Control the delivery and removal of assets through entry and exit areas.

UCF ID: 01441
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 40; Protection of Assets Manual, ASIS International, Pg 19-I-14; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-103; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.2, Exhibit 4 PE-16; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-16; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-16; The Standard of Good Practice for Information Security, CI2.8.7(d); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.1.6; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.1.6; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.4.13, § 6.5.3, § 6.5.4

Banking and Finance Guidance

All cards disbursed from the storage area should be under accountability controls and delivered only to the mail room or be destroyed. [Pg 40, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

US Federal Security Guidance

Facilities that store classified information must maintain a system to prevent or detect the introduction and removal of classified information from the facility without proper authority. Personnel who have a need to transport and/or remove classified material from the facility must have the appropriate authorization. [§ 5-103, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

US Internal Revenue Guidance

System-related items in any way used for information technology systems that contain Federal Tax Information (FTI) and their entrance and exit must be authorized and controlled by the organization. Appropriate records of the items must be maintained. [§ 4.3.2, Exhibit 4 PE-16, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

The organization must establish and maintain delivery and removal policies and procedures to authorize, monitor, and control specified system component that enter and exit the facility and maintain records for those items [App F § PE-16, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records and documents should be examined to ensure all hardware, software, and firmware entering and exiting the facility is controlled, a log is maintained of all material entering and exiting the facility, and specific responsibilities and actions are defined for the implementation of the delivery and removal control. Any problems discovered during the implementation of the delivery and removal control should be documented and used to improve the controls.
Interviews should be conducted with personnel who receive or send hardware, software, or firmware to ensure they are documented and approved for receipt and/or removal. [PE-16, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

Delivery and loading areas should be protected. If possible, they should be located away from the processing facility to prevent unauthorized access. The following guidelines should be considered when securing delivery and loading areas: Access should be restricted to authorized personnel; delivery personnel should not be able to gain access to other parts of the building; doors should be secured; incoming material should be inspected for potential threats; and incoming and outgoing shipments should be segregated. [§ 9.1.6, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

Delivery and loading areas should be protected. If possible, they should be located away from the processing facility to prevent unauthorized access. The following guidelines should be considered when securing delivery and loading areas: Access should be restricted to authorized personnel; delivery personnel should not be able to gain access to other parts of the building; doors should be secured; incoming material should be inspected for potential threats; and incoming and outgoing shipments should be segregated. [§ 9.1.6, ISO/IEC 27002 Code of practice for information security management, 2005]

Incoming and outgoing materials should be inspected for potential hazards and security incidents. Holding areas should be provided to load, unload, and inspect organizational computers and related equipment. Procedures and policies should be developed to govern the movement of the organizational equipment and for dealing with exceptions and irregularities. Staging areas should have adequate power supplies to test computer and related equipment. The power should be isolated to the staging area to prevent tripping the circuits during the testing. If networking will be tested, consideration should be given to isolating the network in the staging area. Procedures and policies should be developed to govern the movement of the organizational equipment and for dealing with exceptions and irregularities. [§ 6.4.13, § 6.5.3, § 6.5.4, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The site layout should consider the location of the shipping and receiving areas. The shipping and receiving areas should be separated from the rest of the facility, and the material that is being sent and received should be physically separated from each other. [Pg 19-I-14, Protection of Assets Manual, ASIS International]

The space used for deliveries should be separated from other parts of the installation. [CI2.8.7(d), The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.