Physically separate systems that store or process sensitive data from those that don't

Status: Live

The organization will physically separate systems that store sensitive data from those that don't. [UCF ID 00722]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.1, § 5.3; The Standard of Good Practice for Information Security, SM4.1.7(f), CI2.1.4, CI2.8.5; The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005, § 2.2 (2.2.080), § 2.2 (2.2.100); DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.1 (WIR0225); DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3, § 2.1 (WIR0225); DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 6.3; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5,Release 2.4, Version 5 Release 2.4, § 2.1 (WIR0225); DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2, § 2 (WIR0225); ISO 17799:2005 Code of Practice for Information Security Management, § 11.6.2; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.11.6.2; ISO/IEC 27002-2005 Code of practice for information security management, § 11.6.2; Archer Control Table, ATCS-096; Multi-Function Device (MFD)and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3, MFD07.001

US Internal Revenue Guidance

Restricted areas must be identified with signs and must have physical barriers to separate them from non-restricted areas. Federal Tax Information (FTI) must be kept separate from other information, if possible, to avoid inadvertent disclosures. If the FTI cannot be kept separate, the file(s) must be appropriately labeled. [§ 4.3.1, § 5.3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

Other Configuration Guidance

If possible, WLAN devices should not be allowed to be used within close proximity of highly sensitive data, because signals may radiate further than expected or may be picked up by other devices that were not intended to process sensitive data. RF and IR signals should be disabled on unauthorized wireless devices before they are brought into an area processing sensitive data. [§ 2.2 (2.2.080), § 2.2 (2.2.100), The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005]

Wireless PEDs should not be used or permitted in areas that processes classified data, unless these devices have been approved for use by the Designated Approving Authority (DAA) in consultation with the Certified TEMPEST Technical Authority (CTTA) or the equipment is separated by a predetermined distance from the classified equipment and appropriate countermeasures are implemented, as determined by the CTTA. [§ 2.1 (WIR0225), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]

Wireless PEDs should not be used or permitted in areas that processes classified data, unless these devices have been approved for use by the Designated Approving Authority (DAA) in consultation with the Certified TEMPEST Technical Authority (CTTA) or the equipment is separated by a predetermined distance from the classified equipment and appropriate countermeasures are implemented, as determined by the CTTA. [§ 2.1 (WIR0225), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3]

[§ 6.3, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]

Wireless PEDs should not be used or permitted in areas that processes classified data, unless these devices have been approved for use by the Designated Approving Authority (DAA) in consultation with the Certified TEMPEST Technical Authority (CTTA) or the equipment is separated by a predetermined distance from the classified equipment and appropriate countermeasures are implemented, as determined by the CTTA. [§ 2.1 (WIR0225), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5,Release 2.4, Version 5 Release 2.4]

Wireless devices should not be used in areas that process, store, or transmit classified data electronically, unless these devices have been approved for use by the Designated Approving Authority in consultation with the Certified TEMPEST Technical Authority (CTTA) or the equipment is separated by a predetermined distance from the classified equipment and appropriate countermeasures are implemented, as determined by the CTTA.
If classified information is processed, stored, or transmitted at the site, examine the organization's documentation to ensure the CTTA was consulted about the placement and operation of wireless devices, a separation policy exists for each classified area, and users are trained on the proper use of wireless devices in classified areas. [§ 2 (WIR0225), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2]

MFDs with copy, scan or fax capabilities are not allowed on classified networks unless approved by a Designated Approving Authority (DAA). [MFD07.001, Multi-Function Device (MFD)and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3]

ISO Guidance

Systems that store sensitive information should have their own dedicated environment. This isolation of the system can be accomplished by physical or logical methods. [§ 11.6.2, ISO 17799:2005 Code of Practice for Information Security Management]

Systems that process sensitive information should have a dedicated or isolated environment. [Annex A.11.6.2, ISO 27001:2005, Information Security Management Systems - Requirements]

Systems that store sensitive information should have their own dedicated environment. This isolation of the system can be accomplished by physical or logical methods. [§ 11.6.2, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

Systems with different security requirements should be segregated. [SM4.1.7(f), CI2.1.4, CI2.8.5, The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.