Back

Design the Information Technology facility with consideration given to natural disasters and man-made disasters.


CONTROL ID
00712
CONTROL TYPE
Physical and Environmental Protection
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain facility maintenance procedures., CC ID: 00710

This Control has the following implementation support Control(s):
  • Design the Information Technology facility with a low profile., CC ID: 16140
  • Prohibit signage indicating computer room location and uses., CC ID: 06343
  • Require critical facilities to have adequate room for facility maintenance., CC ID: 06361
  • Require critical facilities to have adequate room for evacuation., CC ID: 11686
  • Build critical facilities according to applicable building codes., CC ID: 06366


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Facilities must be located in an environment that is resilient to potential risks. This is an IT general control. (App 2-1 Item Number IV.10(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • F1: The organization should not construct a computer center where it will be vulnerable to disasters, including lightning strikes, floods, tsunamis, storm surges, fires, and earthquakes, or failures resulting from air pollution, electric/magnetic disturbances, excessive salt damage, and vibration. F… (F1, F22, F22.1, F23, F52, F121, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • It is recommended to avoid setting up a computer center at a site that is likely to be subject to disasters and failures. In the case where a computer center building has already been built or must be built at a site subject to disasters or failures, appropriate measures must be taken against a disa… (F1.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To protect the computer systems against possible failure, it is necessary to provide buildings with proper safeguards to ensure protection against the building's own weight, movable load, fallen snow, wind pressure, earthquakes and other vibrations, and impacts. (F11.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In the case of steel-frame construction, the columns, beams, and other structural members should be protected with fire resistive coverings of non-combustible materials to ensure the fire resistance of the building structure. It is recommended that the fire resistant coverings include proper provisi… (F21.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Free-access floors are installed for the laying of cables and wires needed for computer devices, and for air-conditioning, by erecting support columns on the floor of a building. Since free-access floors employ panel-type floorboards, which are easy to detach, the floors might be damaged in the case… (F36.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Seismic retrofitting for prevention of dislocation or overturning of computer equipment varies according to the weight, geometry, and installation position of the equipment. In addition, recommended construction methods vary according to manufacturers. This suggests that consultation with manufactur… (F50.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To minimize possible impacts of earthquake on the computer systems, air-conditioning facilities should be provided with proper precautions against earthquake to remain intact in the event of earthquake. (F78.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to install it in places that are less susceptible to earthquakes, fires or flooding. Where it is unavoidable to install the power supply room and air-conditioner room in any place possibly exposed to disaster, required precautions to minimize possible damage due to various disasters … (F52.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To ensure the uninterrupted operation of individual pieces of equipment in the power supply facilities even in the event of an earthquake, it is recommended to use earthquake-proof equipment in consideration of requirements for the installation and operation of equipment. (F66.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In accordance with the Act on Promotion of Seismic Retrofitting of Buildings, every building found to fall into a category of a specified building needs to be subject to earthquake resistant diagnosis and seismic retrofitting if required. (F86.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The central control and monitoring station (central monitoring room, disaster control center, etc.) serves as the key center of the computer center in both normal and disaster states, as well as during other emergencies. Therefore, it is necessary to take disaster prevention measures for the station… (F81.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In some cases, depending on the structure of the computer center and the operational requirements for the central control and monitoring station, the functions of the central control and monitoring station are shared by several rooms or stations such as a central monitoring room to control the power… (F81.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should locate the facility in a place that provides protection from man-made threats and natural threats. (¶ 56(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • location and building facilities that provide a level of protection from natural and man-made threats. This includes diversity of access to key utility services such as power and telecommunications, as well as fall-back mechanisms where access to the key utility service has failed (e.g. generators, … (46(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • whether the location of important ICT operations/data centres (e.g. regions, countries) may expose the institution to natural disasters (e.g. flooding, earthquakes), political instability or labour conflicts and civil disturbances which can lead to a material increase of ICT availability and continu… (Title 3 3.2.1 39.g, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • CSIRTs' premises and the supporting information systems shall be located in secure sites. (ANNEX I ¶ 1(1)(b), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, whilst considering relevant laws and regulation… (DS12.1 Site Selection and Layout, CobiT, Version 4.1)
  • The security profile shall contain important details about the location of the local environment, for example when the local environment is operated in a hazardous region (e.g., earthquake or hurricane zone). (CF.12.01.06c, The Standard of Good Practice for Information Security)
  • Critical facilities should be protected against natural hazards (e.g., storm and flood damage). (CF.19.03.02c-1, The Standard of Good Practice for Information Security)
  • Critical facilities should be protected against man-made hazards (e.g., fire, explosions, and building collapse). (CF.19.03.02c-2, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about the location of the local environment, for example when the local environment is operated in a hazardous region (e.g., earthquake or hurricane zone). (CF.12.01.06c, The Standard of Good Practice for Information Security, 2013)
  • Critical facilities should be protected against natural hazards (e.g., storm and flood damage). (CF.19.03.02c-1, The Standard of Good Practice for Information Security, 2013)
  • Critical facilities should be protected against man-made hazards (e.g., fire, explosions, and building collapse). (CF.19.03.02c-2, The Standard of Good Practice for Information Security, 2013)
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Certain factors should be considered when selecting a site for a secure operating center: Buildings should be made of noncombustible materials; windows should be kept to a minimum on the ground floor; windows on the ground floor should be protected with grills, screens, or other material; the comput… (§ 2-11, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The security structure must maintain a domain of its own to protect itself from tampering and external interference. (§ 8-613.c, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Buildings shall be suitably designed and contain enough space to perform all necessary operations, prevent mix-ups, and ensure orderly handling. (§ 820.70(f), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Operating centers located in areas less prone to environmental threats. (App A Objective 14:1c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should consider the environmental hazard risks and the physical hazard risks when planning new facilities or reviewing existing facilities. (SG.PE-12 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)