UCF ID: 00728
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain adequate environmental controls and processes. [UCF Control ID 00724]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-3; FFIEC IT Examination Handbook – Operations, July 2004, Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Federal Information System Controls Audit Manual (FISCAM), February 2009, SC-2.2; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-13; The Standard of Good Practice for Information Security, CI2.6.3; DoD Instruction 8500.2 Information Assurance (IA) Implementation, PEFD-1; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.12.4
Banking and Finance Guidance
All facilities should have smoke and heat detectors in the ceilings, under raised flooring, and in exhaust ducts. [Pg C-3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should install heat and smoke detectors on the ceiling, in exhaust ducts, and under raised flooring. [Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]
US Federal Security Guidance
For Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
For Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [SC-2.2, Federal Information System Controls Audit Manual (FISCAM), February 2009]
Battery-operated or electric stand-alone smoke detectors are installed in the facility. [PEFD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
NIST Guidance
The organization must implement and maintain fire suppression and detection devices/systems for the information system that have an independent power source. [App F § PE-13, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
ISO Guidance
Service providers should ensure sufficient fire breaks have been installed to prevent heat radiation, fire, smoke, and fumes from spreading. Separate fire and smoke protection zones may need to be developed for different parts of the recovery site. [§ 6.12.4, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
General Guidance
The organization should have heat and smoke detectors installed. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]
All facilities should have fire alarms that are tested regularly and maintained in accordance with the manufacturer's recommendations. [CI2.6.3, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
