Technology assets are protected from environmental threats
Physical and environmental threats, including power failures, temperature extremes, fire, flooding, and unauthorized physical access, can destroy or compromise technology assets just as thoroughly as a cyberattack. Data centers and server rooms that lack environmental controls and physical security are vulnerable to threats that no amount of software security can mitigate.
Implementation steps
1. Ensure physical security for systems processing sensitive data
Systems that process sensitive data should be in physically secured areas: locked server rooms with badge or key access, visitor logs, and surveillance. For cloud-hosted infrastructure, your cloud provider manages the physical security of data center facilities. For co-location or on-premises, verify that the facility meets your requirements.
2. Implement power protection and redundancy for critical systems
Critical on-premises systems should be protected by uninterruptible power supplies (UPS) sized to allow graceful shutdown during a power event, and a generator for extended outages if uptime requirements demand it. Verify that UPS units are tested regularly and batteries are replaced on schedule.
3. Configure environmental monitoring and alerting
For any on-premises infrastructure, deploy temperature and humidity sensors and configure alerts that fire when environmental conditions go outside acceptable ranges. Include fire suppression systems appropriate for electronics (not water-based) and verify they are tested on schedule. Alerts should arrive before environmental conditions become a crisis.
PagerDuty, Datadog
Evidence required
Physical security controls for data processing facilities
Evidence that systems processing sensitive data are housed in physically secured locations with access controls.
- Cloud provider data center security certifications (e.g., SOC 2 Type II covering physical security)
- Co-location facility physical security documentation
- On-premises server room access control records and badge access logs
Power and environmental control documentation
Evidence of power redundancy and environmental monitoring for critical on-premises infrastructure.
- UPS maintenance and test records
- Temperature monitoring system configuration and alert history
- Environmental controls section of the data center or server room policy
Related controls
Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
Technology Infrastructure Resilience
Physical access to assets is managed, monitored, and enforced commensurate with risk
Identity Management, Authentication, and Access Control
Networks and environments are protected from unauthorized logical access
Technology Infrastructure Resilience
Adequate resource capacity to ensure availability is maintained
Technology Infrastructure Resilience