Protect power equipment and cabling from damage and/or destruction.

UCF ID: 01438
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-6; FFIEC IT Examination Handbook – Information Security, Pg 55; FFIEC IT Examination Handbook – Operations, July 2004, Pg 18, Exam Tier I Obj 7.1, Exam Tier I Obj 8.2, Exam Tier II Obj D.1; Protection of Assets Manual, ASIS International, Pg 6-I-21, Pg 7-I-16, Pg 15-IV-24, Revised Volume 4 Pg 1-I-23, Revised Volume 4 Pg 1-I-25; DOT Physical Security Survey Checklist, Protective Lighting; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-9; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-9, PE-9(1); The Standard of Good Practice for Information Security, CI2.7.1, NW3.4.3, NW5.2.5; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.2.3; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.9.2.3; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.2.3; DoD Instruction 8500.2 Information Assurance (IA) Implementation, PEVR-1; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.7.4, § 6.9, § 6.12.2.4, § 7.6.8; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(6)(7)

Banking and Finance Guidance

The power entering the computer room should be regulated to prevent power surges. [Pg C-6, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should use surge protectors to protect the equipment from electrical surges and static electricity. Network wiring runs should be protected. [Pg 55, FFIEC IT Examination Handbook – Information Security]

The computing equipment should be protected from power surges by monitoring for power fluctuations. All cables should be physically secured to prevent accidental or malicious cutting or disconnection. [Pg 18, Exam Tier I Obj 7.1, Exam Tier I Obj 8.2, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]
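The FFIEC Operations guidance above asks for power-fluctuation monitoring and for cables to be secured against cutting or disconnection. The following is an added example, not part of the UCF control text or any of the cited authority documents, of the detection logic a site might run over UPS telemetry to satisfy both points: it flags input voltage outside a tolerance window, mains loss (running on battery), low battery, and loss of telemetry for consecutive polls, which is the symptom a cut or unplugged management cable produces. The telemetry format assumed is the `key: value` output of the Network UPS Tools `upsc` command (`input.voltage`, `ups.status`, `battery.charge`); the nominal voltage, tolerance, thresholds and sample polls are constructed assumptions, not site values or captured data.

```python
"""Power-fluctuation and cable-fault detection over UPS telemetry.

Added example, not from the UCF control page. Assumes NUT `upsc`-style
"key: value" records; thresholds and sample polls are constructed.
"""
import math

NOMINAL_VOLTS = 230.0      # assumed site nominal (use 120.0 for NA sites)
TOLERANCE_PCT = 10.0       # assumed site policy: alert outside +/-10 % of nominal
LOW_BATTERY_PCT = 30.0     # assumed site policy
MAX_MISSED_POLLS = 2       # assumed: two consecutive failed polls = telemetry lost

# Constructed polls, one per polling interval. None models a poll that got
# no answer from the UPS over its management link (SNMP/serial/USB).
SAMPLE_POLLS = [
    "input.voltage: 229.8\nups.status: OL\nbattery.charge: 100",
    "input.voltage: 268.4\nups.status: OL\nbattery.charge: 100",       # surge
    "input.voltage: 0.0\nups.status: OB DISCHRG\nbattery.charge: 96",   # mains lost
    None,                                                               # no answer
    None,                                                               # no answer
    "input.voltage: 231.1\nups.status: OL CHRG\nbattery.charge: 97",   # recovered
]


def parse_upsc(text):
    """Parse `upsc`-style 'key: value' lines into a dict of strings."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # ignore blank or malformed lines
        key, value = line.split(":", 1)   # values may themselves contain ':'
        record[key.strip()] = value.strip()
    return record


def _float_or_nan(value):
    try:
        return float(value)
    except (TypeError, ValueError):
        return math.nan


def evaluate(polls, nominal=NOMINAL_VOLTS, tol_pct=TOLERANCE_PCT,
             low_battery_pct=LOW_BATTERY_PCT, max_missed=MAX_MISSED_POLLS):
    """Return a list of (poll_index, alert_text) for every condition found.

    A poll can raise more than one alert (e.g. on battery AND low battery).
    Telemetry loss is reported once, when the miss count reaches max_missed.
    """
    low = nominal * (1 - tol_pct / 100.0)
    high = nominal * (1 + tol_pct / 100.0)
    alerts = []
    missed = 0
    for index, raw in enumerate(polls):
        if raw is None:
            missed += 1
            if missed == max_missed:
                alerts.append((index,
                               "telemetry lost: %d consecutive polls failed; "
                               "inspect UPS management cabling" % missed))
            continue
        missed = 0
        rec = parse_upsc(raw)
        status = rec.get("ups.status", "").split()     # e.g. ['OB', 'DISCHRG']
        volts = _float_or_nan(rec.get("input.voltage"))
        charge = _float_or_nan(rec.get("battery.charge"))

        if "OB" in status:
            alerts.append((index, "on battery: mains input lost"))
        elif math.isnan(volts):
            alerts.append((index, "input.voltage missing or unparsable"))
        elif not (low <= volts <= high):
            alerts.append((index, "input voltage %.1f V outside %.0f-%.0f V window"
                           % (volts, low, high)))

        if "LB" in status or (not math.isnan(charge) and charge < low_battery_pct):
            alerts.append((index, "battery low (%s%%)" % rec.get("battery.charge", "?")))
    return alerts


if __name__ == "__main__":
    for poll_index, text in evaluate(SAMPLE_POLLS):
        print("poll %d: %s" % (poll_index, text))
```

Run against the constructed sample, the script reports the surge at poll 1, the mains loss at poll 2 and the telemetry loss at poll 4; the recovered poll 5 is silent. In production the polls would come from `upsc <upsname>` on a schedule and the alerts would go to the same channel as other facility alarms, so that a voltage excursion and a disappearing UPS are investigated as incidents rather than read off a log later.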

US Federal Security Guidance

The wiring and the switches for security lighting should be protected, controlled, and properly located. Switches should not be accessible from outside the perimeter. [Protective Lighting, DOT Physical Security Survey Checklist]

Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

Install voltage control mechanisms between the building power and the asset if there is no UPS attached to the asset. [PEVR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

NIST Guidance

The organization must establish and maintain power cabling and equipment policies and procedures to protect power equipment and power cabling from damage and destruction. [App F § PE-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records, documents, and the facility should be examined to ensure power cables and equipment are protected from damage and destruction, that redundant and parallel cabling paths are used by the organization, and that specific responsibilities and actions are defined for the implementation of the power equipment and power cabling control. Any problems discovered during the implementation of the control should be documented and used to improve it. Interviews should be conducted with personnel involved in protecting power cables and power equipment. [PE-9, PE-9(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

Cabling should be protected from interception or damage by using conduit and avoiding routes through public areas; communications and power cables should be segregated; and all cables should be clearly marked. [§ 9.2.3, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

All cables that carry sensitive information should be protected against interception and damage. [Annex A.9.2.3, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Cabling should be protected from interception or damage by using conduit and avoiding routes through public areas; communications and power cables should be segregated; and all cables should be clearly marked. [§ 9.2.3, ISO/IEC 27002 Code of practice for information security management, 2005]

All telecommunications cabling supporting data/information and/or voice and video services located in the premises should be protected from interception, interference, or damage by segregating power and telecommunications cables, segregating fiber telecommunications cabling, avoiding placing cabling in public areas, and providing conduits and/or trays that have the material strength to protect cables from physical damage.

Steps should be taken to ensure cables are protected from external damage and interference, including well-planned design, careful installation, production and maintenance of quality documentation, and maintenance of the installed cables. Procedures and facilities should be implemented to isolate and protect all cabling, including isolating telecommunications and power cables, protecting cables that run through public or unguarded areas in conduits, selecting cables based on the external environment and transmission requirements, and periodically checking cabling, cable trays, and ducts for damage, unauthorized modification, wiretapping, or other potential risk areas.

Precise and up-to-date location plans should be kept for all cabling. Individual detailed routing plans should be kept for telecommunications/networking (data), telecommunications/networking (voice), telecommunications/networking (data/voice/video), and power supply. General cabling plans should be developed and maintained and should contain details of physical routing across different portions of the recovery sites, generic cable types, and markings that identify specific cable usage.

Areas that house restricted facilities should have an electrical supply separate and isolated from the rest of the building, with separate power distribution boards and associated circuit breakers, and the power distribution boards should be properly enclosed. All computing and related equipment should be protected against electrical overvoltage surge, where practicable. Such surges can be caused by cross coupling, lightning strikes, and switching operations. Protection should include: installing overvoltage protection devices; inspecting and periodically checking those devices, checking them after an incident, and replacing any that are damaged; and potential equalization (equipotential bonding) for all computing and related equipment protected by overvoltage protection. [§ 6.7.4, § 6.9, § 6.12.2.4, § 7.6.8, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
6. Power and Air-conditioning
All IT equipment should be protected from power failures, if necessary. A suitable power supply should be provided, and an uninterruptible power supply should be introduced, if necessary. Ensure admissible temperature and humidity.
7. Cabling
Power and communication cabling carrying data or supporting IT services should be protected from interception, damage and overloading. Cabling should be physically protected against accidental or deliberate damage, and selected and laid appropriately for its purpose; planning should take future developments into account. Cables should be protected against wiretapping.
[¶ 8.1.7(6)(7), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

General Guidance

Inside communications wiring should be placed in conduit and outside communications wiring should be underground. For highly vulnerable facilities, the cable should not be taken from the nearest pole; taking it from a farther pole helps prevent an attacker from inferring the actual communications path. To reduce the vulnerability of the telephone room and distribution closets, those rooms should be locked and alarmed. All unused wires should be removed. Access to mechanical rooms and floors, elevator machine rooms, and elevator pits should be controlled, and intrusion alarms should be installed on them. [Pg 6-I-21, Pg 7-I-16, Pg 15-IV-24, Revised Volume 4 Pg 1-I-23, Revised Volume 4 Pg 1-I-25, Protection of Assets Manual, ASIS International]

The computer installation should protect all power and telephone cables by segregating them from communications cables, concealing their locations, not routing them through public areas, locking inspection points, and providing alternative routes. [CI2.7.1, NW3.4.3, NW5.2.5, The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.