External and environmental threats can cause unexpected damage to information assets, as well as the facilities in which they reside.

Appropriate environmental threat protection controls are necessary to limit the impact that either human-made or environmental threats may have on an organization’s operations, systems, personnel, or data availability.

If not appropriately addressed, the lack of these controls can have a negative impact on an organization’s ability to maintain the delivery of its products or services. These controls and threat protections are the focus of pitfall #42 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.

Physical protection against the damage from fires, floods, earthquakes, explosions, civil unrest, and other forms of environmental or human-made disasters should be implemented to protect your organization. These protective controls are generally defined and documented in a Physical Security Policy that is made available to all appropriate personnel. Once defined, these controls can be used to not only protect information systems and personnel, but also address the risk treatment or risk mitigation of findings identified by your organization’s risk assessment.

Smoke- or heat-activated fire detectors and alarms should be installed. Your organization should ensure these detectors and alarms are continuously operating effectively. Detectors should not be located near air conditioning vents or intake ducts that can disperse smoke, thus preventing the triggering of alarms. Fire authorities should be automatically notified when a fire alarm is activated.

Appropriate fire suppression systems, such as sprinklers, should be implemented throughout your facilities and within secure areas containing information systems. These suppression systems should be automated for any facilities or areas that are not staffed continuously. Fire suppression and detection devices or systems that are supported by independent energy sources should be implemented and maintained. Maintenance logs should be kept up to date to demonstrate these physical security devices are regularly maintained.

Water or moisture detection devices should be located in dropped ceilings and within raised floors to detect water leaks or possible flooding. Information systems should be protected from damage resulting from water leaks by ensuring that master shutoff valves are installed, accessible, and working properly. Master shutoff valves should be clearly marked, and their location should be known by all key personnel.