You are a security consultant who has been employed by First Singaporean, a large bank based in Singapore, to examine the adequacy of security controls over a new site that it established nine months ago to house its mainframe computer facilities.

At first glance, the new facilities seem impressive. The bank has purchased an old warehouse. To disguise the purpose of the warehouse, its wooden facade remains, but internally it has been extensively refurbished in an attempt to set up a secure facility. The location of the warehouse and its purpose are known to only a small number of people who are employees of the bank. These persons have signed a secrecy agreement in relation to the operations and location of the warehouse.

As part of your review of physical controls, you examine the adequacy of controls to prevent and detect fire. When you tour the computer room, you notice that there are no hand-held fire extinguishers placed at strategic locations throughout the room. You question the operations manager about this apparent weakness. He assures you that this is not a control weakness. He informs you that a sophisticated heat-detection system has been set up in the computer room that will detect even the smallest fire. As soon as a fire is detected, an extinguisher system will dump a gas suppressant into the room after a 30 -second delay. Operators have been instructed to clear the room immediately when the alarm sounds because the suppressant is somewhat toxic. Consequently, he argues, hand-held extinguishers are not needed. Indeed, he contends they would be dangerous as they might cause operators to delay their exit from the computer room when the alarm sounds.

When you interview several operators about the fire evacuation procedures outlined by the operations manager, it is clear they are familiar with the procedures and that they are practiced regularly. One operations supervisor also points out that six months ago there was an electrical fire in the computer room. The evacuation procedures worked smoothly, and the fire alarm and suppressant system worked perfectly. Only minor damage was incurred as a result of the fire, and no one was injured.

Required. At this stage, what are your conclusions about the adequacy of the controls described by the operations manager? How will you now proceed in terms of your investigation of fire prevention and detection controls for the computer room?