Status: Live
The organization will protect power equipment and power cabling for the information systems from damage and destruction, employing redundant power and cabling when necessary. [UCF ID 01438]
Supporting and supported controls
This control directly supports:
- Maintain adequate environmental controls [UCF Control ID 00724]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-6; FFIEC IT Examination Handbook – Information Security, Pg 55; FFIEC IT Examination Handbook – Operations, July 2004, Pg 18, Exam Tier I Obj 7.1, Exam Tier I Obj 8.2, Exam Tier II Obj D.1; Protection of Assets Manual, ASIS International, Pg 6-I-21, Pg 7-I-16, Pg 15-IV-24, Revised Volume 4 Pg 1-I-23, Revised Volume 4 Pg 1-I-25; DOT Physical Security Survey Checklist, Protective Lighting; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-9; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-9, PE-9(1); The Standard of Good Practice for Information Security, CI2.7.1, NW3.4.3, NW5.2.5; ISO 17799:2005 Code of Practice for Information Security Management, § 9.2.3; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.9.2.3; ISO/IEC 27002-2005 Code of practice for information security management, § 9.2.3; Archer Control Table, ATCS-099, ATCS-100, ATCS-151, ATCS-503, ATCS-773
Banking and Finance Guidance
The power entering the computer room should be regulated to prevent power surges. [Pg C-6, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should use surge protectors to protect the equipment from electrical surges and static electricity. Network wiring runs should be protected. [Pg 55, FFIEC IT Examination Handbook – Information Security]
The computing equipment should be protected from power surges by monitoring for power fluctuations. All cables should be physically secured to prevent accidental or malicious cutting or disconnection. [Pg 18, Exam Tier I Obj 7.1, Exam Tier I Obj 8.2, Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Operations, July 2004]
US Federal Security Guidance
Inside communications wiring should be placed in conduit and outside communications wiring should be underground. For highly vulnerable facilities, the cable should not be taken from the nearest pole; taking it from a farther pole helps prevent an attacker from learning the actual communications path. To reduce the vulnerability of the telephone room and distribution closets, the rooms should be locked and alarmed. All unused wires should be removed. Access to mechanical rooms and floors, elevator machine rooms, and elevator pits should be controlled, and intrusion alarms should be installed on them. [Pg 6-I-21, Pg 7-I-16, Pg 15-IV-24, Revised Volume 4 Pg 1-I-23, Revised Volume 4 Pg 1-I-25, Protection of Assets Manual, ASIS International]
The wiring and the switches for security lighting should be protected, controlled, and properly located. Switches should not be accessible from outside the perimeter. [Protective Lighting, DOT Physical Security Survey Checklist]
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
NIST Guidance
The organization needs to protect power equipment and power cabling for the information systems from damage and destruction.
It is suggested that the organization employ redundant and parallel power cabling paths. [PE-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records, documents, and the facility should be examined to ensure power cables and equipment are protected from damage and destruction, redundant and parallel cabling paths are used by the organization, and specific responsibilities and actions are defined for the implementation of the power equipment and power cabling control. Any problems discovered during the implementation of the power equipment and power cabling control should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in protecting power cables and power equipment. [PE-9, PE-9(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Cabling should be protected from interception or damage by using conduit and avoiding routes through public areas; communications and power cables should be segregated; and all cables should be clearly marked. [§ 9.2.3, ISO 17799:2005 Code of Practice for Information Security Management]
All cables that carry sensitive information should be protected against interception and damage. [Annex A.9.2.3, ISO 27001:2005, Information Security Management Systems - Requirements]
Cabling should be protected from interception or damage by using conduit and avoiding routes through public areas; communications and power cables should be segregated; and all cables should be clearly marked. [§ 9.2.3, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The computer installation should protect all power and telephone cables by segregating them from communications cables, concealing their locations, not routing them through public areas, locking inspection points, and providing alternative routes. [CI2.7.1, NW3.4.3, NW5.2.5, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
