Low profile of the IT site

Status: Live

The organization will ensure that the selection and layout of a site take into account the risk associated with natural and man-made disasters, while considering relevant laws and regulations, such as occupational health and safety regulations. [UCF ID 00712]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-1; FFIEC IT Examination Handbook – Information Security, Pg 53; FFIEC IT Examination Handbook – Operations, July 2004, Pg 21; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-11; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-613.c; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-18(1); CobiT 4.1, DS12.1; The Standard of Good Practice for Information Security, CI2.8.5; ISO 17799:2005 Code of Practice for Information Security Management, § 9.1.3; ISO/IEC 27002-2005 Code of practice for information security management, § 9.1.3; Archer Control Table, ATCS-082, ATCS-104, ATCS-571, ATCS-821

Banking and Finance Guidance

The organization should not publicize the locations of data centers or make them conspicuous. [Pg C-1, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The location of the data center should not be identified or labeled. [Pg 53, FFIEC IT Examination Handbook – Information Security]

The computer center should not be identified as a computer center. [Pg 21, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

Certain factors should be considered when selecting a site for a secure operating center: buildings should be made of noncombustible materials; windows should be kept to a minimum on the ground floor, and those that remain should be protected with grills, screens, or other material; the computer room should be in the center of the building; doors to the computer room should have a 1.5 hour fire rating, be made of metal or solid wood core, have hinges mounted on the inside of the door, and be equipped to permit rapid opening in the event of an emergency; the environment above, below, and next to the facility should be assessed; and locations subject to flooding, such as below-ground installations, will require special design features. [§ 2-11, Army Regulation 380-19: Information Systems Security, February 27, 1998]

The security structure must maintain a domain of its own to protect itself from tampering and external interference. [§ 8-613.c, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

NIST Guidance

For high-impact systems, the organization must plan the location or site of the facility where the information system resides with regard to physical and environmental hazards and, for existing facilities, must consider those physical and environmental hazards in its risk mitigation strategy. [PE-18(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

ISO Guidance

Offices, rooms, and facilities should have physical security guidelines. No obvious signs should be displayed, inside or outside, identifying the purpose of the building or identifying the presence of information processing activities. The public should not have access to directories or internal phone books identifying the locations of sensitive information. [§ 9.1.3, ISO 17799:2005 Code of Practice for Information Security Management]

Offices, rooms, and facilities should have physical security guidelines. No obvious signs should be displayed, inside or outside, identifying the purpose of the building or identifying the presence of information processing activities. The public should not have access to directories or internal phone books identifying the locations of sensitive information. [§ 9.1.3, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

The organization should define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, while considering relevant laws and regulations, such as occupational health and safety regulations. [DS12.1, CobiT 4.1]

Details about critical facilities should be kept confidential. [CI2.8.5, The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.