Access controls for displays


The organization will control physical viewing access to information system devices that display information in order to prevent unauthorized individuals from observing the display. [UCF ID 01437]

Supporting and supported controls

This control directly supports:

Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]

This control has the following supporting controls:

There are no supporting controls.

Authority documents complied with:

Australian Government ICT Security Manual (ACSI 33) § 3.1.41; FFIEC IT Examination Handbook – Retail Payment Systems Exam Tier II Obj 7.5; The Standard of Good Practice for Information Security CI2.8.7(c); ISO 27001:2005, Information Security Management Systems - Requirements § A.9.2.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 PE-5; Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § PE-5; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems § 3

US Federal Security Guidance

FIPS Publication 200, § 3 Specifications for Minimum Security Requirements calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

NIST Guidance

NIST 800-53, PE-5 states that the organization controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output.

§ 6.2 of Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST Special Publication 800-48 Revision 1 states that the organization should ensure APs and bridges are in locations that prevent the range from exceeding the physical perimeter of the facility.

International Standards Organization Guidance

The ISO 27001:2005 Information Security Management Systems - Requirements § A.9.2.1 states that all information processing equipment should be situated in such a position so there are no opportunities for unauthorized access to the display.

Asia and Pacific Rim Guidance

The Australian Government ICT Security Manual (ACSI 33) § 3.1.41 states that unauthorized personnel should be prevented from viewing computer displays and keyboards by positioning them appropriately.


Site and content © Copyright 2003-2008 Network Frontiers, LLC. All rights reserved.