search:
               

UCF ID: 00722

Control Type: Process or Activity

Status: Live

Supporting and supported controls

This control directly supports:

• Establish and maintain physical security of distributed IT assets. [UCF Control ID 00718]

There are no supporting controls.

Authority documents complied with:

IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.1, § 5.3; The Standard of Good Practice for Information Security, SM4.1.7(f), CI2.1.4, CI2.8.5; The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005, § 2.2 (2.2.080), § 2.2 (2.2.100); DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.1 (WIR0225); DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 6.3; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.1 (WIR0225); DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2, § 2 (WIR0225); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 11.6.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.11.6.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 11.6.2; Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3, MFD07.001; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.4.11; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3, $ 2.1 (WIR0225); ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(1)(5)

US Internal Revenue Guidance

Restricted areas must be identified with signs and must have physical barriers to separate them from non-restricted areas. Federal Tax Information (FTI) must be kept separate from other information, if possible, to avoid inadvertent disclosures. If the FTI cannot be kept separate, the file(s) must be appropriately labeled. [§ 4.3.1, § 5.3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

Other Configuration Guidance

§ 2.2 (2.2.080) If possible, WLAN devices should not be allowed to be used within close proximity of highly sensitive data, because signals may radiate further than expected or may be picked up by other devices that were not intended to process sensitive data.
§ 2.2 (2.2.100) RF and IR signals should be disabled on unauthorized wireless devices before they are brought into an area processing sensitive data. [§ 2.2 (2.2.080), § 2.2 (2.2.100), The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005]

Wireless PEDs should not be used or permitted in areas that processes classified data, unless these devices have been approved for use by the Designated Approving Authority (DAA) in consultation with the Certified TEMPEST Technical Authority (CTTA) or the equipment is separated by a predetermined distance from the classified equipment and appropriate countermeasures are implemented, as determined by the CTTA. [§ 2.1 (WIR0225), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]

[§ 6.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]

Wireless PEDs (Personal Electronic Devices) should not be used or permitted in areas that process classified data, unless these devices have been approved for use by the Designated Approving Authority (DAA) in consultation with the Certified TEMPEST Technical Authority (CTTA); or the equipment is separated by a predetermined distance from the classified equipment and appropriate countermeasures are implemented, as determined by the CTTA. [§ 2.1 (WIR0225), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]

Wireless devices should not be used in areas that process, store, or transmit classified data electronically, unless these devices have been approved for use by the Designated Approving Authority in consultation with the Certified TEMPEST Technical Authority (CTTA) or the equipment is separated by a predetermined distance from the classified equipment and appropriate countermeasures are implemented, as determined by the CTTA.
If classified information is processed, stored, or transmitted at the site, examine the organization's documentation to ensure the CTTA was consulted about the placement and operation of wireless devices, a separation policy exists for each classified area, and users are trained on the proper use of wireless devices in classified areas. [§ 2 (WIR0225), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2]

MFDs with copy, scan, or fax capabilities are not allowed on classified networks, unless approved by a Designated Approving Authority (DAA). [MFD07.001, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3]

The IAO will ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless:
− Approved by the DAA in consultation with the Certified TEMPEST Technical Authority (CTTA).
− The wireless equipment is separated from the classified data equipment the distance determined by the CTTA and appropriate countermeasures, as determined by the CTTA, are implemented. [$ 2.1 (WIR0225), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3]

ISO Guidance

Systems that store sensitive information should have their own dedicated environment. This isolation of the system can be accomplished by physical or logical methods. [§ 11.6.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

Systems that process sensitive information should have a dedicated or isolated environment. [Annex A.11.6.2, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Systems that store sensitive information should have their own dedicated environment. This isolation of the system can be accomplished by physical or logical methods. [§ 11.6.2, ISO/IEC 27002 Code of practice for information security management, 2005]

Portable equipment should not be brought into areas that house sensitive facilities, unless they are under the control of authorized service provider and/or organization staff. [§ 6.4.11, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

¶ 8.1.7(1)(5) Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
1. Material Protection
Physical safeguards to protect a building may include fences, physical access control, strong walls, doors, and windows. Secure areas within a building should be protected from unauthorized access by physical access controls, guards, etc. Secure areas might be necessary for IT equipment, such as servers, and associated software and data, supporting important business activities. Access to such secure areas should be limited to the minimum number of personnel necessary, and details recorded in a log. All diagnostic and control equipment should be securely stored and the use should be strictly controlled.
5. Protection against Theft
To achieve stock control, all items of equipment should be uniquely identifiable and an inventory maintained. Security guards/receptionists should be encouraged to check for equipment or media leaving rooms/areas or the building without authorization. Sensitive information and proprietary software held on portable media (e.g. floppy discs) should be protected appropriately. [¶ 8.1.7(1)(5), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

General Guidance

Systems with different security requirements should be segregated. [SM4.1.7(f), CI2.1.4, CI2.8.5, The Standard of Good Practice for Information Security]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.