Back

Establish, implement, and maintain an environmental control program.


CONTROL ID
00724
CONTROL TYPE
Physical and Environmental Protection
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Physical and environmental protection, CC ID: 00709

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain environmental control procedures., CC ID: 12246
  • Establish and maintain a telecommunications equipment room, as necessary., CC ID: 06708
  • Protect power equipment and power cabling from damage or destruction., CC ID: 01438
  • Establish, implement, and maintain a battery room, as necessary., CC ID: 06706
  • Establish and maintain a generator room, as necessary., CC ID: 06704
  • Establish, implement, and maintain facility maintenance procedures., CC ID: 00710
  • Establish, implement, and maintain work environment requirements., CC ID: 06613
  • House system components in areas where the physical damage potential is minimized., CC ID: 01623
  • Establish, implement, and maintain a fire prevention and fire suppression standard., CC ID: 06695
  • Conduct fire drills, as necessary., CC ID: 13985
  • Employ environmental protections., CC ID: 12570


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • F30: The organization shall install emergency exits, guide lights, guide signs, and evacuation apparatus in the computer room. F76: The organization shall provide various automatic control units and emergency alarms for detecting unusual conditions in devices to ensure air-conditioning facilities o… (F30, F76, O77.8, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Ongoing support and maintenance controls would be needed to ensure that IT assets continue to meet business objectives. Major controls in this regard include change management controls to ensure that the business objectives continue to be met following change; configuration management controls to en… (Critical components of information security 6) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should rigorously control and regulate the environment within a DC. Monitoring of environmental conditions, such as temperature and humidity, within a DC is critical in ensuring uptime and system reliability. The FI should promptly escalate any abnormality detected to management and resolve t… (§ 10.3.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization should implement mechanisms to monitor for and alert individuals when a compromise of service availability is detected. (¶ 56(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • environmental controls which maintain environmental conditions within acceptable parameters. Common controls include ventilation, air conditioning and fire suppressant systems; and (46(c)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • location and building facilities that provide a level of protection from natural and man-made threats. This includes diversity of access to key utility services such as power and telecommunications, as well as fall-back mechanisms where access to the key utility service has failed (e.g. generators, … (46(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Design and implement measures for protection against environmental factors. Install specialised equipment and devices to monitor and control the environment. (DS12.4 Protection Against Environmental Factors, CobiT, Version 4.1)
  • States that sensors should be designed to initiate alarms when the event being monitored for occurs, electrical power is lost, the device short circuits or grounds, the sensor fails, or the sensor's control panel is tampered with. Indoor units should operate from 32 degrees Fahrenheit to 120 degrees… (Pg 5-I-6, Protection of Assets Manual, ASIS International)
  • The impact of hazards should be minimized by protecting computer equipment (including critical infrastructure) against damage from environmental hazards (e.g., smoke, dust, vibration, chemicals, electrical interference / radiation, food, drink, and nearby industrial processes). (CF.19.03.04c, The Standard of Good Practice for Information Security)
  • The impact of hazards should be minimized by protecting computer equipment (including critical infrastructure) against damage from environmental hazards (e.g., smoke, dust, vibration, chemicals, electrical interference / radiation, food, drink, and nearby industrial processes). (CF.19.03.04c, The Standard of Good Practice for Information Security, 2013)
  • Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, m… (BCR-05, Cloud Controls Matrix, v3.0)
  • Information security measures and redundancies shall be implemented to protect equipment from utility service outages (e.g., power failures and network disruptions). (BCR-08, Cloud Controls Matrix, v3.0)
  • Datacenter utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications,and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized… (BCR-03, Cloud Controls Matrix, v3.0)
  • Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals. (DCS-14, Cloud Controls Matrix, v4.0)
  • ¶ 8.1.7(6)(7) Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the build… (¶ 8.1.7(6)(7), ¶ 10.3.8, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • use engineering controls; (§ 5.4 ¶ 3 Bullet 3, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • Changing the environmental controls is an example of physical tampering. The system should have the capability to detect and determine if physical tampering has occurred. The system should be able to monitor specified devices and elements and notify a specified user when physical tampering has occur… (§ 15.7, § J.7, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Service providers should provide secure storage facilities and accessories for storing vital records, supplies, and magnetic media. Appropriate environmental controls should be in place to maintain the records during storage and transportation. Procedures and policies should be implemented to protec… (§ 6.4.7(b), § 6.6, § 6.12.2.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. (A.11.1.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Controls should be in place to reduce the likelihood of environmental threats. All buildings should have lightning protection measures. (§ 9.2.1, ISO 27002 Code of practice for information security management, 2005)
  • Physical protection against natural disasters, malicious attack or accidents should be designed and applied. (§ 11.1.4 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented. (§ 7.5 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Policy and regulations regarding the physical operating environment for organizational assets are met. (PR.IP-5, CRI Profile, v1.2)
  • The organization should implement procedures to protect personal information from natural disasters and environmental hazards. (ID 8.2.4, AICPA/CICA Privacy Framework)
  • The organization should maintain controls to protect all forms of personal information against environmental factors. (Table Ref 8.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should maintain physical safeguards and other safeguards to prevent personal information from being disclosed in case an environmental incident occurs. (Table Ref 8.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Are reasonable environmental controls present in the building or data center that contains scoped systems and data? (§ F.1.2, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • The organization must monitor and periodically test the environmental controls and evaluate the alert levels and associated guidelines. When needed, the emergency response procedures must be implemented and monitored, management must be notified of possible service and/or media lost, any damage is r… (CSR 5.1.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • § 820.70(c): A medical device manufacturer shall establish and maintain procedures for adequately controlling environmental conditions when they could have an adverse affect on product quality. The environmental control system(s) shall be inspected on a periodic basis to verify the system and equip… (§ 820.70(c), § 820.70(e), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Environmental and physical access controls. (V Action Summary ¶ 2 Bullet 9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Appropriate security and environmental controls within the entity's infrastructure, including: (App A Objective 14:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Physical, logical, and environmental controls. (App A Objective 14:2c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • This examination procedure may be performed in coordination with related examination procedures in the "Business Continuity Management" booklet. Determine whether management developed, documented, and implemented environmental control policies, standards, and procedures to safeguard facilities, tech… (App A Objective 13:8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The facility should be made of fire-resistant materials and grounded correctly to protect against electrical hazards. If the facility is located in an area where natural hazards occur, such as earthquakes or tornadoes, responses to these scenarios should be included in the continuity plan. (Pg C-3, Pg C-4, Exam Tier II Obj 1.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Management should monitor and implement environmental controls to help reduce disruptions to daily operations. (Pg 17 thru Pg 19, Exam Tier I Obj 5.1, Exam Tier I Obj 7.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Says that environmental controls prevent or mitigate potential damage to facilities and interruptions in service. Examples of environmental controls include: • fire extinguishers and fire suppression systems; • fire alarms; • smoke detectors; • water detectors; • redundancy in air cooling … (SC-2.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Has the Credit Union implemented measures for protecting member information against destruction, loss, or damage due to potential environmental hazards? (IT - 748 Compliance Q 6h, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include environmental controls for the data center? (IT - Policy Checklist Q 3, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Part of a successful contingency planning policy is to make the system resilient to environmental failures that could cause disruptions to the system. Several methods are available; determining the appropriate method should be based on risk-informed decisions. (§ 5.1.3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • § 4.5.5: Cryptographic modules are not required to use environmental failure protection (EFP) features or conduct environmental failure testing (EFT) for security levels 1, 2, and 3. Cryptographic modules shall use either EFP or EFT for security level 4. § 4.5.5.1: Cryptographic modules shall have… (§ 4.5.5, § 4.5.5.1, § 4.5.5.2, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • The physical environment is monitored to detect potential cybersecurity events (DE.CM-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Policy and regulations regarding the physical operating environment for organizational assets are met (PR.IP-5, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Addresses the need for environmental controls by listing the hazards and their accompanying dangers, but does not detail specific measures for mitigating them. (§ 3.10.2 thru § 3.10.5, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Environmental Factors. In addressing the security needs of the system and data, it is important to consider environmental factors. For example, if a site is dusty, systems should be placed in a filtered environment. This is particularly important if the dust is likely to be conductive or magnetic, a… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 4 Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • If computers are readily accessible, and they have removable media drives (e.g., floppy disks, compact discs, external hard drives) or USB ports, the drives can be fitted with locks or removed from the computers and USB ports disabled. Depending on security needs and risks, it might also be prudent … (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Policy and regulations regarding the physical operating environment for organizational assets are met. (PR.PO-P4, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must develop, disseminate, review, and update, on a predetermined frequency, a formal, documented Physical and Environmental Protection policy that addresses purpose, roles, responsibilities, scope, compliance, management commitment, and coordination among entities. (App F § PE-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures for implementing the Physical and Environmental Protection policy and its associated controls. (App F § PE-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. (PE-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Provide an equivalent level of protective security measures to mitigate risk during power outages, security equipment failure, or extended repair of security systems. (Table 1: Equipment Maintenance and Testing Enhanced Security Measures Cell 3, Pipeline Security Guidelines)
  • physical security and environmental controls; (§ 500.03 Cybersecurity Policy (j), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)