UCF ID: 00729
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain adequate environmental controls and processes. [UCF Control ID 00724]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-3; FFIEC IT Examination Handbook – Operations, July 2004, Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1; Protection of Assets Manual, ASIS International, Pg 14-II-14, Pg 36-I-7, Revised Volume 4 Pg 1-I-9; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-13, App F § PE-13(1), App F § PE-13(2); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-13, PE-13(1), PE-13(2); The Standard of Good Practice for Information Security, CI2.6.2(b), CI2.6.4(a), CI2.6.4(b), UE6.4.7; DoD Instruction 8500.2 Information Assurance (IA) Implementation, PEFS-1; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.10; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(2)
Banking and Finance Guidance
All facilities should be equipped with a fire suppression system, and handheld extinguishers should be in clearly marked locations that are easily accessible. [Pg C-3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should install fire suppression systems in all facilities. The fire suppression systems should allow personnel time to shut down computer systems and cover the equipment before activating. [Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]
US Federal Security Guidance
For Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
Handheld fire extinguishers or fixed fire hoses are available should an alarm be sounded or a fire be detected. [PEFS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
NIST Guidance
App F § PE-13 The organization must implement and maintain fire suppression and detection devices/systems for the information system that have an independent power source.
App F § PE-13(1) The organization should implement and maintain fire suppression and detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.
App F § PE-13(2) The organization should implement and maintain fire suppression and detection devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders. [App F § PE-13, App F § PE-13(1), App F § PE-13(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records, documents, and the facility should be examined to ensure fire detection and suppression systems are installed; the fire detection and suppression systems are automatically activated during a fire; tests have been performed on the fire detection and suppression system; emergency responders are automatically notified when the fire suppression and detection equipment is activated; and specific responsibilities and actions are defined for the implementation of the fire protection control. Any problems discovered during the implementation of the fire protection control should be documented and used to improve the controls.
Interviews should be conducted with personnel who maintain and test the fire detection and suppression system and with personnel who should be notified when the fire detection and suppression system is activated. [PE-13, PE-13(1), PE-13(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Appropriate fire detection and suppression systems should be implemented to protect personnel and computing equipment. The system capacity should be in proportion to the area size and the required protection level. Fire and safety regulations and requirements should be complied with.

Fire escape routes should be planned, documented, and communicated to all staff members, and the routes should be clearly marked with illuminated exit signs and not be obstructed. Fire exit doors should not be able to be opened from the outside, but should not be locked from the inside. All staff members should be briefed on fire escape routes when they arrive at the recovery site for disaster recovery testing or a plan activation.

Procedures and plans should be developed to deal with fire and smoke outbreaks, including procedures for different fire and smoke scenarios, evacuation plans for the different parts of the site, assembly areas, details on how to notify emergency services, reporting and the chain of command, procedures for shortcomings uncovered by tests, and procedures to deal with personnel who do not comply. Evacuation drills should be conducted periodically to test different aspects of these plans and procedures. Water supply points should be clearly marked.

Service providers should ensure that hand-held fire extinguishers are located in all areas that require protection; that hand-held fire extinguishers can be easily reached, taken down, and activated; that staff and long-term on-site contractors are trained on how to use hand-held fire extinguishers; that the appropriate type of fire extinguisher is selected for the type of equipment located in the area; that the fire extinguishers are clearly visible and signposted so they can be found; and that the fire extinguishers are properly maintained. [§ 6.10, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
2. Fire Protection
Equipment and surrounding areas, including access to them, should be protected against the spread of fire from elsewhere in the building or adjacent buildings. Fire hazards in the vicinity of rooms/areas containing equipment should be minimized. There also should be protection against fires starting within and/or affecting all rooms/areas containing key equipment. Safeguards should include fire and smoke detection, alarms and suppression. Care should be taken that the fire protection does not lead to damage of IT systems from water or other extinguishing means. [¶ 8.1.7(2), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
General Guidance
The organization should have fire suppression systems installed. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]
Fire prevention and suppression systems should be considered when designing a parking structure. See the National Fire Protection Association guidelines for the fire protection requirements appropriate to the size of the aircraft hangars in use. High-rise structures should have automatic sprinkler systems installed for fire protection. [Pg 14-II-14, Pg 36-I-7, Revised Volume 4 Pg 1-I-9, Protection of Assets Manual, ASIS International]
All rooms housing critical IT equipment should have fire detection and suppression systems installed. Fire extinguishers should be installed in all rooms, and all personnel should be trained on how to use this equipment. [CI2.6.2(b), CI2.6.4(a), CI2.6.4(b), UE6.4.7, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
