Status: Live
The organization will control where information system-related items (i.e., hardware, media, software) enter and exit the facility and maintain appropriate records of those items entering and exiting the facility. [UCF ID 01441]
Supporting and supported controls
This control directly supports:
- Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 40; Protection of Assets Manual, ASIS International, Pg 19-I-14; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-103; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.2, Exhibit 4 PE-16; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, PE-16; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-16; The Standard of Good Practice for Information Security, CI2.8.7(d); ISO 17799:2005 Code of Practice for Information Security Management, § 9.1.6; ISO/IEC 27002-2005 Code of practice for information security management, § 9.1.6; Archer Control Table, ATCS-093, ATCS-094, ATCS-773
Banking and Finance Guidance
All cards disbursed from the storage area should be under accountability controls and delivered only to the mail room or be destroyed. [Pg 40, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
US Federal Security Guidance
The site layout should consider the location of the shipping and receiving areas. The shipping and receiving areas should be separated from the rest of the facility, and the material that is being sent and received should be physically separated from each other. [Pg 19-I-14, Protection of Assets Manual, ASIS International]
Facilities that store classified information must maintain a system to prevent or detect the introduction and removal of classified information from the facility without proper authority. Personnel who have a need to transport and/or remove classified material from the facility must have the appropriate authorization. [§ 5-103, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
The organization must authorize and control the entrance and exit of any system-related items used in any way for information technology systems that contain Federal Tax Information (FTI), and must maintain appropriate records of those items. [§ 4.3.2, Exhibit 4 PE-16, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
The organization must control delivery areas and, if possible, isolate the areas from the information system and media libraries to avoid unauthorized access. Appropriate organizational officials should authorize the delivery or removal of information system-related items belonging to the organization. [PE-16, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure that all hardware, software, and firmware entering and exiting the facility are controlled, that a log is maintained of all material entering and exiting the facility, and that specific responsibilities and actions are defined for the implementation of the delivery and removal control. Any problems discovered during the implementation of the delivery and removal control should be documented and used to improve the controls.
Interviews should be conducted with personnel who receive or send hardware, software, or firmware to ensure those items are documented and approved for receipt and/or removal. [PE-16, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Delivery and loading areas should be protected. If possible, they should be located away from the processing facility to prevent unauthorized access. The following guidelines should be considered when securing delivery and loading areas: Access should be restricted to authorized personnel; delivery personnel should not be able to gain access to other parts of the building; doors should be secured; incoming material should be inspected for potential threats; and incoming and outgoing shipments should be segregated. [§ 9.1.6, ISO 17799:2005 Code of Practice for Information Security Management]
Delivery and loading areas should be protected. If possible, they should be located away from the processing facility to prevent unauthorized access. The following guidelines should be considered when securing delivery and loading areas: Access should be restricted to authorized personnel; delivery personnel should not be able to gain access to other parts of the building; doors should be secured; incoming material should be inspected for potential threats; and incoming and outgoing shipments should be segregated. [§ 9.1.6, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The space used for deliveries should be separated from other parts of the installation. [CI2.8.7(d), The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
