Status: Live
The organization will 1) establish usage restrictions and implementation guidance for mobile devices; 2) document, monitor, and control device access to organizational networks; and 3) authorize the use of mobile devices. [UCF ID 00719]
Supporting and supported controls
This control directly supports:
- Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]
This control has the following supporting controls:
- Cable personal computers to desks [UCF Control ID 04724]
Authority documents complied with:
FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 30; FFIEC IT Examination Handbook – Information Security, Exam Tier II Obj B.17, Exam Tier II Obj D.4; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 17; Introductory Resource Guide for HIPAA NIST Special Publication 800-66, § 4.11, § 4.12; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-10.f, § 2-13.c, § 2-24.c; Protection of Assets Manual, ASIS International, Pg 12-II-24, Pg 12-II-40, Pg 12-II-45; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies and Entities; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.6, § 4.7.1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.10.7; The Center for Internet Security Wireless Networking Benchmark v1.0, April 2005, § 2.2 (2.2.090), § 2.3.2 (2.3.2.010), § 2.3.2 (2.3.2.050), § 2.3.2 (2.3.2.080); Australian Government ICT Security Manual (ACSI 33), § 3.1.27, § 3.1.28, § 3.4.59, § 3.4.61; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, § 6.3.4; Archer Control Table, ATCS-082, ATCS-095
Banking and Finance Guidance
Computers used for remote access should meet the security and configuration requirements of the organization. [Pg 30, FFIEC IT Examination Handbook – E-Banking, August 2003]
[Exam Tier II Obj B.17, Exam Tier II Obj D.4, FFIEC IT Examination Handbook – Information Security]
The organization should implement physical controls to limit access to the payment messaging system to only authorized staff members. [Pg 17, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
Healthcare and Life Science Guidance
The organization should implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. [§ 4.11, § 4.12, Introductory Resource Guide for HIPAA NIST Special Publication 800-66]
US Federal Security Guidance
Systems that process classified information should be declassified before leaving them unattended, unless they are located in a secure area or a container that has been approved for the storage of classified material. Remote terminal areas should be locked or secured when an authorized individual is not present. [§ 2-10.f, § 2-13.c, § 2-24.c, Army Regulation 380-19: Information Systems Security, February 27, 1998]
Locking devices should be used to ensure the security of desktop computers. Computers should not be left unattended when a user is logged on to the system. Standalone PCs should be stored in an appropriate security container when not in use. [Pg 12-II-24, Pg 12-II-40, Pg 12-II-45, Protection of Assets Manual, ASIS International]
Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
Computer operations should be in a secure area whenever possible. The organization should provide hardware to lock down the IT equipment to large objects. [§ 4.6, § 4.7.1, IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies and Entities; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.10.7, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
Client devices should have wireless radios disabled by default. Radios should be disabled by users when they are not being used. Client devices should be configured to not automatically connect to WLANs or connect to more than one network interface simultaneously. [§ 6.3.4, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1]
Other Configuration Guidance
Embedded/unremovable wireless NICs should not be allowed, if possible, in any wireless device that is not authorized to process highly sensitive information, any wireless device used in areas that process highly sensitive information, or any wireless device that connects to wired or wireless networks that process or store highly sensitive information. WLAN client devices used in highly sensitive areas should have their recording capabilities disabled and should have their WLAN receivers and transmitters turned off. The default value of the WLAN NIC radio should be set to "OFF" for all mobile clients to ensure users are aware of when they are communicating wirelessly. This setting controls the status of the NIC radio upon boot up.
Verify the organization requires client devices, such as PDAs, to have the ability to disable their recording capability or requires users to turn off the devices or physically disable the IR and RD ports. Prior to purchase, verify it is possible, using software, to turn off WLAN client device transmitters and receivers. [§ 2.2 (2.2.090), § 2.3.2 (2.3.2.010), § 2.3.2 (2.3.2.050), § 2.3.2 (2.3.2.080), The Center for Internet Security Wireless Networking Benchmark v1.0, April 2005]
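The NIST SP 800-48 guidance above (radio off by default, no automatic WLAN connection, no simultaneous network interfaces) and the CIS benchmark guidance (no embedded WLAN NIC on devices not authorized for highly sensitive information, radio state "OFF" at boot) are both checkable from a device inventory. The script below is an added example, not part of the UCF page or of either authority document: it audits constructed configuration snapshots against those requirements and reports findings per device. The record layout, field names and sample devices are assumptions; a real deployment would populate the records from an MDM export or endpoint agent.

```python
"""Audit mobile/WLAN client configuration snapshots against the radio and
connection requirements quoted in the control text (added example; record
format and sample data are constructed assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ClientDevice:
    name: str
    wlan_radio_on_at_boot: bool          # default radio state at power-up
    autoconnect_profiles: List[str]      # WLAN profiles set to connect automatically
    active_interfaces: List[str]         # interfaces currently up
    embedded_wlan_nic: bool              # non-removable wireless NIC present
    authorized_for_sensitive: bool       # device authorized to process highly sensitive data
    recording_disabled: bool = True      # camera/mic recording capability disabled


def audit_device(dev: ClientDevice) -> List[str]:
    """Return a list of findings; an empty list means the device is compliant."""
    findings: List[str] = []
    if dev.wlan_radio_on_at_boot:
        findings.append("WLAN radio enabled at boot; default state should be OFF")
    if dev.autoconnect_profiles:
        names = ", ".join(sorted(dev.autoconnect_profiles))
        findings.append(f"automatic connection enabled for WLAN profile(s): {names}")
    if len(dev.active_interfaces) > 1:
        names = ", ".join(sorted(dev.active_interfaces))
        findings.append(f"more than one network interface active simultaneously: {names}")
    if dev.embedded_wlan_nic and not dev.authorized_for_sensitive:
        findings.append("embedded (non-removable) WLAN NIC on a device not authorized "
                        "for highly sensitive information")
    if not dev.recording_disabled and not dev.authorized_for_sensitive:
        findings.append("recording capability enabled on a device used outside "
                        "the authorized scope")
    return findings


def audit_fleet(devices: List[ClientDevice]) -> Dict[str, List[str]]:
    """Map each device name to its findings."""
    return {d.name: audit_device(d) for d in devices}


def compliance_rate(report: Dict[str, List[str]]) -> float:
    """Fraction of audited devices with no findings (0.0 when nothing was audited)."""
    if not report:
        return 0.0
    compliant = sum(1 for findings in report.values() if not findings)
    return compliant / len(report)


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    ClientDevice("LT-0001", wlan_radio_on_at_boot=False, autoconnect_profiles=[],
                 active_interfaces=["eth0"], embedded_wlan_nic=True,
                 authorized_for_sensitive=True),
    ClientDevice("LT-0002", wlan_radio_on_at_boot=True,
                 autoconnect_profiles=["corp-wifi", "guest"],
                 active_interfaces=["eth0", "wlan0"], embedded_wlan_nic=True,
                 authorized_for_sensitive=False),
    ClientDevice("PDA-0007", wlan_radio_on_at_boot=False, autoconnect_profiles=[],
                 active_interfaces=["wlan0"], embedded_wlan_nic=False,
                 authorized_for_sensitive=False),
]


if __name__ == "__main__":
    fleet_report = audit_fleet(SAMPLE_DEVICES)
    for device_name, device_findings in fleet_report.items():
        status = "PASS" if not device_findings else "FAIL"
        print(f"{device_name}: {status}")
        for item in device_findings:
            print(f"  - {item}")
    print(f"compliance rate: {compliance_rate(fleet_report):.0%}")
```

Each finding maps to one sentence of the quoted guidance, so the output doubles as evidence for the corresponding citation during an examination; the recording-capability check is gated on authorization scope because the CIS text applies it to devices used in highly sensitive areas rather than to every client.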
Asia and Pacific Rim Guidance
Any workstation storing official information during non-working hours should be stored and protected according to the classification of the information. Portable computers and personal electronic devices should be protected according to the classification of the information stored on them. Portable computers and personal electronic devices containing classified material should be operated in physically protected areas, under direct supervision when in use, and stored appropriately when not in use. [§ 3.1.27, § 3.1.28, § 3.4.59, § 3.4.61, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms [UCF Control ID 02117]
- Report on the percentage of mobile computing devices using encryption for critical information assets in accordance with policy [UCF Control ID 02118]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
