Status: Live
The organization will ensure that the placement of information systems components within the facility is designed to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. [UCF ID 01623]
Supporting and supported controls
This control directly supports:
- Maintain adequate environmental controls [UCF Control ID 00724]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-4; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 29; FFIEC IT Examination Handbook – Information Security, Pg 54, Pg 55; Protection of Assets Manual, ASIS International, Pg 1-I-A1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.2, Exhibit 4 PE-18; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-18, PE-19; The Standard of Good Practice for Information Security, CI2.6.1, CI2.6.4(c), CI2.8.5, CI2.8.7(c); ISO 17799:2005 Code of Practice for Information Security Management, § 9.2.1; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.9.2.1; ISO/IEC 27002-2005 Code of practice for information security management, § 9.2.1; Archer Control Table, ATCS-082, ATCS-145, ATCS-150, ATCS-761, ATCS-773, ATCS-847
Banking and Finance Guidance
The organization should determine the types of products being produced near the facility, what risks they pose, and how to mitigate the risks. [Pg C-4, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
Servers and network devices should be placed in areas where unauthorized personnel cannot gain access to them. [Pg 29, FFIEC IT Examination Handbook – E-Banking, August 2003]
For PCs located in or near public areas, the workstations should be secured; disk drives and unnecessary physical ports should be locked or removed; and automatic timeouts and screensaver passwords should be used. [Pg 54, Pg 55, FFIEC IT Examination Handbook – Information Security]
US Federal Security Guidance
The organization should ensure there is appropriate separation between work and display areas. [Pg 1-I-A1, Protection of Assets Manual, ASIS International]
US Internal Revenue Guidance
The information system components for systems that process Federal Tax Information (FTI) must be placed in such a way as to minimize potential damage from environmental and physical hazards and to minimize the opportunity for unauthorized individuals to view any FTI. [§ 4.3.2, Exhibit 4 PE-18, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
Organizational records, documents, and the facility should be examined to ensure that system components are in locations that minimize environmental hazards and prevent possible unauthorized access, and that specific responsibilities and actions are defined for implementing the information system components control and the information leakage control. Any problems discovered while implementing these two controls should be documented and used to improve them.
Interviews should be conducted with personnel who decide where components are placed, personnel who use any system components, and personnel who test for information leakage. [PE-18, PE-19, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Equipment that handles sensitive information should be positioned so that the information cannot be seen by unauthorized personnel walking by. [§ 9.2.1, ISO 17799:2005 Code of Practice for Information Security Management]
All information processing equipment should be placed in areas where the risks from environmental hazards are reduced. [Annex A.9.2.1, ISO 27001:2005, Information Security Management Systems - Requirements]
Equipment that handles sensitive information should be positioned so that the information cannot be seen by unauthorized personnel walking by. [§ 9.2.1, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The computer installation (facility) should be in a building that is at low risk of fire, flood, and other disasters. Computer equipment should be protected by placing it away from smoke, dust, vibration, food, drinks, and other hazards. Critical equipment should be located away from public areas, and details of what goes on in the space should be kept confidential. [CI2.6.1, CI2.6.4(c), CI2.8.5, CI2.8.7(c), The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
