The organization will protect power equipment and power cabling for the information systems from damage and destruction, employing redundant power and cabling when necessary. [UCF ID 01438]
Supporting and supported controls
This control directly supports:
• Maintain adequate environmental controls [UCF Control ID 00724]
This control has the following supporting controls:
There are no supporting controls.
Authority documents complied with:
• FFIEC IT Examination Handbook – Information Security Pg 55
• FFIEC IT Examination Handbook – Business Continuity Planning Pg C-6
• FFIEC IT Examination Handbook – Operations Pg 18, Exam Tier I Obj 7.1, Exam Tier I Obj 8.2, Exam Tier II Obj D.1
• The Standard of Good Practice for Information Security CI2.7.1, NW3.4.3, NW5.2.5
• ISO 17799:2005 Code of Practice for Information Security Management § 9.2.3
• ISO 27001:2005, Information Security Management Systems - Requirements § A.9.2.3
• ISO/IEC 27002-2005 Code of practice for information security management § 9.2.3
• Recommended Security Controls for Federal Information Systems, NIST SP 800-53 PE-9
• Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § PE-9, PE-9(1)
• FIPS 200, Minimum Security Requirements for Federal Information and Information Systems § 3
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Business Continuity Planning Pg C-6 states that the power entering the computer room should be regulated to prevent power surges.
US Federal Security Guidance
FIPS Publication 200, § 3 Specifications for Minimum Security Requirements calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
NIST Guidance
NIST 800-53, PE-9, states that the organization needs to protect power equipment and power cabling for the information systems from damage and destruction.
In addition, PE-9(1) suggests the organization employ redundant and parallel power cabling paths.
International Standards Organization Guidance
The ISO/IEC 27002-2005 Code of practice for information security management § 9.2.3 states that cabling should be protected from interception or damage by using conduit and avoiding routes through public areas; communications and power cables should be segregated; and all cables should be clearly marked.
The ISO 27001:2005 Information Security Management Systems - Requirements § A.9.2.3 states that all cables that carry sensitive information should be protected against interception and damage.
The ISO 17799:2005 Code of Practice for Information Security Management § 9.2.3 states that cabling should be protected from interception or damage by using conduit and avoiding routes through public areas; communications and power cables should be segregated; and all cables should be clearly marked.
