The organization will maintain fire suppression systems that can be activated in the event of a fire. [UCF ID 00729]
Supporting and supported controls
This control directly supports:
• Maintain adequate environmental controls [UCF Control ID 00724]
This control has the following supporting controls:
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning Pg C-3; FFIEC IT Examination Handbook – Operations Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1; The Standard of Good Practice for Information Security CI2.6.2(b), CI2.6.4(a), CI2.6.4(b), UE6.4.7; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 PE-13; Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § PE-13, PE-13(1), PE-13(2); AICPA Suitable Trust Services Criteria ¶ .20 § 3.1, ¶ .24 § 3.17; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems § 3
Sarbanes Oxley Guidance
¶ .20 § 3.1, ¶ .24 § 3.17 of AICPA Suitable Trust Services Criteria states that the organization should have fire suppression systems installed.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Business Continuity Planning Pg C-3 states that all facilities should be equipped with a fire suppression system, and handheld extinguishers should be in clearly marked locations that are easily accessible.
US Federal Security Guidance
FIPS Publication 200, § 3 Specifications for Minimum Security Requirements calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
NIST Guidance
NIST 800-53, PE-13 states that fire suppression devices/systems include, but are not limited to, sprinkler systems, handheld fire extinguishers, and fixed fire hoses.
For medium impact systems, PE-13(1) suggests the fire suppression devices/systems activate automatically in the event of a fire.
For high impact systems, PE-13(2) suggests the fire suppression and detection devices/systems provide automatic notification of any activation to the organization and emergency responders.