Install uninterruptible power supplies (UPSs) and secondary power supplies on all key systems.

UCF ID: 00725
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-6, Exam Tier II Obj 1.3; FFIEC IT Examination Handbook – Operations, July 2004, Pg 17, Pg 18, Exam Tier II Obj D.1; Protection of Assets Manual, ASIS International, Pg 6-I-20 thru Pg 6-I-23, Pg 19-IV-6; C-TPAT Supply Chain Security Best Practices Catalog, Pg 47; DOT Physical Security Survey Checklist, Protective Lighting, Protective Alarms; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-11, App F § PE-11(1), App F § PE-11(2); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-11, PE-11(1), PE-11(2); The Standard of Good Practice for Information Security, CB4.2.4, CB4.2.5, CI2.7.2, CI2.7.3, NW3.4.2(b), NW5.2.1(c), NW5.2.2(e), UE6.4.8, UE6.4.9; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.2.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.9.2.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.2.2; DoD Instruction 8500.2 Information Assurance (IA) Implementation, COPS-1; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.8.1, § 6.8.2, § 6.8.3, § 6.8.4; PAS 77 IT Service Continuity Management. Code of Practice, 2006, Annex E.2.1; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(6), ¶ 10.3.8

Banking and Finance Guidance

An alternate power supply, such as an uninterruptible power supply (UPS), should be installed at all facilities. The UPS should have enough capacity to shut down the system in an orderly manner. If systems need continuous power supplies, the organization should implement power generators. [Pg C-6, Exam Tier II Obj 1.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

All computing equipment should have a continuous power supply. The equipment should be wired to automatically switch power sources if the main power source is disrupted. When an uninterruptible power supply (UPS) is used, it should be configured to provide enough power until the back-up generator takes over or provide enough power for an orderly shutdown. [Pg 17, Pg 18, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

The organization will use Uninterruptible Power Supplies (UPS) for power surges or failures. [Pg 47, C-TPAT Supply Chain Security Best Practices Catalog]

The lighting system and alarm system should have a secondary power supply that is protected and starts automatically when the power fails. [Protective Lighting, Protective Alarms, DOT Physical Security Survey Checklist]

The document calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

Electrical power is restored to key IT assets by manually activated power generators upon loss of electrical power from the primary source. [COPS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

NIST Guidance

App F § PE-11 The organization must establish and maintain emergency power policies and procedures to provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
App F § PE-11(1) The organization should provide a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
App F § PE-11(2) The organization should provide a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation. [App F § PE-11, App F § PE-11(1), App F § PE-11(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records, documents, and the facility should be examined to ensure an Uninterruptible Power Supply (UPS) has been installed to provide for the shutting down of the system when power is lost; tests have been performed on the UPS to ensure it functions; a secondary power system is available for long-term power failures to meet the minimum operational capabilities; the secondary power source is self-contained and not reliant on external power generation; tests are accomplished on the secondary power source; and specific responsibilities and actions are defined for the implementation of the emergency power control. Any problems discovered during the implementation of the emergency power control should be documented and used to improve the controls.
Interviews should be conducted with personnel who maintain the Uninterruptible Power Supply (UPS) and secondary power supply and with personnel who test the alternate power supplies. [PE-11, PE-11(1), PE-11(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

To protect the equipment from power failures, an uninterruptible power supply (UPS) should be used to provide enough power to shut down the system in an orderly fashion. [§ 9.2.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

All information processing systems and equipment should have an Uninterruptible Power Supply (UPS) installed to prevent potential damage from a power failure. [Annex A.9.2.2, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

To protect the equipment from power failures, an uninterruptible power supply (UPS) should be used to provide enough power to shut down the system in an orderly fashion. [§ 9.2.2, ISO/IEC 27002 Code of practice for information security management, 2005]

Service providers should ensure procedures and policies have been implemented to provide an adequate supply of electrical power is always available. Procedures should be implemented to ensure the power supply meets the minimum redundancy, reliability, security, and quality standards, including monitoring the incoming power supply and resolving outstanding problems. Power supply single points of failure should be minimized by having an alternate power source when failure occurs, including generators and Uninterruptible Power Supply (UPS) facilities and equipment. If possible, service providers should have the incoming power supply to the recovery site from independent, different, and non-shared facilities and lines. Procedures should be developed and the necessary facilities installed to isolate and protect all equipment operating in the premise against damage due to power increases and/or surges, lightning, or other unforeseen circumstances. The power failure types that protection is needed for include blackouts, brownouts, spikes, and surges. Consideration also should be given to potential electrical noise and its impact on sensitive equipment. [§ 6.8.1, § 6.8.2, § 6.8.3, § 6.8.4, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

¶ 8.1.7(6) Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
6. Power and Air-conditioning
All IT equipment should be protected from power failures, if necessary. A suitable power supply should be provided, and an uninterruptible power supply should be introduced, if necessary. Another aim of protection should be to ensure admissible temperature and humidity.
¶ 10.3.8 Supply failure (power, air conditioning). An organization should implement safeguards to prevent supply failures, which can cause integrity problems, if, because of them, other failures are caused. For example, supply failures can lead to hardware failures, technical failures or to problems with storage media. Safeguards against supply failures are listed below.
• Power and air conditioning: Suitable power supply and air conditioning related safeguards, e.g. power surge protection, should be used where necessary to avoid any problems resulting from supply failure.
• Back-ups: Back-ups should be used to restore any information that has been damaged. [¶ 8.1.7(6), ¶ 10.3.8, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

General Guidance

The organization should have Uninterruptible Power Supplies (UPS) and secondary sources of power to protect the system against a power failure. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]

Security systems should have an emergency power system to ensure a continuous power supply. A standby emergency power source (usually a power generator) is the most effective method of providing power in the event of an outage. An Uninterruptible Power Supply (UPS) provides continuous power to the system, even when normal power is available. Lighting for highly sensitive areas and safety areas should have a back-up power supply. [Pg 6-I-20 thru Pg 6-I-23, Pg 19-IV-6, Protection of Assets Manual, ASIS International]

Critical computer equipment and telephone exchanges should be protected by an Uninterruptible Power Supply (UPS). Another source of power, such as a generator, should be available in case of an extended power outage. All UPSes should be tested regularly and serviced in accordance with manufacturer recommendations. [CB4.2.4, CB4.2.5, CI2.7.2, CI2.7.3, NW3.4.2(b), NW5.2.1(c), NW5.2.2(e), UE6.4.8, UE6.4.9, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

The data center should have some form of backup uninterruptible power supply (UPS). It should be sized according to the number of systems it will need to support and how long it needs to keep the systems running after a power failure. [Annex E.2.1, PAS 77 IT Service Continuity Management. Code of Practice, 2006]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.