UCF ID: 00712 |
Control Type: Process or Activity |
Status: Live |
Supporting and supported controls
This control directly supports:
- • Establish and maintain a process to maintain the facilities. [UCF Control ID 00710]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-1; FFIEC IT Examination Handbook – Information Security, Pg 53; FFIEC IT Examination Handbook – Operations, July 2004, Pg 21; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-11; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-613.c; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-18(1); CobiT, Version 4.1, DS12.1; The Standard of Good Practice for Information Security, CI2.8.5; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.1.3; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.1.3; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.4.3, § 6.4.12, § 6.12.7, § 6.12.8
Banking and Finance Guidance
The organization should not publicize the locations of data centers or make them conspicuous. [Pg C-1, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The location of the data center should not be identified or labeled. [Pg 53, FFIEC IT Examination Handbook – Information Security]
The computer center should not be identified as a computer center. [Pg 21, FFIEC IT Examination Handbook – Operations, July 2004]
US Federal Security Guidance
Certain factors should be considered when selecting a site for a secure operating center: Buildings should be made of noncombustible materials; windows should be kept to a minimum on the ground floor; windows on the ground floor should be protected with grills, screens, or other material; the computer room should be in the center of the building; doors to the computer room should have a 1.5 hour fire rating, be made of metal or solid wood core, have hinges mounted on the inside of the door, and be equipped to permit rapid opening in the event of an emergency; the environment above, below, and next to the facility; and locations subject to flooding, such as below ground level installations, will require special design features. [§ 2-11, Army Regulation 380-19: Information Systems Security, February 27, 1998]
The security structure must maintain a domain of its own to protect itself from tampering and external interference. [§ 8-613.c, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
NIST Guidance
The organization should plan the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. [App F § PE-18(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
ISO Guidance
Offices, rooms, and facilities should have physical security guidelines. No obvious signs should be displayed, inside or outside, identifying the purpose of the building or identifying the presence of information processing activities. The public should not have access to directories or internal phone books identifying the locations of sensitive information. [§ 9.1.3, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
Offices, rooms, and facilities should have physical security guidelines. No obvious signs should be displayed, inside or outside, identifying the purpose of the building or identifying the presence of information processing activities. The public should not have access to directories or internal phone books identifying the locations of sensitive information. [§ 9.1.3, ISO/IEC 27002 Code of practice for information security management, 2005]
Buildings that house recovery sites should be planned, designed, and built with security in mind. Non-dedicated buildings should implement and maintain appropriate controls to mitigate any associated security risks. Only relevant authorized personnel should have access to facility maps, telephone directories, and other documents that can identify or associate sensitive information processing facilities. Areas that house restricted facilities should not be marked as to their use. These areas should be located away from public areas; be unobtrusive from outside the building perimeter; include protection design considerations; use special grade glass that is not easily breakable or equipped with glass breaking detectors, if the glass is accessible from outside the building; have a load rating for all supporting structures with potential future load considerations in mind; placed so the equipment is not under undue concentration of heat in certain parts of the areas; and be designed with current and future requirements in mind. Areas that house restricted facilities should not be located in basement areas that are susceptible to flooding; in areas immediately below flat roofs that are susceptible to water seepage; ground floor areas facing public traffic zones that are subject to attacks, vandalism, and force majeure; and areas close to other areas used to handle or store hazardous materials. [§ 6.4.3, § 6.4.12, § 6.12.7, § 6.12.8, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
General Guidance
The organization should define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, while considering relevant laws and regulations, such as occupational health and safety regulations. [DS12.1, CobiT, Version 4.1]
Details about critical facilities should be kept confidential. [CI2.8.5, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.