HVAC equipment for temperature and humidity controls

Status: Live

The organization will monitor, and maintain within acceptable levels, the temperature and humidity within facilities containing information systems. [UCF ID 00727]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – Operations, July 2004, Pg 18, Exam Tier I Obj 7.1, Exam Tier II Obj D.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-14; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-14; The Standard of Good Practice for Information Security, CI2.6.4(d); ISO 17799:2005 Code of Practice for Information Security Management, § 9.2.1; ISO/IEC 27002-2005 Code of practice for information security management, § 9.2.1; Archer Control Table, ATCS-155, ATCS-156, ATCS-157, ATCS-159, ATCS-773

Sarbanes Oxley Guidance

The organization should have measures implemented to protect against environmental risks. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]

Banking and Finance Guidance

[Exam Tier II Obj 1.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should have heating, ventilation, and air conditioning (HVAC) systems installed and operational in its computer rooms in accordance with the requirements for the installed computers. [Pg 18, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

For Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

NIST Guidance

The organization regularly maintains within acceptable levels, and monitors, the temperature and humidity within facilities containing information systems. [PE-14, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records, documents, and the facility should be examined to ensure that the temperature and humidity of the facility are continuously monitored and maintained, that the temperature and humidity controls function properly, and that specific responsibilities and actions are defined for the implementation of the temperature and humidity control. Any problems discovered during the implementation of the temperature and humidity control should be documented and used to improve the controls.
Interviews should be conducted with personnel who maintain the temperature and humidity controls to ensure they are configured and operating correctly.
[PE-14, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

The environment should be monitored for conditions that could adversely affect the equipment. [§ 9.2.1, ISO 17799:2005 Code of Practice for Information Security Management]

The environment should be monitored for conditions that could adversely affect the equipment. [§ 9.2.1, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

All rooms housing critical IT equipment should have temperature and humidity controls installed. [CI2.6.4(d), The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.