Computer systems require specific environmental conditions such as controlled temperature and humidity. Data centers are designed to provide this type of controlled environment. When auditing a data center, the auditor should verify that there is enough heating, ventilation, and air-conditioning capacity to service the data center even in the most extreme conditions.
Heating, ventilation, and air-conditioning systems are used to provide constant temperature and humidity levels within the data center. This is important because computer systems are damaged by extremes in either. High humidity levels can cause corrosion over time, and low humidity levels cause static electricity to occur.
Data center temperatures should range from 65 to 70°F. Temperatures above 85°F will damage computer equipment. Humidity levels should be between 45 and 55 percent. The auditor should review temperature and humidity logs to verify that each falls within acceptable ranges over a period of time. The auditor also should review the heating, ventilation, and air-conditioning design to verify that all areas of the data centers are covered appropriately. This information usually can be obtained from the facility manager during an interview.
Electronic equipment creates electronic emissions that, in theory, can be captured and disseminated to compromise the information that is being processed by the equipment. These are the same emissions that create crosstalk conditions in phone and network wires. The level of risk that electronic emissions creates is debatable, but nonetheless, many data centers provide electronic shielding to mitigate it as well as the risk of electronic interference from outside sources.
There was a program that the National Security Agency (NSA) initiated in the 1960s called the TEMPEST project that was created to study the feasibility of using electronic emissions to gain access to otherwise protected information. The TEMPEST project still continues today. Although information about it is scarce, see http://www.cryptome.sabotage.org/tempest-time.htm for additional information about project history.
The auditor should review any shielding strategies that the data center employs to protect against interference or unauthorized access through emissions. Also determine whether there are any nearby sources of electronic interference. The data center facility manager usually can provide this information during an interview.