Maintain cabinet and vault security

Status: Live

The organization will physically protect confidential information stored in hard copy form by using locked cabinets or other physical containers. [UCF ID 00717]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Pg 54; FFIEC IT Examination Handbook – Operations, July 2004, Pg 37; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 13, Pg 17; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 2.3, Exam Tier II Obj 14.3; Protection of Assets Manual, ASIS International, Pg 1-I-A1, Pg 11-II-9, Pg 15-I-22, Pg 15-V-8, Pg 19-III-1, Pg 19-III-15; Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.400(d); NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-301 thru § 5-304, § 5-308; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.6 thru § 4.3.8, § 4.3.10, § 4.7.1; The Standard of Good Practice for Information Security, SM1.2.6(a), SM4.5.4(a), CB2.6.2(a), CB4.4.4(a), CI2.8.2(b), CI3.1.5, CI3.2.6, NW3.5.4, UE6.3.5(a), UE6.4.4(a), UE6.4.5(a); Australian Government ICT Security Manual (ACSI 33), § 3.1.19, § 3.9.48; Archer Control Table, ATCS-043, ATCS-050, ATCS-082, ATCS-502, ATCS-575

Banking and Finance Guidance

The organization should use fire-resistant and burglar-resistant cabinets and vaults based on the sensitivity of the information being protected. [Pg 54, FFIEC IT Examination Handbook – Information Security]

Physical and logical access controls should be implemented to monitor and restrict access to negotiable instruments. If the organization uses a signature writer, additional controls should be implemented, and the signature plates should be kept under dual control. [Pg 37, FFIEC IT Examination Handbook – Operations, July 2004]

Work papers should be secured at all times. [Pg 13, Pg 17, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

[Exam Tier II Obj 2.3, Exam Tier II Obj 14.3, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

US Federal Security Guidance

Warehouses should use locked containers when feasible. Secured storage areas should be used to store technical reports and laboratory notebooks. Safes that weigh less than 750 pounds should be anchored. Safes are designed either for fire protection or for the protection of valuables; some safes meet the requirements for both fire protection and burglary protection. The organization must decide which type it needs on a case-by-case basis. For the storage of government classified information, GSA has approved 6 classes of safes. Contact the GSA for a list of the approved safes. The organization should ensure that all supplies are recorded in an inventory and that the names of employees are noted when they take items out. The organization should ensure that vital records are stored in a fireproof safe or vault. [Pg 1-I-A1, Pg 11-II-9, Pg 15-I-22, Pg 15-V-8, Pg 19-III-1, Pg 19-III-15, Protection of Assets Manual, ASIS International]

Chemical-terrorism Vulnerability Information (CVI) must be stored in a secure container when not in the physical possession of a cleared individual. [§ 27.400(d), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

All classified material must be stored in a GSA-approved security container, vault, or closed area. Supplemental protection is required for Top Secret and Secret material stored in a closed area. Security containers must be locked at all times when not under the supervision of an authorized person. [§ 5-301 thru § 5-304, § 5-308, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

US Internal Revenue Guidance

Security containers should be lockable and should be tested to resist penetration. The lock on a security container should only have 2 keys. The keys must be strictly controlled. If a combination lock is used, only individuals who require access to the container should be issued the combination. Vaults and safes must be GSA-approved. Keys and combinations must be given only to individuals who require access to secure areas or information. The organization should provide remote workers with locking cabinets to store any confidential material or ensure that an adequate means of storage exists at the alternate site. [§ 4.3.6 thru § 4.3.8, § 4.3.10, § 4.7.1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

General Guidance

Critical papers, back-up media, and storage media should be locked in a cabinet when not in use. [SM1.2.6(a), SM4.5.4(a), CB2.6.2(a), CB4.4.4(a), CI2.8.2(b), CI3.1.5, CI3.2.6, NW3.5.4, UE6.3.5(a), UE6.4.4(a), UE6.4.5(a), The Standard of Good Practice for Information Security]

Asia and Pacific Rim Guidance

All servers and communications equipment located in a server room should be stored in locked containers. Areas where cryptographic system material is used should be separated from other classified and unclassified areas and should be designated as a controlled area. [§ 3.1.19, § 3.9.48, Australian Government ICT Security Manual (ACSI 33)]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.