Fire suppression systems

Status: Live

The organization will maintain fire suppression systems that can be activated in the event of a fire. [UCF ID 00729]

Supporting and supported controls

This control directly supports:

Maintain adequate environmental controls [UCF Control ID 00724]

There are no supporting controls.

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-3; FFIEC IT Examination Handbook – Operations, July 2004, Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1; Protection of Assets Manual, ASIS International, Pg 14-II-14, Pg 36-I-7, Revised Volume 4 Pg 1-I-9; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-13; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-13, PE-13(1), PE-13(2); The Standard of Good Practice for Information Security, CI2.6.2(b), CI2.6.4(a), CI2.6.4(b), UE6.4.7; Archer Control Table, ATCS-130, ATCS-131, ATCS-132, ATCS-135, ATCS-773

Sarbanes Oxley Guidance

The organization should have fire suppression systems installed. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]

Banking and Finance Guidance

All facilities should be equipped with a fire suppression system, and handheld extinguishers should be in clearly marked locations that are easily accessible. [Pg C-3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should install fire suppression systems in all facilities. The fire suppression systems should allow personnel time to shut down computer systems and cover the equipment before activating. [Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

Fire prevention and suppression systems should be considered when designing a parking structure. See the National Fire Protection Association guidelines for the requirements for fire protection for the size of aircraft hangars being used. High-rise structures should have automatic sprinkler systems installed for fire protection. [Pg 14-II-14, Pg 36-I-7, Revised Volume 4 Pg 1-I-9, Protection of Assets Manual, ASIS International]

For Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

NIST Guidance

Fire suppression devices/systems include, but are not limited to, sprinkler systems, handheld fire extinguishers, and fixed fire hoses.
PE-13(1) suggests that for medium impact systems the fire suppression devices/systems activate automatically in the event of a fire.
PE-13(2) suggests that for high impact systems the fire suppression and detection devices/systems provide automatic notification of any activation to the organization and emergency responders. [PE-13, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records, documents, and the facility should be examined to ensure fire detection and suppression systems are installed; the fire detection and suppression systems are automatically activated during a fire; tests have been performed on the fire detection and suppression system; emergency responders are automatically notified when the fire suppression and detection equipment is activated; and specific responsibilities and actions are defined for the implementation of the fire protection control. Any problems discovered during the implementation of the fire protection control should be documented and used to improve the controls.
Interviews should be conducted with personnel who maintain and test the fire detection and suppression system and with personnel who should be notified when the fire detection and suppression system is activated. [PE-13, PE-13(1), PE-13(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

General Guidance

All rooms housing critical IT equipment should have fire detection and suppression systems installed. Fire extinguishers should be installed in all rooms, and all personnel should be trained on how to use this equipment. [CI2.6.2(b), CI2.6.4(a), CI2.6.4(b), UE6.4.7, The Standard of Good Practice for Information Security]