Status: Live
The organization will employ a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss. [UCF ID 00725]
Supporting and supported controls
This control directly supports:
- Maintain adequate environmental controls [UCF Control ID 00724]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-6, Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – Operations, July 2004, Pg 17, Pg 18, Exam Tier II Obj D.1; Protection of Assets Manual, ASIS International, Pg 6-I-20 thru Pg 6-I-23, Pg 19-IV-6; C-TPAT Supply Chain Security Best Practices Catalog, Pg 47; DOT Physical Security Survey Checklist, Protective Lighting, Protective Alarms; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-11; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-11, PE-11(1), PE-11(2); The Standard of Good Practice for Information Security, CB4.2.4, CB4.2.5, CI2.7.2, CI2.7.3, NW3.4.2(b), NW5.2.1(c), NW5.2.2(e), UE6.4.8, UE6.4.9; ISO 17799:2005 Code of Practice for Information Security Management, § 9.2.2; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.9.2.2; ISO/IEC 27002-2005 Code of practice for information security management, § 9.2.2; Archer Control Table, ATCS-101, ATCS-102, ATCS-152, ATCS-153
Sarbanes Oxley Guidance
The organization should have Uninterruptible Power Supplies (UPS) and secondary sources of power to protect the system against a power failure. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]
Banking and Finance Guidance
An alternate power supply, such as an uninterruptible power supply (UPS), should be installed at all facilities. The UPS should have enough capacity to shut down the system in an orderly manner. If systems need continuous power supplies, the organization should implement power generators. [Pg C-6, Exam Tier II Obj 1.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
All computing equipment should have a continuous power supply. The equipment should be wired to automatically switch power sources if the main power source is disrupted. When an uninterruptible power supply (UPS) is used, it should be configured to provide enough power until the back-up generator takes over or provide enough power for an orderly shutdown. [Pg 17, Pg 18, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]
US Federal Security Guidance
Security systems should have an emergency power system to ensure a continuous power supply. A standby emergency power source (usually a power generator) is the most effective method of providing power in the event of an outage. An Uninterruptible Power Supply (UPS) provides continuous power to the system, even when normal power is available. Lighting for highly sensitive areas and safety areas should have a back-up power supply. [Pg 6-I-20 thru Pg 6-I-23, Pg 19-IV-6, Protection of Assets Manual, ASIS International]
The organization will use Uninterruptible Power Supplies (UPS) for power surges or failures. [Pg 47, C-TPAT Supply Chain Security Best Practices Catalog]
The lighting system and alarm system should have a secondary power supply that is protected and starts automatically when the power fails. [Protective Lighting, Protective Alarms, DOT Physical Security Survey Checklist]
The document calls for Physical and Environmental Protection (PE). Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
NIST Guidance
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
PE-11(1) suggests that for high impact systems the organization provide a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
PE-11(2) suggests the organization provide a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation. [PE-11, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records, documents, and the facility should be examined to ensure an Uninterruptible Power Supply (UPS) has been installed to provide for the shutting down of the system when power is lost; tests have been performed on the UPS to ensure it functions; a secondary power system is available for long-term power failures to meet the minimum operational capabilities; the secondary power source is self-contained and not reliant on external power generation; tests are accomplished on the secondary power source; and specific responsibilities and actions are defined for the implementation of the emergency power control. Any problems discovered during the implementation of the emergency power control should be documented and used to improve the controls.
Interviews should be conducted with personnel who maintain the Uninterruptible Power Supply (UPS) and secondary power supply and with personnel who test the alternate power supplies. [PE-11, PE-11(1), PE-11(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
To protect the equipment from power failures, an uninterruptible power supply (UPS) should be used to provide enough power to shut down the system in an orderly fashion. [§ 9.2.2, ISO 17799:2005 Code of Practice for Information Security Management]
All information processing systems and equipment should have an Uninterruptible Power Supply (UPS) installed to prevent potential damage from a power failure. [Annex A.9.2.2, ISO 27001:2005, Information Security Management Systems - Requirements]
To protect the equipment from power failures, an uninterruptible power supply (UPS) should be used to provide enough power to shut down the system in an orderly fashion. [§ 9.2.2, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
Critical computer equipment and telephone exchanges should be protected by an Uninterruptible Power Supply (UPS). Another source of power, such as a generator, should be available in case of an extended power outage. All UPSes should be tested regularly and serviced in accordance with manufacturer recommendations. [CB4.2.4, CB4.2.5, CI2.7.2, CI2.7.3, NW3.4.2(b), NW5.2.1(c), NW5.2.2(e), UE6.4.8, UE6.4.9, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
