Server Room Environmental and Physical Security
This is a short checklist of things to consider when planning your server room or data center. A formal risk analysis should be done to determine exactly what the risks are, which controls are needed, and at what level and cost. Obviously, small organizations will not be able to take all of these preventative measures, and they may decide that the cost of a control outweighs its benefit. The decision on which risks to accept and which to mitigate should be made by senior management, because they are ultimately responsible.
Filtered air - dust reduces heat transfer and can cause heat damage to circuits
Maintain a constant temperature between 70-74F (21-23C)
Maintain a constant humidity between 45-60% - High humidity causes corrosion and low humidity causes static electricity.
Positive air pressure – air flow out of the room
Protected air vents - possible entry point
Positive flow water drains – protect from the risk of flooding
Shielding from electromagnetic interference (EMI) and radio frequency interference (RFI)
Uninterruptible power supplies (UPS) and surge suppressors
Generators may be needed depending on the amount of tolerable downtime for your organization
Doors, Windows and Walls
No more than two doors
Locks, or electronic door locks
Log who has been assigned keys
Strike-plates on doors
Tamper-resistant hinges on doors
Resistant to forcible entry
Fire rated doors and walls
No windows or doors to the outside of the building
Internal windows should be small and shatterproof or bulletproof
Walls should extend beyond any false or drop ceilings
Security mesh to help stop break-ins through gypsum walls
For highly sensitive areas you may need TEMPEST shielding
Location of the server room or data center
Should not be on the top floor
Should not be in the basement
Should not be on the first floor
Should not be located near stairs, bathrooms, water pipes, elevators or EMI emissions
It should be located at the center of the facility to help mitigate any external threats.
Access to the server room
Access should be limited to Information Systems (Technologies) staff members who need access to perform their duties.
Access to the server room should be logged, recording who entered the server room and when (audit trail).
Escort non-IT staff while they are in the server room. Untrained individuals should be watched while they are in the server room. This helps mitigate the risk of an accident or malicious actions.
Additional access controls such as smart cards, biometrics, or electronic combination locks
Guards – for highly sensitive areas
Mantraps – for highly sensitive areas
Intrusion detection - alarms
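The access rules above (limited to approved staff, logged, non-IT visitors escorted) can be checked against the door log itself. The following is an added example, not part of the original checklist; the log format, user names and roster are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: the badge log format, names and roster are assumptions.
AUTHORIZED_IT = {"asmith", "bjones"}  # IS staff approved for server room access
LOG = """\
2024-03-04T09:00:00 asmith IN
2024-03-04T09:05:00 vendor1 IN
2024-03-04T09:40:00 vendor1 OUT
2024-03-04T09:45:00 asmith OUT
2024-03-04T13:00:00 cleaner IN
2024-03-04T13:10:00 bjones IN
2024-03-04T13:20:00 cleaner OUT
2024-03-04T13:30:00 bjones OUT
2024-03-04T22:00:00 bjones IN
"""

def parse_visits(log_text):
    """Pair IN/OUT events into (user, start, end) visits; end is None if no OUT."""
    open_in, visits = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, direction = line.split()
        when = datetime.fromisoformat(ts)
        if direction == "IN":
            open_in[user] = when
        elif direction == "OUT" and user in open_in:
            visits.append((user, open_in.pop(user), when))
    # Entries that never got a matching exit stay open-ended.
    visits.extend((user, start, None) for user, start in open_in.items())
    return sorted(visits, key=lambda v: v[1])

def audit(visits, authorized):
    """Flag visits with no recorded exit and non-IT visits without an escort."""
    findings = []
    staff = [v for v in visits if v[0] in authorized and v[2] is not None]
    for user, start, end in visits:
        if end is None:
            findings.append((user, "no exit recorded"))
        elif user not in authorized:
            # Escorted means one approved staff visit spans the whole visit
            # (a hand-off between two escorts is not modelled here).
            if not any(s <= start and e >= end for _, s, e in staff):
                findings.append((user, "unescorted non-IT access"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(parse_visits(LOG), AUTHORIZED_IT):
        print(f"{user}: {issue}")
```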
At a minimum it is recommended to have Class C fire extinguishers installed within 50 feet, clearly marked, in an unobstructed view, easily reachable and inspected quarterly. Halon and water are not advisable fire retardants; consider FM-200 (HFC-227) or other non-conductive dry chemicals. If a water sprinkler system is used, it should be a pre-action or dry pipe system, which gives a delay before releasing water, giving the systems time to shut down. A wet pipe system does not have such a delay. It is recommended that fire detection equipment be placed on and above suspended ceilings, below raised floors and in air ducts. Remember that human life should be the priority. For further information contact the National Fire Protection Association (NFPA, http://www.nfpa.org).