Ensure the proper return of assets

Status: Live

The organization will ensure that when an employee, contractor, or third party no longer needs organizational assets, those assets are properly returned to the organization’s possession. [UCF ID 04537]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

The Standard of Good Practice for Information Security, SM1.3.7; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, App B; ISO 17799:2005 Code of Practice for Information Security Management, § 8.3.2; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.8.3.2; ISO/IEC 27002-2005 Code of practice for information security management, § 8.3.2; Archer Control Table, ATCS-076, ATCS-793; Italy Personal Data Protection Code, Annex B.28

Other Configuration Guidance

Remote users must return all government-owned equipment at the end of teleworking arrangements. [App B, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]

ISO Guidance

When an employee, contractor, or third party user is terminated, a formal process should be in place to ensure the return of the organization's assets. This includes software, equipment, corporate documents, credit cards, and more. If the users are using their own equipment, procedures should be in place to ensure the information is transferred to the organization and is securely erased from the equipment. [§ 8.3.2, ISO 17799:2005 Code of Practice for Information Security Management]

When an employee or contractor is terminated or the agreement is completed, all organization assets should be returned to the organization. [Annex A.8.3.2, ISO 27001:2005, Information Security Management Systems - Requirements]

When an employee, contractor, or third party user is terminated, a formal process should be in place to ensure the return of the organization's assets. This includes software, equipment, corporate documents, credit cards, and more. If the users are using their own equipment, procedures should be in place to ensure the information is transferred to the organization and is securely erased from the equipment. [§ 8.3.2, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

Upon termination, all employees and contractors should be required to return to the organization any information or property that belongs to the organization. [SM1.3.7, The Standard of Good Practice for Information Security]

Other European and African Guidance

When records and documents that contain sensitive or judicial personal data are given to persons in charge of processing in order to discharge a task, these records and documents must be kept and controlled by the persons in charge of processing until they are returned in order to prevent unauthorized entities from accessing them. They must be returned once the tasks are completed. [Annex B.28, Italy Personal Data Protection Code]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.