House system components in areas where the physical damage potential is minimized.


CONTROL ID
01623
CONTROL TYPE
Physical and Environmental Protection
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an environmental control program., CC ID: 00724

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization shall ensure the computer system is protected against possible failure by ensuring exterior walls, roofs, and other structures are water resistant. (F12, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In a building, the computer room and data storage room should be installed in proper locations that are less susceptible to earthquake, fire, flooding, and other disasters to protect the computer systems against possible impact. When it is unavoidable to install the computer room and data storage ro… (F22.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to install it in places that are less susceptible to earthquakes, fires or flooding. Where it is unavoidable to install the power supply room and air-conditioner room in any place possibly exposed to disaster, required precautions to minimize possible damage due to various disasters … (F52.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Storage battery systems should be fixed to the floor, wall, or other structural members with reinforced base to prevent possible overturning and damage in the event of earthquake. (F66.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In order to protect computer systems from adverse effects, it is recommended to install servers in the zones of buildings that are less likely to suffer from earthquake, fire, floods, etc. (F121.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To protect servers against invasion, breakage, and leakage of confidential information, it is recommended to install servers in zones that are hard to access from outside by avoiding spots near the entrance of buildings or at places that are not directly accessible through elevators or stairs. (F122.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • location and housing that provide a level of protection from natural and man-made threats; (¶ 56(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Locating sensitive equipment, data, and applications away from environmental hazards is a typical environmental and physical control. (§ 5.3.4 ¶ 2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The organization should ensure there is appropriate separation between work and display areas. (Pg 1-I-A1, Protection of Assets Manual, ASIS International)
  • Critical facilities should be located in a safe environment and in rooms protected from natural and man-made hazards (e.g., in an area with low risk of flooding, storms, fire, explosion, civil unrest, or damage from neighboring activities). (CF.19.03.01, The Standard of Good Practice for Information Security)
  • Physical servers that are used to host Virtual Servers should be protected by locating them in physically secure environments (e.g., data centres or equivalent). (CF.07.03.03a, The Standard of Good Practice for Information Security)
  • Critical facilities should be located in a safe environment and in rooms protected from natural and man-made hazards (e.g., in an area with low risk of flooding, storms, fire, explosion, civil unrest, or damage from neighboring activities). (CF.19.03.01, The Standard of Good Practice for Information Security, 2013)
  • Physical servers that are used to host Virtual Servers should be protected by locating them in physically secure environments (e.g., data centres or equivalent). (CF.07.03.03a, The Standard of Good Practice for Information Security, 2013)
  • Keep business-critical equipment away from locations subject to high probability for environmental risk events. (DCS-15, Cloud Controls Matrix, v4.0)
  • ¶ 8.1.7(1)(5) Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the build… (¶ 8.1.7(1)(5), ¶ 10.2.9, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. (A.11.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Equipment that handles sensitive information should be positioned so that the information cannot be seen by unauthorized personnel walking by. (§ 9.2.1, ISO 27002 Code of practice for information security management, 2005)
  • Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. (§ 11.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Equipment should be sited securely and protected. (§ 7.8 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should determine the types of products being produced near the facility, what risks they pose, and how to mitigate the risks. (Pg C-4, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Servers and network devices should be placed in areas where unauthorized personnel cannot gain access to them. (Pg 29, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization positions information system components within the facility to minimize potential damage from [FedRAMP Assignment: physical and environmental hazards identified during threat assessment] and to minimize the opportunity for unauthorized access. (PE-18 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Position system components within the facility to minimize potential damage from [FedRAMP Assignment: physical and environmental hazards identified during threat assessment] and to minimize the opportunity for unauthorized access. (PE-18 Control, FedRAMP Security Controls High Baseline, Version 5)
  • The information system components for systems that process Federal Tax Information (FTI) must be placed in such a way as to minimize potential damage from environmental and physical hazards and to minimize the opportunity for unauthorized individuals to view any FTI. (§ 4.3.2, Exhibit 4 PE-18, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizational records, documents, and the facility should be examined to ensure the system components are in locations that minimize environmental hazards and are located to prevent possible unauthorized access and that specific responsibilities and actions are defined for the implementation of the… (PE-18, PE-19, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must locate the smart grid Information System components in a place that minimizes any potential damage from environmental hazards and physical hazards. (SG.PE-12 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must place system components in a way to minimize potential damage from environmental and physical hazards and to minimize the potential for unauthorized access. (App F § PE-18, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization positions information system components within the facility to minimize potential damage from {organizationally documented physical and environmental hazards} and to minimize the opportunity for unauthorized access. (PE-18 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization positions information system components within the facility to minimize potential damage from {organizationally documented physical and environmental hazards} and to minimize the opportunity for unauthorized access. (PE-18 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4, Deprecated)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)