CONTROL ASSESSMENT

<COMPANY NAME>
DATA CENTER CONTROLS ASSESSMENT

Physical Access, Fire, Water, and Power Controls

Location:

Date:

Client Personnel:

E&Y Interviewer:

Note: document specific zones that remained in scope.

Contents

Contents________________________________________________________________________________________________________________2

CLIENT CONFIDENTIAL
1
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

Section 1 – Previous Audit Findings___________________________________________________________________________________________________3

Section 2 – Property Considerations__________________________________________________________________________________________________3
Section 4 – Perimeter Security and Monitoring_________________________________________________________________________________________4
Section 5 – Access Control Practices__________________________________________________________________________________________________5
Section 6 – Physical Security and Access Controls to Critical Operations Areas_______________________________________________________________7
Section 7 – Fire Detection and Suppression Systems_____________________________________________________________________________________9
Section 8 – Water Damage Exposure_________________________________________________________________________________________________10
Section 9 – Air Conditioning (temperature, filtration, and humidity)_______________________________________________________________________12
Section 10 – Electricity Service and Distribution_______________________________________________________________________________________13
Section 11 – Lighting______________________________________________________________________________________________________________15
Section 12 – Utility Support Systems_________________________________________________________________________________________________16
Section 13 – Critical Facilities Operations Physical Exposures____________________________________________________________________________17

CLIENT CONFIDENTIAL
2
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

Section 1 – Previous Audit Findings

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

Section 2 – Property Considerations

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Do you own your properties?

2 Do you lease properties?
3 Do you have more than one property?
4 Do you outsource or co-locate your data center resources?
5 Are there other types of people and business resources and
assets that are unique and considered high risk if lost or
damaged, i.e. R&D facilities, labs, intellectual property
6 Has due diligence been performed on both leased or owned
properties prior to purchase or lease to determine risks
attendant to the property in relation to the business activity.
7 Was the results of the due diligence process communicated and
remediation steps taken, as appropriate to the requirements of
the business?
8 Are critical operations located in high-rise / multi-tenant
buildings?
9 Are these functions / activities backed-up at other locations?
10 Are sites geographically isolated (minimum safe distance)?
11 Is the building designed to current codes to resist naturally
occurring hazards, i.e., wind, hurricanes, tornado’s, lightning,
floods, earthquakes, dust storms, freezing temperatures,

CLIENT CONFIDENTIAL
3
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

excessive heat?
12 Are you aware of the property(s) physical limitations relative
to your business operations?
13 How many ways can the property(s) be accessed, i.e., street,
below grade, front, back, side, roof, utility easements, pipes,
bridges, trains, buses, garage and lobbies?
14 Is there a site security manager at every site?
15 What criteria has been established for ground floor
architectural barriers and conditioning, i.e. crash barriers,
bullet resistant glass and walls, window bars, door control,
loading dock access and control, vents and penetrations, utility
access points?
16 Is there a single point of access established for all individuals
entering the property?
17 Are emergency power-off switches clearly labeled, shielded to
prevent accidental activation, and located both inside and
outside the data center?
18 Is all building wiring placed in fire resistant panels and
conduits (prefer under fire resistant raised computer room
floor).

Section 4 – Perimeter Security and Monitoring

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Is parking adjacent to the facility limited to employees only?

2 Is the parking area well lighted at night, e.g. in excess of 3 foot
candles?
3 Is the parking lot fenced and isolated from the general public
(physical barrier in place)?
4 Are employee vehicles identified with clearly visible decals and
is a card key system used to control access?
5 Are there multiple access points into the parking area(s)? How
are these controlled 24x7?
6 Is there a separate road to the loading dock area?

CLIENT CONFIDENTIAL
4
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

7 Are signs clearly posted in the parking area to advise that

unauthorized vehicles will be towed?
8 Are visitors parking spaces clearly identified?
9 Is the parking area checked by security personnel for
unauthorized personnel and vehicles on a routine basis?
10 Is the entrance to the facility protected to prevent a vehicle
entry into the building?
11 Is equipment installed external to the building (e.g. air
conditioning condensers, generators) secured to prevent access
by unauthorized personnel?
12 Are parking areas, peripheral areas and sensitive areas within
the facility monitored by CCTV equipment?
13 Is employee access to the parking lot 24x7?
14 Are signs posted advising of 24 hour video surveillance?
15 What is the distance from parked vehicles to the building?
16 Who monitors the parking lot CCTV?
17 Are there motion detectors to alert guard of activity?
18 Is the output of the surveillance camera recorded and data
stored?
19 Is overnight parking allowed?
20 Are stalls numbered and assigned?

Section 5 – Access Control Practices

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Are all entrances and exits from the facility monitored by

CCTV?
2 Are all entrances and exits secured by an access control
system to record use and to prevent unauthorized entry?
3 Are all employees and visitors required to wear photo
identification badges while in the facility?
CLIENT CONFIDENTIAL
5
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

4 Are visitor badges readily distinguishable from employee

identification badges?
5 Are visitors required to be escorted at all times while within
the facility?
6 Are packages, brief cases and computer cases brought into the
facility by visitors inspected?
7 Are computers and similar equipment brought into the facility
by visitors registered upon entry and checked when the visitor
exits the facility?
8 Are visitor badges accounted for and reconciled a daily basis?
9 Is there a process in place whereby the security staff knows
how many people are in the building at any time and who has
not left the building (came in, but did not leave)?
10 Are sensitive areas within the building (e.g., communications
rooms, Data Center/ server rooms, test labs, utility areas)
identified as restricted and highly sensitive areas?
11 Is access to sensitive areas within the facility controlled by the
use of access badges? Both in and out?
12 Are procedures in place to identify sensitive materials (e.g.
engineering drawings, intellectual property, equipment, test
samples, etc…) required to be authorized before their removal
from the property by proper authority?
13 Are access control system logs analyzed to identify unusual
entry and exit patterns during off hours?
14 Are all materials being removed from the buildings where
sensitive work is being done checked to ensure that only
authorized materials are being removed (front door and
loading dock)?
15 Are other points of access, i.e. utility spaces, pipes,
communications entrances secured and monitored, as well as
requiring approval to access on a 24 x 7 basis?
16 Is all sensitive equipment (e.g., test equipment, PC Units,
VDT’s) secured to desktops or floor or similar objects to
preclude damage from movement and falling during an
earthquake.
17 Are there protective roll-up grills or doors that can be closed
to secure the entrance and elevator lobby in the event of an
emergency?
18 Is there an elevator control function that will prevent elevators

CLIENT CONFIDENTIAL
6
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

from going below the 2nd floor (or to the data center) in the
event of a “Code Red” condition?
19 Is there a lock all doors mode that will secure doors to exterior
of sensitive areas (generally not allowed by fire codes)?
20 Have the doors, hardware, monitoring devices been specified
and designed to a recognized industry standard?
21 How often are these features tested?
22 Are bolting door lock keys stamped “do not duplicate”, issued
to only authorized personnel, and issuance logs reviewed?
23 Are combination door lock combinations regularly changed or
whenever an employee with access is transferred or
terminated?
24 Evaluate proper security of physical entry points:
 All entry doors
 Glass windows and walls
 Movable walls and modular cubicles
 Above suspended ceilings and beneath raised floors
 Ventilation systems
 Over a curtain, fake wall.

Section 6 – Physical Security and Access Controls to Critical Operations Areas

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Is the critical operations area a likely target for vandals or

terrorists?
2 Are guards stationed at all entrances?
3 Does entrance to these areas require positive identification
(e.g., a photo badge, Personnel Identification Number (PIN)
number, biometric identification)?
4 Is access to those authorized only to individuals whose job
performance requires access?
5 Is limited access to these areas enforced on a 24x7 days per
week?
6 Are keys, cipher locks, badge readers, or other security devices
CLIENT CONFIDENTIAL
7
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

used to control access?

7 Are personnel trained to challenge improperly identified
individuals seeking access?
8 Are controls, such as a visitors' log or escort procedure, in
place for visitors?
9 Is advertising or signage identifying critical operations areas/
location discouraged?
10 Is each entrance to the protected area necessary?
11 Is the purpose of each entrance to the critical areas clearly
defined (including clean room access points)?
12 Are doors that are necessary to provide ventilation and light
protected by a gate or screen when open?
13 Are all doors entering and leaving critical areas, including fire
exit doors protected by exit alarms? Are these alarms centrally
monitored and recorded?
14 Are doors, locks, bolts, hinges, frames, and other building
apparatus designed and constructed to reduce the probability
of unauthorized entry?
15 If access to theses areas electronically controlled, are
alternative methods of access and security provided in the
event of a power failure?
16 Is access to the support facilities (e.g., electrical vault, cooling
towers, or forms storage) monitored?
17 If telecommunications processing equipment is located within
the Data Center/Server Room, is it physically and
environmentally secure?
18 Are security and operations personnel briefed on how to react
to civil disturbances?
19 Are personnel trained to handle bomb threats?
20 Does a liaison program exist with local law enforcement
agencies?
21 Are areas Identified to allow rapid response to an emergency
situation?

Section 7 – Fire Detection and Suppression Systems

Item Exposure YES NO Source Comment Control

CLIENT CONFIDENTIAL
8
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

(Y) (N) Strength

(S, NI, U)

1 Is the building equipped with a fire suppression system e.g. ,

sprinklers (charged with water or dry pipe), Co2, HALON,
Intergen, FM 200 or other suppressant?
2 Is the equipment inspected by the fire department (at least
annually) and serviced on a regular basis? (acquire recent
inspection report)
3 Do test plans include evaluation of fire suppression zone
integrity?
4 Do fireproof walls have at least a two-hour resistance rating?

5 Are electrical surge protectors on sensitive and expensive

computer equipment present?
6 Do triggered fire alarms automatically trigger other
mechanisms to localize fire such as closing fire doors,
notifying the fire department, closing off ventilation ducts and
shutting down nonessential electrical equipment?
7 Is the system segmented so a fire in one part of the facility
does not activate the entire system?
8 Are alarm panels located such that location of all smoke or
heat alarms can readily be identified?
9 Are manual fire alarms strategically located throughout the
facility? Is the resulting audible alarm linked to a monitored
guard station?
10 Are fire alarm control panels located in weatherproof boxes
and situated in a controlled room to prevent access by
unauthorized personnel?
11 Are fire alarm control panels allocated power from a dedicated
and separate circuit?
12 Are alarm control panels able to control or disable separate
zones within the facility?
13 Are fire alarm control panels in accordance with temperature
requirements set by the manufacturer?
14 Are the fire alarms readily identifiable?
15 Is the fire alarm control panel separated from burglar or
security systems and notify local fire authorities (direct
connection or third party)?
CLIENT CONFIDENTIAL
9
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

16 Is the fire alarm accessible to fire department personnel at all

times?
17 Are hand held fire extinguishers strategically located
throughout the facility with prominently located markers?
18 Are the hand held fire extinguishers inspected on a regular
basis (should be clearly indicated on Tag)?
19 Are personnel trained to use hand held fire extinguishers for A-
B-C Class fires?
20 Are smoke detectors installed above and below the ceiling tiles
throughout the facility? Are they marked for easy
identification and access?
21 Do smoke detectors produce an audible alarm when activated
and linked to a monitored station (in-house or fire
department)?

Section 8 – Water Damage Exposure

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Are labs, manufacturing and computers and related support

equipment located above grade?
2 Are retention ponds equipped with proper drainage?
3 Are overhead water and steam pipes, except sprinklers,
excluded from the critical operations areas?
4 Is adequate drainage provided under raised floors and in other
areas of these areas?
5 Are water detectors placed under raised floors and near drain
holes?
6 Are zoned water detectors installed below the raised flooring?
Are they tested regularly?
7 Is there adequate drainage on the floor above to prevent ceiling
water leakage to floors below?
8 Is adequate drainage provided in areas adjacent to the critical
operations areas?
9 Are all electrical junction boxes under raised floors isolated
CLIENT CONFIDENTIAL
10
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

from the slab to prevent water damage?

10 Are exterior doors and windows watertight?
11 Is protection provided against accumulated rainwater or leaks
in the roof and rooftop cooling towers?
12 Is vegetation cut back away from the building roof line?
13 Is the roof, flashing and roof drains maintained at a level
consistent with the use of the property?
14 Are drains free of blockage?
15 Have pre-cautions been taken to prevent freeze damage?
16 Has snow load (accumulation) been considered? Potential for
collapse if water or snow accumulates beyond design limits.
17 Where does roof water drain to?
18 Do restrooms have floor drains?
19 Have you surveyed all sources of water intrusion? Potentially
there are 20-30 sources of water in a commercial property.
20 Are there other sources of “liquid” that can migrate through
the building (including chemicals)?
21 Are there sufficient “Wet Vacs”, tarps, floor fans and pumps to
begin immediate emergency measures or clean-up?
22 Are unattended equipment storage facilities equipped with
tested and functioning water detectors?
23 Are water detection alarm control panels separated from
burglar or security systems located on the premises?
24 Are water detection alarm control panels located in
weatherproof boxes and situated in a controlled room to
prevent access by unauthorized personnel?
25 Are water detection alarm control panels allocated power from
a dedicated and separate circuit?
26 Are water-intensive facilities, such as restrooms or kitchens,
located directly above data center or technology equipment
storage facilities?

Section 9 – Air Conditioning (temperature, filtration, and humidity)

CLIENT CONFIDENTIAL
11
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Is the HVAC system exclusively used for the critical

operations area, i.e. Data Center, Research Labs,
Manufacturing, Storage, etc…?
2 Are these areas equipped with temperature and humidity
recording equipment? Are these remotely monitored?
3 Are duct linings and filters noncombustible?
4 Are fire dampers provided? Are they operable?
5 Are the air conditioning compressors remote from the critical
operations area?
6 Is the cooling tower adequately protected (exposed in parking
lot, garage or roof)?
7 Is back-up air-conditioning capacity available? Is there a
secure hook-up for a portable cooling plant (truck mounted)?
8 Are air intakes:
 Covered with protective screening
 Located above street level
 Located to prevent intake of pollutants or other debris
9 Is there a separate power source for the HVAC for the critical
operations areas and critical offices if commercial power is
lost?
10 Is there a program to monitor “Indoor Air Quality” (IAQ)?
11 Has consideration been given to have the means to detect
Biological or other environmental hazards?
12 Are all HVAC pipes braced for earthquake as well as vibration
mounts to prevent breakage or leakage?
13 Have HVAC pipes been routed away from critical operations
areas?
14 Have all mechanical equipment areas been provided with
“dams” around the perimeter?
15 Have floor drains been installed?
16 Are there water detection sensors in the HVAC spaces?
17 Are all critical performance measurements monitored on the
HVAC equipment and monitored and recorded at a central
CLIENT CONFIDENTIAL
12
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

location (Building Management System)?

18 Are HVAC risers separated from electrical and
telecommunications risers?
19 What HVAC equipment must be on emergency power? Is there
a criticality to the time HVAC can be off e.g., 5 minutes, 10
minutes, no down time.

Section 10 – Electricity Service and Distribution

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Is the local Utility Company power supply reliable?

2 Is the line voltage continually monitored with a voltmeter that
displays and records voltage and current transients?
3 If the line voltage is unreliable, have alternative measures been
investigated?
4 If the criticality of the systems within the operations areas is
high, have uninterrupted power supplies (UPS) been
investigated?
5 Is there a stand alone UPS for emergency lighting?
6 Is there surge protection for Research Lab equipment, Process
Control Systems, Data Center, PC’s, file servers, and
terminals (including connected telecommunications and
telephone lines?
7 Does all wiring in the property conform to accepted local and
national electrical codes? Including CAT 4 and 5 Telecom
connectivity in walls, under floor, cable ladders, risers, chases.
8 Are there policies to control use of electrical appliances in
office cubicles (e.g., electric space heaters or hot plates)
9 Is there a formal “Change Management” process in place to
assure that the building systems are maintained and
sustainable?
10 Is the electrical system and equipment tested periodically by an
Independent Testing Service firm (IEEE/ NECA guidelines)?
Testing frequency should be no more than every three years,
CLIENT CONFIDENTIAL
13
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

“best practice” every two years.

11 Have all panels and electrical service appliances been labeled
correctly in a clear and professional manner?
12 Has the UPS battery plant be up-graded to include battery
monitoring and conditioning technology?
13 Is testing performed with off line “load banks”?
14 Are logs maintained for load demands, capacity and profiles?
15 Has load monitoring points been installed at each of the
critical power supply services and are they remotely monitored
and recorded?
16 Is there a separate certified grounding system, unique from the
building ground for all critical operations equipment?
17 Are there known single point failures in the electrical
distribution system?
18 Are power receptacles “color coded” to prevent plugging in
non-IT or noise generating equipment, i.e. vacuum cleaners,
drill motors, construction equipment?
19 What is the current duration of the emergency fuel supply
system? Typically 24-36 hours minimum
20 What level of redundancy is designed into the emergency
power plant? N+1/ N+2 or no redundancy.
21 Has a load coordination study been performed to assure that
the system is not overloaded?
22 How often is the emergency power system tested under loaded
conditions (building testing, not independent)?
23 Are essential spare parts maintained on site, i.e. fuses, filters,
control boards, batteries, indicator lights, etc…

Section 11 – Lighting

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Is the property equipped with battery powered emergency

lighting?

CLIENT CONFIDENTIAL
14
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

2 Is the lighting positioned and adequate to enable personnel to

navigate safely and quickly to an exit in an emergency?
3 Is the emergency lighting and exit sign lighting tested at least
once a year?
4 Does exterior lighting provide minimally acceptable light to
allow effective video surveillance (3-5 foot candle)?
5 Are exterior lights all weather and vandal proof?
6 How are lights controlled (day and night)? Who is responsible
for the time settings?
7 Are the lighting fixtures in use correct for optimum night time
CCTV surveillance?
8 Are the lights frequently checked and maintained?
9 Are light poles numbered to assure timely maintenance or
response to an incident (also to help guards identify locations
on the CCTV monitors)?
10 Is there adequate lighting in areas close to the building, in
back, utility sub-station?
11 Are exterior lights on emergency power circuits?
12 Are all critical interior lights on emergency power?
13 Does the emergency power generator have adequate capacity
to sustain lighting?

Section 12 – Utility Support Systems

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Does the building have its own separate power feed?

2 Is the building serviced by more than 1 power feed and, if yes,
is the routing from more than 1 power sub-station?
3 Is the routing of the utility power services physically
separated?
4 Is all power entering the building filtered to prevent surges to

CLIENT CONFIDENTIAL
15
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

connected equipment and individual office cubicles?

5 Is there an Uninterruptible Power Supply (UPS) installed?
What is its estimated time of operation during a power outage?
How often is it tested?
6 Does the UPS support a Research Lab, Data Center, Server
Room, Telecommunications or manufacturing area?
7 Does the UPS support Telephone Communications for the
property?
8 Does the UPS support the environmental equipment?
9 Does the UPS provide power to individual work stations?
10 Is there a backup generator installed? Is it N+1 or higher
configuration?
11 Is the backup generator load tested on a regular basis?
12 Are all communication circuits routed through a single room
and riser in the building?
13 Is the PBX system supported by a UPS?
14 Is the PBX system supported by an emergency generator?
15 Is the fiber optic communications link supported by a UPS on-
site (POE and POP)?
16 Are Wireless communications resources also backed up on
UPS and Emergency power circuits?

Section 13 – Critical Facilities Operations Physical Exposures

Item Exposure YES NO Source Comment Control

(Y) (N) Strength
(S, NI, U)

1 Are the Labs, Data Center, Server Rooms, Vaults,

Manufacturing or other critical areas separated from adjacent
areas by noncombustible or fire-resistant partitions and/or
walls that go from true floor to true ceiling, floors, and doors,
and is it isolated from other hazardous occupancies?
2 Are the critical operations housed in a building that is fire
resistant or noncombustible?
3 Are raised floors and hung ceilings (including support
CLIENT CONFIDENTIAL
16
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

hardware and insulation) noncombustible?

4 Are carpets, furniture, and window coverings noncombustible?
5 Are paper and other combustible supplies stored outside the
critical operations areas?
6 Is smoking restricted in these areas?
7 Are IT operations personnel trained in fire-fighting techniques
and assigned individual responsibilities in case of fire?
8 When was the last time IT personnel last trained in the use of
fire extinguishers? Was training “Hands On”?
9 Have operating personnel been given proper safety training?
Including the means to abort fire suppression release.
10 Are portable fire extinguishers strategically placed in the
business critical areas with prominent location markers?
11 Are raised floor pullers located at each fire extinguisher
location?
12 Are Emergency Power Off controls easily accessible at exits
(EPO switches)?
13 Does Emergency Power Off control heating, ventilation, and
air-conditioning? Is there an established “Off and On”
sequence to protect sensitive equipment or research tests in
progress
14 Is a shutdown sequence checklist used?
15 Do personnel have instructions on the emergency shutdown of
equipment such as "Red" power disconnects and when and
how to use them?
16 Are emergency teams familiar with the property and it’s fire
prevention and mitigation resources and construction?

17 Are smoke and ionization detectors installed in: Various Data

Center zones? Ceilings? Raised floors? Return air ducts?
18 Do smoke and ionization detection activate emergency power
shutoff?
19 Are detectors regularly tested?
20 Are fire drills conducted regularly?
21 Is an adequate supply of fire-fighting water available?

CLIENT CONFIDENTIAL
17
 THREAT AND RISK ASSESSMENT QUESTIONNAIRE & TARGET CONTROLS

22 Is there an adequate number of fire alarms “Pull Stations”

located throughout the critical business areas?
23 Does activation of the fire alarm sound in the: Local area?
Guard and security location? Central fire-alarm station? Fire
department?
24 Are flammable materials used in computer maintenance?
25 Can emergency teams / crews gain access to the data center
without delay? What is process?
26 Is there adequate emergency lighting throughout the critical
operations area to allow shutdown, repair, security and egress?
27 Is the facility equipped with “Early Warning Smoke Detection”
sensors?

CLIENT CONFIDENTIAL
18