The organization will develop, disseminate, and review: 1) a formal process to maintain adequate environmental controls that address purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the process. [UCF ID 00724]
Supporting and supported controls
This control directly supports:
• Physical and environmental protection [UCF Common Control ID 00709]
This control has the following supporting controls:
• Uninterruptible Power Supplies (UPS) and secondary power [UCF Common Control ID 00725]
• Duplicate telecom feeds [UCF Common Control ID 00726]
• HVAC equipment for temperature and humidity controls [UCF Common Control ID 00727]
• Extreme heat and smoke detection [UCF Common Control ID 00728]
• Fire suppression systems [UCF Common Control ID 00729]
• Water detection and damage protection [UCF Common Control ID 00730]
• Power equipment and cabling protection [UCF Common Control ID 01438]
• Emergency power shutoff [UCF Common Control ID 01439]
• Emergency lighting [UCF Common Control ID 01440]
• Placement of information system components [UCF Common Control ID 01623]
Authority documents complied with:
• Safety and Soundness Standards, Appendix of OCC 12 CFR 30 App B-III.C.1.h
• FFIEC IT Examination Handbook – Information Security Pg 53, Pg 54, Exam Tier II Obj E.4
• FFIEC IT Examination Handbook – Business Continuity Planning Pg C-3, Pg C-4, Exam Tier II Obj 1.3
• FFIEC IT Examination Handbook – Operations Pg 17-19, Exam Tier I Obj 5.1, Exam Tier I Obj 7.1
• CobiT 4.1 DS12.4
• The Standard of Good Practice for Information Security CI2.6.2(a), CI2.6.2(c), NW3.4.2(a)
• SYSTEM SECURITY PLANS (SSP) METHODOLOGY Appendix A, § 3.2
• ISO 17799:2000, Code of Practice for Information Security Management § 7.2.1
• ISO 17799:2005 Code of Practice for Information Security Management § 9.2.1
• ISO 27001:2005, Information Security Management Systems - Requirements § A.9.1.4
• ISO/IEC 15408-2:2005 Common Criteria for Information Technology Security Evaluation Part 2 § 15.7, J.7
• ISO/IEC 27002-2005 Code of practice for information security management § 9.2.1
• Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.10.2-5
• AICPA/CICA Privacy Framework § 8.2.4
• AICPA Suitable Trust Services Criteria ¶ .20 § 3.1, ¶ .24 § 3.17
Sarbanes Oxley Guidance
§ 8.2.4 of AICPA/CICA Privacy Framework states that the organization should implement procedures to protect personal information from natural disasters and environmental hazards.
¶ .20 § 3.1, ¶ .24 § 3.17 of AICPA Suitable Trust Services Criteria states that the organization should have procedures in place to protect the system from environmental risks that may interfere with system availability.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Business Continuity Planning Pg C-3, Pg C-4, Exam Tier II Obj 1.3 states that the facility should be made of fire-resistant materials and grounded correctly to protect against electrical hazards. If the facility is located in an area where natural hazards occur, such as earthquakes or tornadoes, responses to these scenarios should be included in the continuity plan.
Healthcare and Life Science Guidance
Appendix A, § 3.2 of The CMS Systems Security Plan Methodology calls for the documentation of environmental controls, such as fire safety factors, failure of supporting utilities, water sensors, structural collapse, plumbing, raised floor access, and emergency exits.
US Federal Security Guidance
FISCAM SC-2.2 says that environmental controls prevent or mitigate potential damage to facilities and interruptions in service. Examples of environmental controls include:
• fire extinguishers and fire suppression systems;
• fire alarms;
• smoke detectors;
• water detectors;
• redundancy in air cooling systems;
• backup power supplies;
• existence of shut-off valves and procedures for any building plumbing lines that may endanger processing facilities;
• processing facilities built with fire-resistant materials and designed to reduce the spread of fire; and
• policies prohibiting eating, drinking, and smoking within computer facilities.
Environmental controls can diminish the losses from some interruptions such as fires or prevent incidents by detecting potential problems early, such as water leaks or smoke, so that they can be remedied. Also, uninterruptible or backup power supplies can carry a facility through a short power outage or provide time to back up data and perform orderly shut-down procedures during extended power outages.
National Strategy to Secure Cyberspace I.A.4(a) requires that the organization create processes to coordinate the voluntary development of national public-private continuity and contingency plans.
NIST Guidance
NIST 800-14 addresses the need for environmental controls by listing the hazards and their accompanying dangers, but does not detail specific measures for mitigating them.
NIST 800-53 calls for agencies to employ and maintain emergency power solutions, fire suppression and detection systems, temperature and humidity controls, and water detection systems. The standard also calls for personnel to be trained in environmental controls, for the controls to be tested, and for test records to be retained. NIST also calls for organizations to employ and maintain a master power or emergency cut-off switch at critical locations such as data centers, server rooms, and mainframe rooms.
International Standards Organization Guidance
ISO 17799:2000 § 7.2.1 says equipment should be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. The following controls should be considered.
a) Equipment should be sited to minimize unnecessary access into work areas.
b) Information processing and storage facilities handling sensitive data should be positioned to reduce the risk of overlooking during their use.
c) Items requiring special protection should be isolated to reduce the general level of protection required.
d) Controls should be adopted to minimize the risk of potential threats including:
1) theft;
2) fire;
3) explosives;
4) smoke;
5) water (or supply failure);
6) dust;
7) vibration;
8) chemical effects;
9) electrical supply interference;
10) electromagnetic radiation.
e) An organization should consider its policy towards eating, drinking and smoking in proximity to information processing facilities.
f) Environmental conditions should be monitored for conditions which could adversely affect the operation of information processing facilities.
g) The use of special protection methods, such as keyboard membranes, should be considered for equipment in industrial environments.
h) The impact of a disaster happening in nearby premises, e.g. a fire in a neighboring building, water leaking from the roof or in floors below ground level, or an explosion in the street, should be considered.
The ISO/IEC 27002-2005 Code of practice for information security management § 9.2.1 states that controls should be in place to reduce the likelihood of environmental threats. All buildings should have lightning protection measures.
The ISO/IEC 15408-2:2005 Common Criteria for Information Technology Security Evaluation Part 2 § 15.7, J.7 states that changing the environmental controls is an example of physical tampering. The system should have the capability to detect and determine whether physical tampering has occurred. The system should be able to monitor specified devices and elements and notify a specified user when physical tampering has occurred. The system should be able to resist physical tampering by responding automatically, such as by disabling the device so that the sensitive information cannot be obtained.
The ISO 27001:2005 Information Security Management Systems - Requirements § A.9.1.4 states that the organization should have procedures in place for the physical protection of the facilities in case of a natural or manmade disaster.
The ISO 17799:2005 Code of Practice for Information Security Management § 9.2.1 states that controls should be in place to reduce the likelihood of environmental threats. All buildings should have lightning protection measures.
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of critical assets that have been reviewed from the perspective of environmental risks [UCF Common Control ID 02066]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
