One’s first-ever IT audit likely included a review of data centre environmental controls.  I remember going to a cement factory to review the “computer room” controls early in my career.

There is sometimes not too much focus on these control measures as businesses are now “moving systems to cloud”.  Having said that, I have seen that most clients still have an extensive on-premise infrastructure.

Data centre related outages occur quite frequently, actual outages I have seen include:

  • The data centre (under a kitchen) flooding causing all electrics to fail.
  • An air conditioning system failing with consequent overheating, resulting in the destruction of hard drives in all computers in the data centre.
  • A veld fire outside the data centre destroying network cables, resulting in all systems becoming unavailable.
  • A fire suppression system breaking and destroying some of a data centre.

Probably the root cause of most of these incidents was a degree of neglect and some complacency.

Most audit programmes will require the auditor to check some of the basic data centre controls.  These include whether there are adequate physical security measures; that there is sufficient air conditioning; fire detection/suppression systems; and possibly water detection systems.

The following are suggested audit tests sometimes missing from audit programmes, which could add value to clients:

  • Firstly, to check that there is an ongoing maintenance programme of all server room equipment, covering air conditioners and other environmental management systems. This maintenance should be performed by qualified technicians with sufficient frequency.
  • Secondly to check that the temperature inside the computer room is constantly monitored, so if it goes over a certain level an alert is set off.
  • Thirdly to check the tidiness of the data centre. A messy data centre poses the risk of fires. It is also an indication of other potential issues.

One last suggestion for audit teams is to consider getting a data centre specialist to assist with the review every 3 years or so. I have found the fountain of knowledge of these people can add true value to audit clients.