Protect power equipment and power cabling from damage or destruction.


CONTROL ID: 01438
CONTROL TYPE: Physical and Environmental Protection
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an environmental control program. (CC ID: 00724)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • F9: The organization should protect communications and power lines at the site against breakage and the spread of fire to prevent service(s) provided by a computer system from being interrupted. F40: The organization shall make cables in the computer and data storage rooms flame retardant and resist… (F9, F40, F47, F60, F79, F83-1, F84, F97, F97.1, F98, F105, F107, F133, F134, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • deployment of power equipment, such as uninterruptable power sources, backup diesel generators with fuel tanks; and (§ 8.5.2(b), Technology Risk Management Guidelines, January 2021)
  • Top secret facilities should have the power distribution board in a top secret area and a feed from an Uninterruptible Power Supply in order to power all of the equipment. (Control: 1123, Australian Government Information Security Manual: Controls)
  • Top secret facilities must have the power distribution board in a top secret area and a feed from an Uninterruptible Power Supply in order to power all of the equipment in facilities where the facility is shared by government organizations and non-government organizations. (Control: 1135, Australian Government Information Security Manual: Controls)
  • Does the organization use automatic voltage control to protect Information Technology assets? (Table Row II.65, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Inside communications wiring should be placed in conduit and outside communications wiring should be underground. For highly vulnerable facilities, the cable should not be taken from the nearest pole; by taking it from a farther pole, it will help in preventing an attacker from knowing the actual co… (Pg 6-I-21, Pg 7-I-16, Pg 15-IV-24, Revised Volume 4 Pg 1-I-23, Revised Volume 4 Pg 1-I-25, Protection of Assets Manual, ASIS International)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by concealing the installation of cabling. (CF.09.02.01b, The Standard of Good Practice for Information Security)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by using armored conduit. (CF.09.02.01c, The Standard of Good Practice for Information Security)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by providing alternative feeds or routing. (CF.09.02.01e, The Standard of Good Practice for Information Security)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by avoiding routes through publicly accessible areas. (CF.09.02.01f, The Standard of Good Practice for Information Security)
  • Power cables to critical facilities (including locations that house computer systems, such as data centers, networks, telecommunication equipment, sensitive physical material, and other important assets) should be protected by locked inspection / termination points. (CF.19.02.01c, The Standard of Good Practice for Information Security)
  • Power cables to critical facilities (including locations that house computer systems, such as data centers, networks, telecommunication equipment, sensitive physical material, and other important assets) should be protected by avoidance of routes through public areas. (CF.19.02.01e, The Standard of Good Practice for Information Security)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by concealing the installation of cabling. (CF.09.02.01b, The Standard of Good Practice for Information Security, 2013)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by using armored conduit. (CF.09.02.01c, The Standard of Good Practice for Information Security, 2013)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by providing alternative feeds or routing. (CF.09.02.01e, The Standard of Good Practice for Information Security, 2013)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by avoiding routes through publicly accessible areas. (CF.09.02.01f, The Standard of Good Practice for Information Security, 2013)
  • Power cables to critical facilities (including locations that house computer systems, such as data centers, networks, telecommunication equipment, sensitive physical material, and other important assets) should be protected by locked inspection / termination points. (CF.19.02.01c, The Standard of Good Practice for Information Security, 2013)
  • Power cables to critical facilities (including locations that house computer systems, such as data centers, networks, telecommunication equipment, sensitive physical material, and other important assets) should be protected by avoidance of routes through public areas. (CF.19.02.01e, The Standard of Good Practice for Information Security, 2013)
  • Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of power and telecommunication cables from a threat of interception, interference or damage at all facilities, offices and rooms. (DCS-12, Cloud Controls Matrix, v4.0)
  • Security mechanisms and redundancies shall be implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.). (RS-07, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is consider… (¶ 8.1.7(6)(7), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • All telecommunications cabling supporting data/information and/or voice and video services located in the premises should be protected from interception, interference, or damage by segregating power and telecommunications cables, segregating fiber telecommunications cabling, avoiding placing cabling… (§ 6.7.4, § 6.9, § 6.12.2.4, § 7.6.8, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. (A.11.2.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. (A.11.2.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Cabling should be protected from interception or damage by using conduit and avoiding routes through public areas; communications and power cables should be segregated; and all cables should be clearly marked. (§ 9.2.3, ISO 27002 Code of practice for information security management, 2005)
  • Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage. (§ 11.2.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. (§ 11.2.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • CSR 5.1.4: The organization must protect the information system's power cabling and power equipment from damage and destruction. CSR 5.1.9: The organization must use power surge protection for all computer equipment. (CSR 5.1.4, CSR 5.1.9, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The facility must have an automatic voltage control installed for all key Information Technology assets. (PEVR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Install voltage control mechanisms between the building power and the asset if there is no UPS attached to the asset. (PEVR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The wiring and the switches for security lighting should be protected, controlled, and properly located. Switches should not be accessible from outside the perimeter. (Protective Lighting, DOT Physical Security Survey Checklist)
  • Power issues mitigation, including: (App A Objective 13:9d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Use of smoke, water, and power detection and mitigation devices and systems, as well as fire suppression systems. (App A Objective 14:1d Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Steps to protect computing equipment from inconsistent and dirty power sources. (App A Objective 13:9d Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Methods to monitor, condition, or stabilize the electricity source voltage and minimize effects of power fluctuations. (App A Objective 13:9d Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The power entering the computer room should be regulated to prevent power surges. (Pg C-6, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The computing equipment should be protected from power surges by monitoring for power fluctuations. All cables should be physically secured to prevent accidental or malicious cutting or disconnection. (Pg 18, Exam Tier I Obj 7.1, Exam Tier I Obj 8.2, Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Protect power equipment and power cabling for the system from damage and destruction. (PE-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Protect power equipment and power cabling for the system from damage and destruction. (PE-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • § 4.5.5.1: Cryptographic modules shall have environmental failure protection features to protect against unusual environmental fluctuations or conditions that can compromise the modules' security. The module shall monitor and respond to fluctuations in temperature and voltage outside the normal ran… (§ 4.5.5.1, § 4.5.5.2, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporti… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records, documents, and the facility should be examined to ensure power cables and equipment are protected from damage and destruction, redundant and parallel cabling paths are used by the organization, and specific responsibilities and actions are defined for the implementation of th… (PE-9, PE-9(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must protect power equipment and power cabling from damage and destruction. (App F § PE-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automatic voltage controls for a predefined list of critical components. (App F § PE-9(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs automatic voltage controls for {organizationally documented critical information system components}. (PE-9(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization protects power equipment and power cabling for the information system from damage and destruction. (PE-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components]. (PE-9(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Protect power equipment and power cabling for the system from damage and destruction. (PE-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ automatic voltage controls for [Assignment: organization-defined critical system components]. (PE-9(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)