitigated though fuel service contracts and spill barriers, however.

Natural gas generators run cleaner and theoretically have an infinite supply of fuel as long as the gas lines are intact. There is no danger of spills, but there is an increased danger of fire. Natural gas generators are employed rarely, however, because of the expense.

Propane generators are also expensive but have a limited supply of fuel. Again, this can be mitigated with service contracts.

All types of generators require frequent maintenance and testing. As a result, the auditor should review both maintenance and test logs during a data center audit. Additionally, auditors should obtain the sustained and peak power loads from the facility manager and compare them with current power generation capacity. Generators should be able to produce at least double the sustained power load.