CSA CCM DCS-13
Environmental Systems | Plerion

Data centers are complex environments that require careful monitoring and control of temperature and humidity to ensure optimal performance of IT equipment. The Cloud Controls Matrix (CCM) Control DCS-13 focuses on implementing and maintaining environmental control systems to keep data center conditions within accepted industry standards. Regular testing helps ensure these critical systems remain effective over time.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full CCM from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4 to learn more. The CCM provides a cybersecurity control framework for cloud computing. It is aligned with industry-accepted security standards, regulations, and control frameworks like ISO 27001/27002, ISACA COBIT, PCI DSS, NIST SP 800-53, HIPAA, and AICPA TSC.

Who should care?

This control is relevant for:

  • Data center managers responsible for maintaining optimal environmental conditions
  • IT operations teams who rely on a stable data center environment for uptime and reliability
  • Compliance officers who must ensure adherence to industry standards and regulations
  • Business leaders concerned about the financial and reputational risks of data center outages

What is the risk?

Failure to properly monitor and control data center environmental conditions can lead to:

  • Equipment overheating causing unexpected shutdowns and data loss
  • Reduced equipment lifespan due to excessive wear from high temperatures
  • Electrostatic discharge damage to components from low humidity
  • Mold growth and corrosion of equipment from high humidity
  • Fire hazards from faulty detection and suppression systems

Implementing DCS-13 helps mitigate these risks through proactive monitoring, maintaining optimal conditions, and regular testing of environmental control systems. However, it cannot completely eliminate the possibility of failures.

What's the care factor?

Maintaining proper data center environmental conditions should be a top priority for any organization that relies on IT infrastructure for critical business functions. Even brief outages can result in significant financial losses from lost productivity, transactions, and data. Extended downtime can irreparably damage a company's reputation.

Investing in robust environmental control systems and adhering to DCS-13 best practices is well worth the cost compared to the steep price of uncontrolled conditions. That said, smaller organizations with less complex environments may be able to implement more streamlined monitoring processes.

When is it relevant?

DCS-13 is highly relevant for:

  • Enterprise data centers with strict uptime requirements
  • Colocation facilities housing infrastructure for multiple customers
  • Environments with high-density computing equipment
  • Data centers in locations with extreme climate conditions
  • Organizations subject to industry regulations like HIPAA or PCI DSS

It may be less critical for:

  • Small server rooms with few devices
  • Fully cloud-based deployments with no physical infrastructure
  • Dev/test environments that can tolerate occasional downtime
  • Locations with temperate climates and stable power

What are the trade-offs?

Implementing DCS-13 requires investing in specialized monitoring equipment, backup power and cooling, and personnel to manage these systems. This means:

  • Upfront costs for procurement and installation
  • Ongoing expenses for maintenance, repair and upgrades
  • Added complexity to manage versus a simple server room setup
  • Training time for staff to properly operate the systems
  • Potentially reduced flexibility for equipment placement in the data center

However, for most production environments, the benefits of maximizing uptime, protecting expensive assets, and meeting customer SLAs outweigh these costs. Modular, scalable approaches can help growing organizations implement DCS-13 gradually.

How to make it happen?

  1. Evaluate standards like ASHRAE, TIA-942 and Uptime Institute Tiers
  2. Determine required redundancy levels for power and cooling based on business needs
  3. Select monitoring system with sensors for temperature, humidity, air pressure, water leaks etc.
  4. Install sensors according to manufacturer specs, covering critical areas
  5. Implement backup power (e.g. generators, UPS) and cooling (e.g. chillers, CRACs)
  6. Configure monitoring dashboards and alerts with appropriate thresholds
  7. Integrate fire detection and suppression per NFPA standards
  8. Train staff on monitoring procedures and incident response
  9. Schedule regular PM and testing of power, cooling and fire safety systems
  10. Conduct annual risk assessments and audits against DCS-13 checklist

What are some gotchas?

  • Monitoring systems require reliable network connectivity, plan for redundancy
  • Sensors may need re-calibration over time to remain accurate
  • Backup generator startup sequences can be complex, regularly test under load
  • Fire suppression agent weights must be checked to ensure effectiveness
  • High availability power requires transfer switches and multiple feeds

Making DCS-13 changes in a live environment requires careful planning to avoid unintended downtime. Schedule maintenance windows and use a system like ITIL Change Management.

What are the alternatives?

For small deployments, heuristic monitoring using manual checks may suffice instead of a full BMS. Lower tier data centers may rely on portable cooling units versus central plants. Power redundancy can be achieved with multiple utility feeds rather than generators.

Virtualization and cloud computing allow for easier workload mobility in the event of localized data center issues. Disaster recovery sites enable rapid failover when a primary DC is down.

Explore further

This control maps to CIS Controls 11 and 12 which cover data recovery and network infrastructure protection respectively. Proper environmental conditions are foundational to enabling higher-level capabilities.

Blog

Learn cloud security with our research blog