Status: Live
The organization will control physical viewing access to information system devices that display information in order to prevent unauthorized individuals from observing the display. [UCF ID 01437]
Supporting and supported controls
This control directly supports:
- Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 7.5; Protection of Assets Manual, ASIS International, Pg 12-II-19, Pg 12-II-45; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-314.b, § 5-801.c, § 8-308; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.2, Exhibit 4 PE-5; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-5; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-5; The Standard of Good Practice for Information Security, CI2.8.7(c); ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.9.2.1; Australian Government ICT Security Manual (ACSI 33), § 3.1.41; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, § 6.2
Banking and Finance Guidance
[Exam Tier II Obj 7.5, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
US Federal Security Guidance
Workstations that process data in the clear must be located to ensure that unauthorized users cannot see the monitor. [Pg 12-II-19, Pg 12-II-45, Protection of Assets Manual, ASIS International]
Control panels for gaining access to classified areas must be installed in such a way as to prevent unauthorized personnel from seeing the combinations during input. Windows that can be used to see classified information must be covered to prevent unauthorized disclosures. Computer displays must be positioned so that unauthorized personnel cannot read information from the screen. [§ 5-314.b, § 5-801.c, § 8-308, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
Devices that display Federal Tax Information must not be located in such a position as to allow unauthorized personnel to view the information when walking by. [§ 4.3.2, Exhibit 4 PE-5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
The organization controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output. [PE-5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records, documents, and the facility should be examined to ensure that system displays are continually protected against viewing by unauthorized individuals, and that specific responsibilities and actions are defined for implementing the access control for display media. Any problems discovered during implementation of the access control for display media should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in protecting displays from unauthorized viewing. [PE-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
The organization should ensure APs and bridges are in locations that prevent the range from exceeding the physical perimeter of the facility. [§ 6.2, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1]
ISO Guidance
All information processing equipment should be situated in such a position so there are no opportunities for unauthorized access to the display. [Annex A.9.2.1, ISO 27001:2005, Information Security Management Systems - Requirements]
General Guidance
Computer equipment should be placed in such a way as to prevent a casual observer from inadvertently being able to see classified or sensitive information. [CI2.8.7(c), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
Unauthorized personnel should be prevented from viewing computer displays and keyboards by positioning them appropriately. [§ 3.1.41, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
