UCF ID: 00730
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain adequate environmental controls and processes. [UCF Control ID 00724]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-3, Pg C-4; FFIEC IT Examination Handbook – Operations, July 2004, Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-15, App F § PE-15(1); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-15, PE-15(1); The Standard of Good Practice for Information Security, UE6.4.7; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(3)
Banking and Finance Guidance
All facilities should use raised flooring, should elevate wiring and servers above the floor to limit or prevent water damage, and should have water detectors installed. Critical records and equipment should be located on upper floors to limit the possibility of water damage. [Pg C-3, Pg C-4, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should install water detectors under raised flooring and possibly floor drains. Waterproof covers should be available to cover equipment in the event of a water leak. [Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]
US Federal Security Guidance
For Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
NIST Guidance
App F § PE-15 The organization must establish and maintain water damage protection policies and procedures to protect the information system from water damage resulting from water leakage by ensuring that master shutoff valves are accessible, working properly, and known to key personnel.
App F § PE-15(1) The organization should provide automated mechanisms to close shutoff valves in the event of a significant water leak. [App F § PE-15, App F § PE-15(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records, documents, and the facility should be examined to ensure a master shutoff valve for the water pipes is present and working properly; personnel know where the master shutoff valve is located; automated mechanisms are used to close the shutoff valve automatically when a major leak is occurring; and specific responsibilities and actions are defined for the implementation of the water damage protection control. Any problems discovered during the implementation of the water damage protection control should be documented and used to improve the controls.
Interviews should be conducted with personnel who work in the facility to see if they know the location of the water shutoff valve and with personnel who maintain the automatic mechanism for shutting the valve to ensure it is functioning correctly. [PE-15, PE-15(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
3. Water/Liquid Protection
Essential facilities should not be sited in any area where serious flooding or water, or other liquid, leakage is likely to occur. Appropriate protection should be provided where a significant threat of flooding exists. [¶ 8.1.7(3), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
General Guidance
The organization should have water detection and protection devices installed. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]
A flood warning system should be installed to protect the end user environment from water damage. [UE6.4.7, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
