7-4 Environmental Security

Environmental security controls must be implemented at the facility, room, and information resource level to protect servers, mainframes, and critical information resources as described below:

  1. Protection against lightning, wind, and building collapse must be implemented.
  2. Protection against water damage from water supply lines, sewer systems, and roof leaks must be implemented (e.g., plastic sheets are available and master shutoff valves are accessible, working properly, known to operations personnel, and automatic where feasible).
  3. Additional temperature and humidity safeguards must be implemented to monitor and maintain acceptable levels.
  4. Protection against flooding, earthquakes, or other natural disasters must be implemented (e.g., drains are installed below the computer room floor).
  5. Additional fire safeguards:
  6. Fire detection and suppression equipment (e.g., smoke and heat detectors, handheld fire extinguishers, fixed fire hoses, and sprinkler systems) must be implemented.
  7. Fire detection and suppression equipment must automatically notify the organization and emergency responders.
  8. Additional power (electricity) safeguards:
  9. A short-term alternate power supply must be implemented to ensure proper shutdown in the event of a power interruption.
  10. A long-term alternate power supply must be implemented to maintain minimal operational capability in the event of a power outage.
  11. Automatic emergency lighting systems must be implemented to illuminate emergency exits and evacuation routes in the event of a power outage or disruption.
  12. Surge protection must be implemented for all information resources.
  13. Redundant power feeds and redundant communications paths must be implemented for critical information technology sites.

For areas containing concentrated information resources, Facility Management may require the capability to shut off power to information resources that may be malfunctioning (e.g., due to an electrical fire) or threatened (e.g., due to potential flooding) without endangering personnel by requiring them to approach the equipment. See ASM 273, Facility Security, and Handbook RE-5, Building and Site Security Management, for the requirements for remote power shutoffs.