Status: Live
The organization will provide the capability of shutting off power to any information system component that may be malfunctioning or threatened. [UCF ID 01439]
Supporting and supported controls
This control directly supports:
- Maintain adequate environmental controls [UCF Control ID 00724]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-3; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-10; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-10; The Standard of Good Practice for Information Security, CI2.7.2(d); ISO 17799:2005 Code of Practice for Information Security Management, § 9.2.2; ISO/IEC 27002-2005 Code of practice for information security management, § 9.2.2; Archer Control Table, ATCS-161, ATCS-162
Banking and Finance Guidance
The data center should have emergency power shutoff switches that are unobstructed and clearly visible. The shutoff switches also should turn off the air conditioning system. [Pg C-3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
US Federal Security Guidance
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
NIST Guidance
For specific locations within a facility containing concentrations of information system resources (e.g., data centers, server rooms, mainframe rooms), the organization provides the capability of shutting off power to any information technology component that may be malfunctioning (e.g., due to an electrical fire) or threatened (e.g., due to a water leak) without endangering personnel by requiring them to approach the equipment. [PE-10, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records, documents, and the facility should be examined to ensure that an emergency shutoff is available and functioning to remove power from any components that are threatened or malfunctioning, and that specific responsibilities and actions are defined for the implementation of the emergency shutoff control. Any problems discovered during the implementation of the emergency shutoff control should be documented and used to improve the controls.
Interviews should be conducted with personnel who work in data centers, server rooms, and/or mainframe rooms to ensure a power shutoff button exists and the personnel know where it is located. [PE-10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Emergency power off switches should be located near all emergency exits to allow for a fast shutdown of the equipment in case of an emergency. [§ 9.2.2, ISO 17799:2005 Code of Practice for Information Security Management]
Emergency power off switches should be located near all emergency exits to allow for a fast shutdown of the equipment in case of an emergency. [§ 9.2.2, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
Emergency power off switches should be placed near emergency exits. [CI2.7.2(d), The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
