Establish, implement, and maintain facility maintenance procedures.


CONTROL ID
00710
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an environmental control program., CC ID: 00724

This Control has the following implementation support Control(s):
  • Design the Information Technology facility with consideration given to natural disasters and man-made disasters., CC ID: 00712
  • Monitor operational conditions at unmanned facilities., CC ID: 06327
  • Remotely control operational conditions at unmanned facilities., CC ID: 11680
  • Inspect and maintain the facility and supporting assets., CC ID: 06345
  • Define selection criteria for facility locations., CC ID: 06351
  • Establish, implement, and maintain facility demolition procedures., CC ID: 16133


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number IV.10(3): The organization must verify that facilities are being properly operated. This is an IT general control. App 2-1 Item Number IV.10(4): Periodic maintenance must be conducted on all facilities. This is an IT general control. (App 2-1 Item Number IV.10(3), App 2-1 Item Number IV.10(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • F10: The organization shall ensure that buildings that house computer centers are fire-resistant, in accordance with the Building Standard Law. F11: The organization shall ensure the safety of the structure of buildings that house computer centers, in accordance with the Building Standard Law. F13: … (F10, F11, F13, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • To restart operation of any facilities after a long period of suspension, maintenance and inspection should be implemented for the facilities. (P54.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to define regulations for the maintenance of disaster prevention facilities and to conduct regular inspections. (P54.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When conducting the maintenance and inspection of facilities such as power supply, air-conditioning, water supply and drainage, disaster prevention, crime prevention, monitoring, and communication lines related to computer systems (including terminal devices), it is necessary to define facilities s… (P54.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is recommended to install lines and power cables to terminal devices in under-floor cabling pits, low free-access floor, or other proper locations to eliminate possible damage and wire breakage and facilitate maintenance. (F97.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The supply of the computing centres (e.g. water, electricity, temperature and moisture control, telecommunications and Internet connection) is secured, monitored and is maintained and tested at regular intervals in order to guarantee continuous effectiveness. It has been designed with automatic fai… (Section 5.14 BCM-05 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization must consider the following factors to ensure the appropriate physical security controls have been implemented: the impact of losing the site or asset; the threat level; the vulnerability; the value; the amount of the asset being held; the protective marking; and the location, envir… (Security Policy No. 5 ¶ 4, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must develop plans and procedures to deal with and intercept intruders or unauthorized visitors. The plans must include the ability to systematically search the facility. (Mandatory Requirement 57, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must ensure the rooms that hold sensitive assets or protectively marked material have doors, windows, locks, and entry controls that meet the appropriate security standards. (Mandatory Requirement 53, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must be ready to implement or remove the counter-terrorist physical security measures immediately when there is a change in the response level and ensure all employees are aware of the current response level. (Mandatory Requirement 65, HMG Security Policy Framework, Version 6.0 May 2011)
  • (§ 4.2.3.2, OGC ITIL: Security Management)
  • Are physical parameters and security measures implemented? (Table Row II.41, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. (DS12.5 Physical Facilities Management, CobiT, Version 4.1)
  • During a strike, the number of entrances to the facility should be kept to the minimum number required for the organization's operations. (Pg 13-I-18, Protection of Assets Manual, ASIS International)
  • The organization shall determine, provide, and maintain buildings, workspace, utilities, hardware, software, and supporting services to achieve product requirement conformity. (§ 6.3 ¶ 1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Recovery facility buildings should be periodically inspected and the inspection should include entrances and exits; the areas that immediately surround the perimeter; perimeter fences and/or walls; unused side entrances; and goods lifts. Service providers should continuously ensure that physical fac… (§ 6.4.3.3, § 6.14.1, § 6.14.2, § 6.14.3, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Management must determine the container, space, and other security needs, based on the local circumstances, for the individual facilities to meet or exceed the minimum protection requirements for the CMS Level 3 – High Sensitivity security designation. (CSR 2.2.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • All facilities eligible to possess classified material must be granted a Facility Clearance. If the organization consists of multiple sites, the home office must have a Facility Clearance at the same level or higher than any of the satellite facilities. (§ 2-100, § 2-108, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Policies and procedures shall be implemented to document all repairs and modifications to security-related physical components of a facility, such as walls, doors, and locks. The covered entity shall assess these policies and procedures to determine if it is a reasonable and appropriate safeguard in… (§ 164.310(a)(2)(iv), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Procedures for appropriate site maintenance. (App A Objective 14:1d Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management periodically reviews individual sites providing retail EFT/POS and bankcard services to ensure policies, procedures, security measures, and equipment maintenance requirements are appropriate. (App A Tier 2 Objectives and Procedures A.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • § 4.10.1 Bullet 3: Determine which facility, to include data centers, peripheral equipment locations, IT staff offices, and workstations, requires access controls to safeguard ePHI. § 4.10.2 Bullet 2: Establish and maintain policies and procedures to ensure that repairs, upgrades, and/or modificat… (§ 4.10.1 Bullet 3, § 4.10.2 Bullet 2, § 4.10.3 Bullet 3, § 4.10.6 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. (PM-8, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • Each United States airport must establish a Federal Security Manager position to oversee the screening of passengers and property. (§ 103, Aviation and Transportation Security Act, Public Law 107-71, November 2001)