UCF ID: 01623
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain adequate environmental controls and processes. [UCF Control ID 00724]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-4; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 29; FFIEC IT Examination Handbook – Information Security, Pg 54, Pg 55; Protection of Assets Manual, ASIS International, Pg 1-I-A1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.2, Exhibit 4 PE-18; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-18, PE-19; The Standard of Good Practice for Information Security, CI2.6.1, CI2.6.4(c), CI2.8.5, CI2.8.7(c); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.2.1; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.9.2.1; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.2.1; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(1)(5), ¶ 10.2.9
Banking and Finance Guidance
The organization should determine the types of products being produced near the facility, what risks they pose, and how to mitigate the risks. [Pg C-4, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
Servers and network devices should be placed in areas where unauthorized personnel cannot gain access to them. [Pg 29, FFIEC IT Examination Handbook – E-Banking, August 2003]
Workstations located in or near public areas should be physically secured; disk drives and unnecessary physical ports should be locked or removed; and automatic timeouts with password-protected screensavers should be used so that an unattended session cannot be viewed or used by passers-by. [Pg 54, Pg 55, FFIEC IT Examination Handbook – Information Security]
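The automatic timeout and password-protected screensaver called for above are the one part of this control that can be verified on the host itself. The following is an added example, not text or code from the UCF control or the FFIEC handbook: it audits and then enforces the per-user screensaver policy values on a Windows workstation. The registry path and value names are the ones Group Policy writes for these settings; the 600-second (10 minute) timeout is an assumed threshold, since the guidance does not specify one.

```powershell
# Added example (not part of the UCF control text): audit and enforce the
# screensaver lock settings for a workstation in or near a public area.
# Assumes a Windows host. The 600-second timeout is an assumed value.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Required state: screensaver on, password-protected (locks on resume),
# idle timeout no longer than the assumed maximum (seconds).
$Required = @{
    ScreenSaveActive    = '1'
    ScreenSaverIsSecure = '1'
    ScreenSaveTimeOut   = '600'
}

function Get-ScreenLockCompliance {
    param([string]$Key = $PolicyKey, [hashtable]$Expected = $Required)
    $current = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($null -ne $current) { $current.$name } else { $null }
        $ok = $false
        if ($name -eq 'ScreenSaveTimeOut') {
            # Timeout is compliant when it is set, positive, and not above the maximum.
            $seconds = 0
            if ([int]::TryParse("$actual", [ref]$seconds)) {
                $ok = ($seconds -gt 0) -and ($seconds -le [int]$Expected[$name])
            }
        } else {
            $ok = ("$actual" -eq $Expected[$name])
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = $ok
        }
    }
}

function Set-ScreenLockPolicy {
    param([string]$Key = $PolicyKey, [hashtable]$Values = $Required)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # These policy values are REG_SZ strings, matching what Group Policy writes.
        Set-ItemProperty -Path $Key -Name $name -Value $Values[$name] -Type String
    }
}

# Usage: report the current state, enforce the policy, then re-check.
Get-ScreenLockCompliance | Format-Table -AutoSize
Set-ScreenLockPolicy
Get-ScreenLockCompliance | Format-Table -AutoSize
```

The script checks the effective policy values on a single host, which is what an examiner would sample. For fleet-wide enforcement the same three settings are set centrally through Group Policy (User Configuration, Administrative Templates, Control Panel, Personalization), and a host-level check like this one then confirms that the policy actually applied.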
US Internal Revenue Guidance
The information system components for systems that process Federal Tax Information (FTI) must be placed in such a way as to minimize potential damage from environmental and physical hazards and to minimize the opportunity for unauthorized individuals to view any FTI. [§ 4.3.2, Exhibit 4 PE-18, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
Organizational records, documents, and the facility itself should be examined to verify that system components are located so as to minimize environmental hazards and prevent unauthorized access, and that specific responsibilities and actions are defined for implementing the information system component placement control (PE-18) and the information leakage control (PE-19). Any problems discovered while implementing these two controls should be documented and used to improve them.
Interviews should be conducted with personnel who decide where components are placed, personnel who use any system components, and personnel who test for information leakage. [PE-18, PE-19, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Equipment that handles sensitive information should be positioned so that the information cannot be seen by unauthorized personnel walking by. [§ 9.2.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
All information processing equipment should be placed in areas where the risks from environmental hazards are reduced. [Annex A.9.2.1, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
Equipment that handles sensitive information should be positioned so that the information cannot be seen by unauthorized personnel walking by. [§ 9.2.1, ISO/IEC 27002 Code of practice for information security management, 2005]
¶ 8.1.7(1)(5) Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
1. Material Protection
Physical safeguards to protect a building may include fences, physical access control, strong walls, doors, and windows. Secure areas within a building should be protected from unauthorized access by physical access controls, guards, etc. Secure areas might be necessary for IT equipment, such as servers, and associated software and data, supporting important business activities. Access to such secure areas should be limited to the minimum number of personnel necessary, and details recorded in a log. All diagnostic and control equipment should be securely stored and the use should be strictly controlled.
5. Protection against Theft
To achieve stock control, all items of equipment should be uniquely identifiable and an inventory maintained. Security guards/receptionists should be encouraged to check for equipment or media leaving rooms/areas or the building without authorization. Sensitive information and proprietary software held on portable media (e.g. floppy discs) should be protected appropriately.
¶ 10.2.9 Unauthorized access to storage media. An organization should implement safeguards to prevent the unauthorized access and use of storage media, which can endanger confidentiality if any confidential material is stored on that media. Safeguards to protect confidentiality are listed below.
• Operational issues: Media controls can be applied to provide, for example, physical protection and accountability for the media; assured storage deletion guarantees that nobody can recover confidential material from a previously deleted medium. Special care should be taken to protect easily removable media, such as floppy discs, back-up tapes and paper.
• Physical security: The appropriate protection of rooms (strong walls and windows as well as physical access control) and security furniture can protect against unauthorized access.
• Data confidentiality protection: Additional protection for sensitive material on storage media can be achieved by encrypting the material. A key management system should be implemented to apply encryption. [¶ 8.1.7(1)(5), ¶ 10.2.9, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
General Guidance
The organization should ensure there is appropriate separation between work and display areas. [Pg 1-I-A1, Protection of Assets Manual, ASIS International]
The computer installation (facility) should be in a building that is at low risk of fire, flood, and other disasters. Computer equipment should be protected by placing it away from smoke, dust, vibration, food, drinks, and other hazards. Critical equipment should be located away from public areas, and details of what goes on in the space should be kept confidential. [CI2.6.1, CI2.6.4(c), CI2.8.5, CI2.8.7(c), The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
