When auditing a data center facility, the first thing an auditor should do is evaluate the environment in which the data center resides. The goal is to identify high-risk threats. For example, the data center we are auditing may be in the flight path of a regional airport, a FEMA flood zone, or a high-crime area. These types of environmental characteristics will reveal otherwise latent threats. In our audit, we will be looking for controls that reduce the likelihood of one of these threats being realized. Some of the things we will be evaluating include:
Building orientation
Signage
Neighbors
Exterior lighting
Environmental hazards
The facility's proximity to emergency services
Data center facilities should provide a physically secure environment for personnel and information systems. A breach of physical security, whether through a bomb, a physical intrusion, or a weather-related event, would compromise information and personnel security.
As we approach the facility, we will notice how far the building is set back from the curb and whether or not there are barriers to prevent cars from getting too close to the building. As we proceed into the facility, we also will determine on which floor of the building the data center resides. These are important data center security characteristics. Specifically, we will look for controls such as building setback and physical barriers that reduce the risk of vehicle accidents or car bombs impacting the data center. I know, you're thinking, "Car bombs, vehicles crashing into buildings; is this really a risk?" The answer is yes. Prior to September 11, 2001, deliberately flying a plane into a skyscraper was considered an unthinkable scenario as well.
The floor on which the data center resides is important as well because below-ground and ground-level data centers are susceptible to flooding. Data centers on higher floors are more prone to lightning, wind, and tornado damage. The ideal is a single-story data center that is 5 ft or so above ground.
Signage
Data centers also should be anonymous, away from main thoroughfares, and inconspicuously marked, if marked at all. In fact, most data centers employ what we in the security industry call "security through obscurity." Maintaining relative anonymity will reduce the possibility of the facility becoming a target for espionage, theft, or sabotage.
Neighborhood
The next question is, "Who are the neighbors of the data center facility?" Is it located in a multitenant building, or is it a stand-alone structure? If there are neighbors in close proximity, what sort of business are they engaged in? A data center that is located next to a warehouse or manufacturing facility may have an increased risk of being affected by hazardous material spills or fires. The ideal is a stand-alone structure without any neighbors in close proximity.
Exterior Lighting
Another control that we will evaluate is exterior lighting. Proper lighting deters crime and loitering around the facility. Critical facilities should have exterior walls and parking lots illuminated uniformly at an intensity level that allows for viewing at a reasonable distance.
Environmental threats such as floods, severe weather, and transportation-related accidents can destroy or severely damage a data center. In the event of an emergency, rapid response from authorities is critical. Therefore, the proximity to fire stations, police stations, and hospitals is important.
Either before or after the on-site review is performed, the auditor should do some research to identify environmental hazards that may not be evident during the on-site visit. This research would entail either finding the following information in previous audit reports or compiling it from readily available sources:
Flood elevations
Weather and earth movement threats
Proximity to transportation-related hazards
Local crime rate
Proximity to industrial areas
Flood Elevations
According to FEMA, floods are one of the most common hazards in the United States. After the 2005 hurricane season, it is apparent that this assessment is based in fact. Finding flood-zone information on the Internet is relatively easy.
Note: The following Internet resources are available to assist auditors in evaluating flood risks:
http://www.esri.com/hazards/makemap.html
http://www.hazards.fema.gov/
http://www.msc.fema.gov/
Weather and Earth Movement Threats
Since different geographic zones are prone to different weather and earth movement hazards, it is also important for the auditor to understand which of these threats are prevalent in the geographic area in which the data center resides. For example, if the data center we are auditing is in Dallas, the threats would be tornadoes, flooding, and extreme heat, whereas in northern California the threat would be earthquakes. The goal here is to understand the weather- and earth-related characteristics of the area in which the data center we are auditing resides.
Note: Some excellent weather-related Internet resources include:
http://www.noaa.gov/
http://www.earthquake.usgs.gov/
http://www.hazards.fema.gov/
Proximity to Transportation-Related Hazards
Planes, trains, and automobiles represent another risk to data center operations. Specifically, we will research whether or not the data center we are auditing is in an airport flight path or if there is a rail line next to the data center facility. Though rare, planes do crash and trains do derail and therefore pose a risk to nearby facilities. As auditors, it is our responsibility to inform management about risks to business. It is management's responsibility to decide where to spend limited resources in an effort to mitigate risk. Maps and observation are good methods for identifying nearby transportation-related hazards.
Local Crime Rate
Obviously, if our data center is in a high-crime area, there is a higher risk of theft and other crimes. Therefore, another statistic we will research is the local crime rate. If the area in which the data center we are auditing resides has a high crime rate, we may recommend mitigating controls such as reinforced fences, an increased presence of security personnel, closed-circuit television (CCTV), and perimeter alarm systems.
Note: There are several excellent sources of online crime statistics. Below are a couple of the better websites:
http://www.ojp.usdoj.gov/bjs/dtdata.htm
http://www.cityrating.com/crimestatistics.asp
Proximity to Industrial Areas
Many data center facilities are situated in industrial zones near factories and warehouses. These areas generally have a higher crime rate and a higher risk of hazardous materials spills affecting data center operations. Therefore, if the data center is situated in an industrial area, the auditor should evaluate the risks inherent to the area.
Proximity to Emergency Services
When there is an emergency within a data center, each additional minute that it takes for authorities to respond can be very costly. Therefore, it is important to evaluate the distance to police stations, hospitals, and fire stations. This information can be obtained from the blue pages of the local phone book.