Define selection criteria for facility locations.
CONTROL ID
06351
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain facility maintenance procedures., CC ID: 00710

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should consider fully the environmental threats (e.g. proximity to dangerous factories) when selecting the locations of their data centres. Moreover, physical and environmental controls should be implemented to monitor environmental conditions which could affect adversely the operation of inform… (3.6.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • O92: Head and branch offices shall define the selection criteria for in-store branch locations. O93: The organization shall define the criteria for selecting convenience stores and location area in the stores for ATMs. (O92, O93, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In-store branches offer features different from those in the operation of conventional head offices and branch offices, such as an open layout, and operation by a small number of staff members. In order to ensure the security of in-store branches, it is necessary to define the guidelines for the sel… (P125.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The selection of location for an in-store branch must also take into account the condition of facilities in the store. (P125.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is recommended to avoid setting up a computer center at a site that is likely to be subject to disasters and failures. In the case where a computer center building has already been built or must be built at a site subject to disasters or failures, appropriate measures must be taken against a disa… (F1.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When determining a location for a computer system, it is recommended to refer to published data on the number of thunder/rainy days per year. (F1.3. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to define store location area and convenience store selection guidelines in order to assure the security of convenience store ATMs and their users. (P126.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Organizations that operate sites outside of Australia should contact the Department of Foreign Affairs and Trade to determine the physical security requirements for the facility. (Control: 1214, Australian Government Information Security Manual: Controls)
  • the CSIRTs' premises and the supporting information systems shall be located at secure sites; (Article 11 1 ¶ 1(b), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, whilst considering relevant laws and regulation… (DS12.1 Site Selection and Layout, CobiT, Version 4.1)
  • The security profile shall contain important details about the location of the local environment, for example when the local environment involves co-sharing with one or more other organisations (e.g., in a business park). (CF.12.01.06b, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about the location of the local environment, for example when the local environment involves co-sharing with one or more other organisations (e.g., in a business park). (CF.12.01.06b, The Standard of Good Practice for Information Security, 2013)
  • The storage facility should be easily accessible and not be in a known external risk area in order to ensure that the records are adequately stored and protected. (§ 4.3.7.2 ¶ 1(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Plan the location or site of the facility where the system resides considering physical and environmental hazards; and (PE-23a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Plan the location or site of the facility where the system resides considering physical and environmental hazards; and (PE-23a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Plan the location or site of the facility where the system resides considering physical and environmental hazards; and (PE-23a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • There are obvious cost and ready-time differences among the options. In these examples, the mirrored site is the most expensive choice, but it ensures virtually 100 percent availability. Cold sites are the least expensive to maintain, although they may require substantial time to acquire and install… (§ 3.4.3 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Table summarizes the criteria that can be employed to determine which type of alternate site meets the organization's requirements. Sites should be analyzed further by the organization, including considerations given to business impacts and downtime defined in the BIA. As sites are evaluated, the IS… (§ 3.4.3 ¶ 6, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • During a serious situation, addressing personnel and family matters often takes priority over resuming business. Planning for such matters may involve pre-identification of temporary housing, work space, and staffing. In some situations, the organization may need to use personnel from associated org… (Appendix D Subsection 3 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should plan the location or site of the facility where the Information System resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. (App F § PE-18(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. (PE-18(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. (PE-18(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Plan the location or site of the facility where the system resides considering physical and environmental hazards; and (PE-23a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Plan the location or site of the facility where the system resides considering physical and environmental hazards; and (PE-23a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)