Employ environmental protections.
CONTROL ID
12570
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an environmental control program., CC ID: 00724

This Control has the following implementation support Control(s):
  • Monitor and review environmental protections., CC ID: 12571
  • Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets., CC ID: 16472
  • Install and maintain seismic detectors in critical facilities., CC ID: 06364
  • Protect physical assets against static electricity, as necessary., CC ID: 06363
  • Install and maintain emergency lighting for use in a power failure., CC ID: 01440
  • Install and maintain lightning protection mechanisms in critical facilities., CC ID: 06367
  • Establish, implement, and maintain pest control systems in organizational facilities., CC ID: 16139
  • Establish, implement, and maintain a Heating Ventilation and Air Conditioning system., CC ID: 00727
  • Protect physical assets from water damage., CC ID: 00730

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A bank needs to deploy the following environmental controls: (Critical components of information security 8) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Suitable preventive mechanisms for various threats indicated above (Critical components of information security 8) (iii) Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • There should be secure storage of media. Controls could include physical and environmental controls such as fire and flood protection, limiting access by means like physical locks, keypad, passwords, biometrics, etc., labelling, and logged access. Management should establish access controls to limit… (Critical components of information security 15) v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • physical measures to both protect the institution's critical ICT infrastructure (e.g. data centres) from environmental risks (e.g. flooding and other natural disasters) and ensure an appropriate operating environment for ICT systems (e.g. air conditioning); (Title 3 3.3.4(a) 54.b(v), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Structural, technical and organisational safeguards are taken to protect premises or buildings which house sensitive or critical information, information systems or other network infrastructure against fire, water, earthquakes, explosions, civil disturbances and other forms of natural threats and th… (Section 5.5 PS-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Technical safeguards: (Section 5.5 PS-03 Basic requirement ¶ 3, Cloud Computing Compliance Controls Catalogue (C5))
  • The supply of the computing centres (e. g. water, electricity, temperature and moisture control, telecommunications and Internet connection) is secured, monitored and is maintained and tested at regular intervals in order to guarantee continuous effectiveness. It has been designed with automatic fai… (Section 5.14 BCM-05 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Design and implement measures for protection against environmental factors. Install specialised equipment and devices to monitor and control the environment. (DS12.4 Protection Against Environmental Factors, CobiT, Version 4.1)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. (A1.2 ¶ 2 Bullet 3 Implements and Maintains Environmental Protection Mechanisms, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events. (A1.2 Implements and Maintains Environmental Protection Mechanisms, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. (A1.2 ¶ 2 Bullet 3 Implements and Maintains Environmental Protection Mechanisms, Trust Services Criteria, (includes March 2020 updates))
  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. (A1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Implement measures to protect against destruction, loss, or damage of Nonpublic Information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and (Section 4.D ¶ 1(2)(j), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures. (§ III.C(1)(h), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Environmental Control Systems. Heating, ventilation, and air conditioning (HVAC) systems for control rooms must support plant personnel during normal operation and emergency situations, which could include the release of toxic substances. Fire systems must be carefully designed to avoid causing more… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 4 Bullet 5, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Environmental Factors. In addressing the security needs of the system and data, it is important to consider environmental factors. For example, if a site is dusty, systems should be placed in a filtered environment. This is particularly important if the dust is likely to be conductive or magnetic, a… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 4 Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [Assignment: organization-defined automatic environmental controls]. (PE-14(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Assignment: organization-defined protective measures] against electromagnetic pulse damage for [Assignment: organization-defined systems and system components]. (PE-21 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [Assignment: organization-defined automatic environmental controls]. (PE-14(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and (PE-14a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ [Assignment: organization-defined protective measures] against electromagnetic pulse damage for [Assignment: organization-defined systems and system components]. (PE-21 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization's technology assets are protected from environmental threats (PR.IR-02, The NIST Cybersecurity Framework, v2.0)
  • Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures. (§ III. C. 1.(h), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures. (Section 27-62-4(d)(2) j., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Implementation of measures to protect against the destruction, loss or damage of nonpublic information due to environmental hazards, including, but not limited to, fire and water, or other catastrophes or technological failures; and (Part VI(c)(4)(B)(x), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage, other catastrophes, or technological failures. (§ 8604.(d)(2) j., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and (§431:3B-203(2)(J), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Implementing measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures. (Sec. 18.(2)(J), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures. (507F.4 4.b.(10), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures. (§2504.D.(2)(j), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Implement measures to protect against destruction, loss or damage of nonpublic information due to environmental hazards, such as fire and water damage, or other catastrophes or technological failures; and (§2264 4.B.(10), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Implementing measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures. (Sec. 555.(4)(b)(xi), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage, other catastrophes, or technological failures; and (§ 60A.9851 Subdivision 4(2)(x), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and (§ 83-5-807 (4)(b)(x), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures. (§ 420-P:4 IV.(b)(10), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, including fire and water damage or other catastrophes or technological failures; and (26.1-02.2-03. 4.b.(10), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; (Section 3965.02 (D)(2)(j), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • implementing measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards such as fire and water damage or other catastrophes or technological failures; and (SECTION 38-99-20. (D)(2)(j), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage, technological failures, or other catastrophic events; and (§ 56-2-1004 (4)(B)(x), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; (§ 38.2-623.C.5., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural and other disasters, and technological failures. (§ 601.952(3)(b)10., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)