UCF ID: 00727 |
Control Type: Process or Activity |
Status: Live |
Supporting and supported controls
This control directly supports:
- Establish and maintain adequate environmental controls and processes. [UCF Control ID 00724]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – Operations, July 2004, Pg 18, Exam Tier I Obj 7.1, Exam Tier II Obj D.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-14; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-14; The Standard of Good Practice for Information Security, CI2.6.4(d); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.2.1; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.2.1; DoD Instruction 8500.2 Information Assurance (IA) Implementation, PETC-1; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.12.3; PAS 77 IT Service Continuity Management. Code of Practice, 2006, Annex E.2.2; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(6)
Banking and Finance Guidance
[Exam Tier II Obj 1.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should have heating, ventilation, and air conditioning (HVAC) systems installed and operational in its computer rooms in accordance with the requirements for the installed computers. [Pg 18, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]
US Federal Security Guidance
For Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
Temperature controls are installed that provide an alarm of fluctuations potentially harmful to personnel or equipment operation. [PETC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
NIST Guidance
The organization must establish and maintain temperature and humidity control policies and procedures to regularly maintain the temperature and humidity within acceptable levels, and monitor the temperature and humidity within facilities containing information systems. [App F § PE-14, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records, documents, and the facility should be examined to ensure that the temperature and humidity of the facility are continuously monitored and maintained, that the controls function properly, and that specific responsibilities and actions are defined for the implementation of the temperature and humidity control. Any problems discovered during the implementation of the temperature and humidity control should be documented and used to improve the controls.
Interviews should be conducted with personnel who maintain the temperature and humidity controls to ensure they are configured and operating correctly. [PE-14, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
The environment should be monitored for conditions that could adversely affect the equipment. [§ 9.2.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
The environment should be monitored for conditions that could adversely affect the equipment. [§ 9.2.1, ISO/IEC 27002 Code of practice for information security management, 2005]
Service providers should ensure that humidity and temperature are measured in areas that house restricted facilities to verify the proper operation of the air-conditioning (A/C) systems; that measurements are taken at different times throughout the day; and that the A/C system is capable of maintaining the temperature and humidity in the room within the required limits and is designed to keep doing so during a breakdown or during maintenance of individual air-conditioning units. [§ 6.12.3, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
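The monitoring that PETC-1 (an alarm on fluctuations potentially harmful to equipment) and ISO/IEC 24762 § 6.12.3 (measurements at different times of day, kept within required limits) describe reduces to three checks over a sensor log: readings outside an allowed range, rapid change between nearby readings, and sample coverage across the day. The following is an added example of that logic, not code from UCF or from any cited standard; the limits, the window, the minimum number of distinct hours, and the sample readings are all assumed for illustration and should be replaced with the equipment vendor's requirements.

```python
"""Check a day's computer-room temperature/humidity log for compliance alarms.

Added illustrative example; all thresholds and readings are constructed,
not taken from any standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Reading:
    ts: datetime
    temp_c: float
    rh_pct: float


# Assumed operating limits (illustrative; use the vendor's figures in practice).
TEMP_RANGE = (18.0, 27.0)          # degrees C
RH_RANGE = (20.0, 80.0)            # percent relative humidity
MAX_TEMP_DELTA_C = 3.0             # largest change tolerated inside RATE_WINDOW
RATE_WINDOW = timedelta(minutes=15)
MIN_DISTINCT_HOURS = 4             # "measurements at different times of the day"


def check_readings(readings):
    """Return a list of alarm strings for one day's readings; [] means compliant."""
    alarms = []
    readings = sorted(readings, key=lambda r: r.ts)

    # 1. Absolute limits: any single reading outside the allowed range.
    for r in readings:
        if not TEMP_RANGE[0] <= r.temp_c <= TEMP_RANGE[1]:
            alarms.append(f"{r.ts:%H:%M} temperature {r.temp_c:.1f}C out of range")
        if not RH_RANGE[0] <= r.rh_pct <= RH_RANGE[1]:
            alarms.append(f"{r.ts:%H:%M} humidity {r.rh_pct:.0f}% out of range")

    # 2. Fluctuation: a large temperature move relative to any earlier reading
    #    inside the window, even if both readings are individually in range.
    for i, cur in enumerate(readings):
        for prev in readings[:i]:
            delta = cur.temp_c - prev.temp_c
            if cur.ts - prev.ts <= RATE_WINDOW and abs(delta) > MAX_TEMP_DELTA_C:
                alarms.append(
                    f"{cur.ts:%H:%M} temperature moved {delta:+.1f}C since {prev.ts:%H:%M}"
                )
                break  # one fluctuation alarm per reading is enough

    # 3. Coverage: the day must be sampled at several distinct times.
    hours = {r.ts.hour for r in readings}
    if len(hours) < MIN_DISTINCT_HOURS:
        alarms.append(f"only {len(hours)} distinct hour(s) sampled; need {MIN_DISTINCT_HOURS}")

    return alarms


# Constructed sample logs (not real measurements).
_BASE = datetime(2009, 6, 1)
SAMPLE_DAY = [
    Reading(_BASE + timedelta(hours=2), 21.0, 45.0),
    Reading(_BASE + timedelta(hours=8), 21.5, 46.0),
    Reading(_BASE + timedelta(hours=14), 22.0, 47.0),
    Reading(_BASE + timedelta(hours=14, minutes=10), 26.0, 47.0),  # +4C in 10 min: fluctuation
    Reading(_BASE + timedelta(hours=14, minutes=20), 28.5, 47.0),  # above TEMP_RANGE
    Reading(_BASE + timedelta(hours=20), 21.0, 12.0),              # below RH_RANGE
]
COMPLIANT_DAY = [
    Reading(_BASE + timedelta(hours=h), 21.0 + 0.25 * i, 45.0)
    for i, h in enumerate((0, 6, 12, 18))
]

if __name__ == "__main__":
    for label, day in (("sample", SAMPLE_DAY), ("compliant", COMPLIANT_DAY)):
        print(f"{label}: {check_readings(day) or 'no alarms'}")
```

Note that the 14:10 reading is inside the absolute limits yet still raises an alarm, which is the point of the PETC-1 wording: a cooling failure shows up as a rate of change before it shows up as an out-of-range value, and an assessor following SP 800-53A PE-14 will want to see that both kinds of alarm are logged and acted on.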
Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
6. Power and Air-conditioning
All IT equipment should be protected from power failures, if necessary. A suitable power supply should be provided, and an uninterruptible power supply should be introduced, if necessary. Another aim of protection should be to ensure admissible temperature and humidity. [¶ 8.1.7(6), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
General Guidance
The organization should have measures implemented to protect against environmental risks. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]
All rooms housing critical IT equipment should have temperature and humidity controls installed. [CI2.6.4(d), The Standard of Good Practice for Information Security]
UK and Canadian Guidance
The data center should have adequate cooling to dissipate the heat generated by the equipment. [Annex E.2.2, PAS 77 IT Service Continuity Management. Code of Practice, 2006]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
