Establish, implement, and maintain a Heating Ventilation and Air Conditioning system.


CONTROL ID
00727
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Employ environmental protections., CC ID: 12570

This Control has the following implementation support Control(s):
  • Install and maintain an environment control monitoring system., CC ID: 06370
  • Protect air intakes into the organizational facility., CC ID: 02211
  • Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system., CC ID: 06368
  • Install and maintain backup Heating Ventilation and Air Conditioning equipment., CC ID: 06369
  • Install and maintain a moisture control system as a part of the climate control system., CC ID: 06694
  • Install and maintain hydrogen sensors, as necessary., CC ID: 06705


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • F46: The organization shall install automatic temperature and humidity recorders or alarm systems in the computer rooms and data storage rooms to detect and alert personnel about extreme temperature or humidity for computer system preventive maintenance and identifying possible causes of computer sy… (F46, F72, F131, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • For the measurement of temperature and humidity, it is necessary to avoid any locations directly exposed to exhaust air from computer equipment and air blown from air-conditioning facilities, near the entrances to the rooms, and other such places that experience significant variations in temperature… (F46.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is thus recommended to install and run several pieces of major equipment for air-conditioning facilities to ensure consistent air-conditioning to the computer system even if some pieces of device fail to operate correctly. Installation of several pieces of equipment allows a margin of capacity fo… (F75.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • As for the lighting and air-conditioners necessary for the operation of a computer system, it is recommended that its power can also be supplied from a private power generation facility. Since it takes some time to switch over to the private power generation facility, room temperature will rise and … (F64.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to provide every air-conditioning facility with proper dust removal filters, dust collectors, or other proper means at the fresh-air inlet and also the point of mixing the fresh air and recirculation air to ensure protection against the entry of any polluted air and dust particles. (F73.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To ensure proper temperature and humidity conditions, it is recommended that dedicated air-conditioning facilities be installed. In cases where dedicated air-conditioners are required to ensure proper temperature and humidity conditions for the operating conditions of servers, it is necessary to in… (F132.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Air-conditioning facilities in the computer room are required to have the function of maintaining the temperature and humidity in a certain range appropriate for the computer equipment. For this reason, it is necessary to avoid sharing the air-conditioning facilities, other than the heat source manu… (F74.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The water supplied to air-conditioning facilities should be of high quality, and a proper water treatment device should be installed if necessary to treat any deteriorated water quality discovered by water quality tests carried out on a regular basis. (F73.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To prevent freezing of the water circulating in the cooling tower in cold climate areas or in the winter season, electric heaters operating on predetermined temperature settings in response to detected water temperature, if installed, should be provided with proper precautions against possible overh… (F73.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In cases where air-conditioning is essential for the installed environments of terminal devices and/or the type of terminal devices, proper air-conditioning facilities should be installed for the number of terminal devices installed. (F110.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To protect the terminal devices against a possible failure due to water leakage, dust particles, smoke, or other factors, it is recommended to use waterproof and dust-proof covers and/or install required air-conditioning facilities while the terminal device operation is suspended. (F120.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Heat distribution of air-conditioning facilities should be flexible enough to accommodate the changing room layouts and varying air-conditioning conditions. (F72.1. ¶ 2(3), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In the head offices and branch offices located in areas exposed to larger differences between daytime maximum temperature and the minimum nighttime temperature, terminal devices may malfunction due to condensation in the terminal devices resulting from the sharp temperature changes. Thus, careful co… (F110.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The drain trap for air-conditioning facilities is a U-shaped tube for water sealing to prevent the possible entry of offensive odors and contaminated air and drain water outside due to the pressure difference between the air-conditioning facilities and the outside. To ensure stable air-conditioning,… (F73.6., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The air-conditioning facilities need to be provided with various automatic control devices for stable operation. (F76.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Installing proper airflow controllers and pressure regulators for the air-cooling air-conditioning facilities to prevent deterioration in capability due to the lower outdoor temperatures. (F73.5. ¶ 1(2), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In preparation for possible failure in any automatic control unit, proper provisions should be made to switch automatic operation to manual and ensure the continuous operation without interrupting the air-conditioning facilities. (F76.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In order to automatically control cooling water temperature and pressure, refrigerant pressure, and other factors in the air-conditioning facilities, as well as to check the operating conditions, it is necessary to provide pumps, heat sources, and heat exchangers with pressure gages and thermometers… (F76.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Install a proper automatic opening/closing system to shut off any ducts which can deteriorate the fire extinguishing power before the release of fire-extinguishing agent. (F39.3. ¶ 1(3) ¶ 1 4), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • implementation of redundant cooling equipment (e.g. cooling towers, chilled water supply and computer room air conditioning units) to control the temperature and humidity levels in the DC and prevent fluctuations potentially harmful to systems. (§ 8.5.2(c), Technology Risk Management Guidelines, January 2021)
  • The organization should implement mechanisms to monitor for and alert individuals when a compromise of the temperature control is detected. (¶ 56(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • environmental controls which maintain environmental conditions within acceptable parameters. Common controls include ventilation, air conditioning and fire suppressant systems; and (46(c)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The data center should have adequate cooling to dissipate the heat generated by the equipment. (Annex E.2.2, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The impact of hazards should be minimized by monitoring and controlling the temperature and humidity of data centers, computer rooms, or equivalent, in accordance with equipment manufacturer recommendations. (CF.19.03.04d, The Standard of Good Practice for Information Security)
  • The impact of hazards should be minimized by monitoring and controlling the temperature and humidity of data centers, computer rooms, or equivalent, in accordance with equipment manufacturer recommendations. (CF.19.03.04d, The Standard of Good Practice for Information Security, 2013)
  • Implement and maintain data center environmental control systems that monitor, maintain and test for continual effectiveness the temperature and humidity conditions within accepted industry standards. (DCS-13, Cloud Controls Matrix, v4.0)
  • Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is consider… (¶ 8.1.7(6), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The building should provide fire protection, a suitable range and stability of temperature and humidity levels, safety measures, water damage protection, contaminant protection, controlled access to storage areas, protection against damage by insects or vermin, and detection systems for unauthorized… (§ 4.3.7.2 ¶ 1(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Service providers should ensure humidity and temperatures are measured in areas that house restricted facilities to check for the proper operation of the A/C systems, measurements are taken throughout the day at different times, and the A/C system is capable of maintaining the temperature and humidi… (§ 6.12.3, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The environment should be monitored for conditions that could adversely affect the equipment. (§ 9.2.1, ISO 27002 Code of practice for information security management, 2005)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Do the physical security and environmental controls present in the building / data centers that contain scoped systems and data include Heating Ventilation and Air Conditioning system? (§ F.1.2.18, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Does the data center that contains scoped systems and data have air conditioning? (§ F.2.3, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • The air cooling system must have redundancy built in. The organization must maintain and monitor the temperature and humidity levels and monitor specific control alarms. The organization must evaluate the alert levels and the guidelines for each level. When needed, management must be notified of pos… (CSR 5.1.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The facility must have temperature controls (manual or automatic) installed that sound an alarm when there are fluctuations that are potentially harmful to equipment operation or personnel. (PETC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The facility must have automatic temperature controls installed in order to prevent harmful temperature fluctuations. (PETC-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • HVAC controls, including: (App A Objective 13:9a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintaining appropriate temperature and humidity levels. (App A Objective 13:9a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: ▪ Environmental controls - the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechani… (Exam Tier II Obj 1.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should have heating, ventilation, and air conditioning (HVAC) systems installed and operational in its computer rooms in accordance with the requirements for the installed computers. (Pg 18, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Maintains temperature and humidity levels within the facility where the information system resides at [FedRAMP Assignment: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]; and (PE-14a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Maintains temperature and humidity levels within the facility where the information system resides at [FedRAMP Assignment: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]; and (PE-14a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Maintains temperature and humidity levels within the facility where the information system resides at [FedRAMP Assignment: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]; and (PE-14a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Maintain [FedRAMP Assignment: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]] levels within the facility where the system resides at [Assignment: organization-defined acceptable… (PE-14a., FedRAMP Security Controls High Baseline, Version 5)
  • Maintain [FedRAMP Assignment: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]] levels within the facility where the system resides at [Assignment: organization-defined acceptable… (PE-14a., FedRAMP Security Controls Low Baseline, Version 5)
  • Maintain [FedRAMP Assignment: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]] levels within the facility where the system resides at [Assignment: organization-defined acceptable… (PE-14a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is the computer room climate adequately controlled? (IT - General Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • § 4.5.5.1: Cryptographic modules shall have environmental failure protection features to protect against unusual environmental fluctuations or conditions that can compromise the modules' security. The module shall monitor and respond to fluctuations in temperature and voltage outside the normal ran… (§ 4.5.5.1, § 4.5.5.2, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • For Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supp… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records, documents, and the facility should be examined to ensure the temperature and humidity of the facility is continuously monitored and maintained, they function properly, and specific responsibilities and actions are defined for the implementation of the temperature and humidity… (PE-14, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Environmental Factors. In addressing the security needs of the system and data, it is important to consider environmental factors. For example, if a site is dusty, systems should be placed in a filtered environment. This is particularly important if the dust is likely to be conductive or magnetic, a… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 4 Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must maintain the temperature and humidity inside acceptable levels. (App F § PE-14.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automatic temperature and humidity controls to prevent fluctuations that could potentially harm the system. (App F § PE-14(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization maintains temperature and humidity levels within the facility where the information system resides at {organizationally documented acceptable levels}. (PE-14a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization monitors temperature and humidity levels {organizationally documented frequency}. (PE-14b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system. (PE-14(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization maintains temperature and humidity levels within the facility where the information system resides at {organizationally documented acceptable levels}. (PE-14a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization monitors temperature and humidity levels {organizationally documented frequency}. (PE-14b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization maintains temperature and humidity levels within the facility where the information system resides at {organizationally documented acceptable levels}. (PE-14a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization monitors temperature and humidity levels {organizationally documented frequency}. (PE-14b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization maintains temperature and humidity levels within the facility where the information system resides at {organizationally documented acceptable levels}. (PE-14a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization monitors temperature and humidity levels {organizationally documented frequency}. (PE-14b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system. (PE-14(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Maintains temperature and humidity levels within the facility where the information system resides at [TX-RAMP Assignment: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]; and (PE-14a., TX-RAMP Security Controls Baseline Level 1)
  • Maintains temperature and humidity levels within the facility where the information system resides at [TX-RAMP Assignment: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]; and (PE-14a., TX-RAMP Security Controls Baseline Level 2)
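
Several of the citations above describe the same monitoring requirement from different angles: recorders or alarms that alert on extreme temperature or humidity (F46), alerting when the temperature control itself is compromised (APRA ¶ 56(c)), graded alert levels that management evaluates (CMS CSR 5.1.6), organization-defined acceptable levels (PE-14a), and condensation risk from sharp temperature swings (F110.3). The following is an added illustration of how such an alerting check can be structured; it is not code from any of the cited documents or from the control framework. The envelope limits, warning margins, rate-of-change limit, stale-data timeout and sensor readings are all hypothetical values chosen for the example; real thresholds come from the organization's assignment and the equipment manufacturers' recommendations.

```python
"""Environmental alerting check: envelope, rate of change, and loss of monitoring."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed organization-defined acceptable levels (the PE-14a "[Assignment]").
# These numbers are hypothetical and are not taken from any cited document.
ENVELOPE: Dict[str, Tuple[float, float]] = {"temp_c": (18.0, 27.0), "rh_pct": (20.0, 60.0)}
WARN_MARGIN: Dict[str, float] = {"temp_c": 1.0, "rh_pct": 5.0}  # "approaching the limit" band
MAX_TEMP_RATE_C_PER_H = 5.0          # assumed limit on temperature change rate (condensation risk)
STALE_AFTER = timedelta(minutes=15)  # a silent recorder is itself an alert condition

LEVEL_RANK = {"OK": 0, "WARNING": 1, "CRITICAL": 2}


@dataclass
class Reading:
    sensor: str
    ts: datetime
    temp_c: float
    rh_pct: float


def classify(value: float, limits: Tuple[float, float], margin: float) -> str:
    """CRITICAL outside the envelope, WARNING within `margin` of an edge, otherwise OK."""
    lo, hi = limits
    if value < lo or value > hi:
        return "CRITICAL"
    if value < lo + margin or value > hi - margin:
        return "WARNING"
    return "OK"


def evaluate(readings: List[Reading], now: datetime) -> List[dict]:
    """Return one alert dict per finding: {"sensor", "level", "reason"}."""
    alerts: List[dict] = []
    by_sensor: Dict[str, List[Reading]] = {}
    for r in sorted(readings, key=lambda r: r.ts):
        by_sensor.setdefault(r.sensor, []).append(r)

    for sensor, series in by_sensor.items():
        last = series[-1]
        age = now - last.ts
        if age > STALE_AFTER:
            # No recent data: loss of monitoring is treated as a compromise of the control,
            # not as "no problem", because the envelope cannot be evaluated at all.
            alerts.append({"sensor": sensor, "level": "CRITICAL",
                           "reason": f"no reading for {int(age.total_seconds() // 60)} min"})
            continue
        for field in ("temp_c", "rh_pct"):
            value = getattr(last, field)
            level = classify(value, ENVELOPE[field], WARN_MARGIN[field])
            if level != "OK":
                alerts.append({"sensor": sensor, "level": level,
                               "reason": f"{field}={value} vs envelope {ENVELOPE[field]}"})
        if len(series) >= 2:
            # Rate of change between the two most recent readings: a fast swing can
            # cause condensation even while both readings sit inside the envelope.
            prev = series[-2]
            hours = (last.ts - prev.ts).total_seconds() / 3600.0
            if hours > 0:
                rate = abs(last.temp_c - prev.temp_c) / hours
                if rate > MAX_TEMP_RATE_C_PER_H:
                    alerts.append({"sensor": sensor, "level": "WARNING",
                                   "reason": f"temperature changing at {rate:.1f} C/h"})
    return alerts


def highest_level(alerts: List[dict]) -> str:
    """Overall severity to report to management; OK when there are no findings."""
    return max((a["level"] for a in alerts), key=LEVEL_RANK.get, default="OK")


# Constructed sample readings (not real telemetry): two healthy sensors, one that
# stopped reporting, and one seeing a fast temperature rise with wet air.
NOW = datetime(2024, 1, 1, 10, 10)
SAMPLE = [
    Reading("cold-aisle-1", datetime(2024, 1, 1, 10, 0), 22.0, 45.0),
    Reading("cold-aisle-1", datetime(2024, 1, 1, 10, 10), 22.5, 46.0),
    Reading("hot-aisle-1", datetime(2024, 1, 1, 10, 0), 26.0, 50.0),
    Reading("hot-aisle-1", datetime(2024, 1, 1, 10, 10), 26.5, 50.0),   # near the upper limit
    Reading("store-room", datetime(2024, 1, 1, 9, 40), 21.0, 40.0),     # recorder went silent
    Reading("crac-return", datetime(2024, 1, 1, 10, 0), 20.0, 40.0),
    Reading("crac-return", datetime(2024, 1, 1, 10, 10), 24.0, 70.0),   # fast rise, humidity out of range
]

if __name__ == "__main__":
    found = evaluate(SAMPLE, NOW)
    for a in found:
        print(a["level"], a["sensor"], a["reason"])
    print("overall:", highest_level(found))
```

The check deliberately reports a sensor that has stopped reporting as CRITICAL rather than silently skipping it, since an absent reading is exactly the "compromise of the temperature control" the APRA guidance asks to detect; the WARNING band below the hard limit gives operators time to act before equipment is at risk, which is the graded alert scheme the CMS requirement describes.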