Water detection and damage protection

Status: Live

The organization will protect information systems from water damage resulting from broken plumbing lines or other sources of water leakage through employing water detection devices/systems and ensuring that master shutoff valves are in working order. [UCF ID 00730]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-3, Pg C-4; FFIEC IT Examination Handbook – Operations, July 2004, Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-15; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-15, PE-15(1); The Standard of Good Practice for Information Security, UE6.4.7; Archer Control Table, ATCS-143, ATCS-144, ATCS-146, ATCS-147, ATCS-148, ATCS-150

Sarbanes Oxley Guidance

The organization should have water detection and protection devices installed. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]

Banking and Finance Guidance

All facilities should use raised flooring, should elevate wiring and servers above the floor to limit or prevent water damage, and should have water detectors installed. Critical records and equipment should be located on upper floors to limit the possibility of water damage. [Pg C-3, Pg C-4, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should install water detectors under raised flooring and should consider installing floor drains. Waterproof covers should be available to cover equipment in the event of a water leak. [Pg 19, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

For Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

NIST Guidance

The organization should protect information systems from water damage resulting from broken plumbing lines or other sources of water leakage by ensuring that master shutoff valves are accessible, working properly, and known to key personnel.
PE-5(1) suggests that for high impact systems the organization employ automated mechanisms to automatically close shutoff valves in the event of a significant water leak.
[PE-15, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records, documents, and the facility should be examined to ensure a master shutoff valve for the water pipes is present and working properly; personnel know where the master shutoff valve is located; automated mechanisms are used to close the shutoff valve automatically when a major leak is occurring; and specific responsibilities and actions are defined for the implementation of the water damage protection control. Any problems discovered during the implementation of the water damage protection control should be documented and used to improve the controls.
Interviews should be conducted with personnel who work in the facility to see if they know the location of the water shutoff valve and with personnel who maintain the automatic mechanism for shutting the valve to ensure it is functioning correctly.
[PE-15, PE-15(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

General Guidance

A flood warning system should be installed to protect the end user environment from water damage. [UE6.4.7, The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.