Status: Live
The organization will develop, disseminate, and review: 1) a formal process to maintain adequate environmental controls that address purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the process. [UCF ID 00724]
Supporting and supported controls
This control directly supports:
• Physical and environmental protection [UCF Control ID 00709]
This control has the following supporting controls:
• Uninterruptible Power Supplies (UPS) and secondary power [UCF Control ID 00725]
• Duplicate telecom feeds [UCF Control ID 00726]
• HVAC equipment for temperature and humidity controls [UCF Control ID 00727]
• Extreme heat and smoke detection [UCF Control ID 00728]
• Fire suppression systems [UCF Control ID 00729]
• Water detection and damage protection [UCF Control ID 00730]
• Power equipment and cabling protection [UCF Control ID 01438]
• Emergency power shutoff [UCF Control ID 01439]
• Emergency lighting [UCF Control ID 01440]
• Placement of information system components [UCF Control ID 01623]
• Protect air intakes to the facility [UCF Control ID 02211]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 8.2.4; AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.C.1.h; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-3, Pg C-4, Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – Information Security, Pg 53, Pg 54, Exam Tier II Obj E.4; FFIEC IT Examination Handbook – Operations, July 2004, Pg 17 thru Pg 19, Exam Tier I Obj 5.1, Exam Tier I Obj 7.1; System Security Plan (SSP) Procedure, Version 1.0, App A § 3.2; Protection of Assets Manual, ASIS International, Pg 5-I-6; Federal Information System Controls Audit Manual (FISCAM), February 2009, SC-2.2; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.10.2 thru § 3.10.5; CobiT 4.1, DS12.4; The Standard of Good Practice for Information Security, CI2.6.2(a), CI2.6.2(c), NW3.4.2(a); ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 15.7, § J.7; ISO 17799:2005 Code of Practice for Information Security Management, § 9.2.1; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.9.1.4; ISO/IEC 27002-2005 Code of practice for information security management, § 9.2.1; Archer Control Table, ATCS-039, ATCS-043, ATCS-120, ATCS-133, ATCS-134, ATCS-135, ATCS-142, ATCS-158, ATCS-159, ATCS-504, ATCS-761, ATCS-773, ATCS-823
Sarbanes Oxley Guidance
The organization should implement procedures to protect personal information from natural disasters and environmental hazards. [ID 8.2.4, AICPA/CICA Privacy Framework]
The organization should have procedures in place to protect the system from environmental risks that may interfere with system availability. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]
Banking and Finance Guidance
The facility should be made of fire-resistant materials and grounded correctly to protect against electrical hazards. If the facility is located in an area where natural hazards occur, such as earthquakes or tornadoes, responses to these scenarios should be included in the continuity plan. [App B § III.C.1.h, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]
The facility should be made of fire-resistant materials and grounded correctly to protect against electrical hazards. If the facility is located in an area where natural hazards occur, such as earthquakes or tornadoes, responses to these scenarios should be included in the continuity plan. [Pg C-3, Pg C-4, Exam Tier II Obj 1.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
Heat sensors, raised flooring, HALON gas, and smoke alarms are some devices the organization should use to reduce the risks of environmental threats. The devices should be periodically tested to ensure they are functioning correctly. The organization should implement a policy to protect equipment from ordinary contaminants, such as food, liquid, and smoke. [Pg 53, Pg 54, Exam Tier II Obj E.4, FFIEC IT Examination Handbook – Information Security]
Management should monitor and implement environmental controls to help reduce disruptions to daily operations. [Pg 17 thru Pg 19, Exam Tier I Obj 5.1, Exam Tier I Obj 7.1, FFIEC IT Examination Handbook – Operations, July 2004]
Healthcare and Life Science Guidance
Calls for the documentation of environmental controls, such as fire safety factors, failure of supporting utilities, water sensors, structural collapse, plumbing, raised floor access, and emergency exits. [App A § 3.2, System Security Plan (SSP) Procedure, Version 1.0]
US Federal Security Guidance
States that sensors should be designed to initiate alarms when the event being monitored for occurs, electrical power is lost, the device short circuits or grounds, the sensor fails, or the sensor's control panel is tampered with. Indoor units should operate from 32 degrees Fahrenheit to 120 degrees Fahrenheit, and outdoor units should operate from minus 30 degrees Fahrenheit to 150 degrees Fahrenheit. All sensors should operate at 90 degrees Fahrenheit and 95 percent relative humidity.
States that the calculation for this metric should be stated as the . [Pg 5-I-6, Protection of Assets Manual, ASIS International]
Says that environmental controls prevent or mitigate potential damage to facilities and interruptions in service. Examples of environmental controls include:
• fire extinguishers and fire suppression systems;
• fire alarms;
• smoke detectors;
• water detectors;
• redundancy in air cooling systems;
• backup power supplies;
• existence of shutoff valves and procedures for any building plumbing lines that may endanger processing facilities;
• processing facilities built with fire-resistant materials and designed to reduce the spread of fire; and
• policies prohibiting eating, drinking, and smoking within computer facilities.
Environmental controls can diminish the losses from some interruptions such as fires or prevent incidents by detecting potential problems early, such as water leaks or smoke, so that they can be remedied. Also, uninterruptible or backup power supplies can carry a facility through a short power outage or provide time to back up data and perform orderly shutdown procedures during extended power outages. [SC-2.2, Federal Information System Controls Audit Manual (FISCAM), February 2009]
NIST Guidance
Addresses the need for environmental controls by listing the hazards and their accompanying dangers, but does not detail specific measures for mitigating them. [§ 3.10.2 thru § 3.10.5, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
ISO Guidance
Changing the environmental controls is an example of physical tampering. The system should have the capability to detect and determine if physical tampering has occurred. The system should be able to monitor specified devices and elements and notify a specified user when physical tampering has occurred. The system should be able to resist physical tampering by responding automatically, such as by disabling the device so the sensitive information cannot be obtained. [§ 15.7, § J.7, ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
Controls should be in place to reduce the likelihood of environmental threats. All buildings should have lightning protection measures. [§ 9.2.1, ISO 17799:2005 Code of Practice for Information Security Management]
The organization should have procedures in place for the physical protection of the facilities in case of a natural or manmade disaster. [Annex A.9.1.4, ISO 27001:2005, Information Security Management Systems - Requirements]
Controls should be in place to reduce the likelihood of environmental threats. All buildings should have lightning protection measures. [§ 9.2.1, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The organization should design and implement measures for protection against environmental factors. Specialized equipment and devices to monitor and control the environment should be installed. [DS12.4, CobiT 4.1]
Computer installations and networks should be protected against environmental hazards by keeping the facility clear of fire and flood hazards and using fire-resistant doors to prevent the spread of a fire. [CI2.6.2(a), CI2.6.2(c), NW3.4.2(a), The Standard of Good Practice for Information Security]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of critical assets that have been reviewed from the perspective of environmental risks [UCF Control ID 02066]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
