Ensure that the return of assets follows guidelines and standards.

UCF ID: 04537
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

The Standard of Good Practice for Information Security, SM1.3.7; DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, App B; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 8.3.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.8.3.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 8.3.2; Italy Personal Data Protection Code, Annex B.28; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.3.3 ¶ 3

Other Configuration Guidance

Remote users must return all government-owned equipment at the end of teleworking arrangements. [App B, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]

ISO Guidance

When an employee, contractor, or third party user is terminated, a formal process should be in place to ensure the return of the organization's assets. This includes software, equipment, corporate documents, credit cards, and more. If the users are using their own equipment, procedures should be in place to ensure the information is transferred to the organization and is securely erased from the equipment. [§ 8.3.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

When an employee or contractor is terminated or the agreement is completed, all organization assets should be returned to the organization. [Annex A.8.3.2, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

When an employee, contractor, or third party user is terminated, a formal process should be in place to ensure the return of the organization's assets. This includes software, equipment, corporate documents, credit cards, and more. If the users are using their own equipment, procedures should be in place to ensure the information is transferred to the organization and is securely erased from the equipment. [§ 8.3.2, ISO/IEC 27002 Code of practice for information security management, 2005]

Outsourced service providers should ensure that when assets are relocated, the organization is informed; assets are retrieved and returned in an agreed-upon timeframe when the organization requests the return; and the organization is forewarned and assets are returned before any seizures or stoppages. [§ 5.3.3 ¶ 3, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

Upon termination, all employees and contractors should be required to return to the organization any information or property that belongs to the organization. [SM1.3.7, The Standard of Good Practice for Information Security]

Other European and African Guidance

When records and documents that contain sensitive or judicial personal data are given to persons in charge of processing in order to discharge a task, these records and documents must be kept and controlled by the persons in charge of processing until they are returned in order to prevent unauthorized entities from accessing them. They must be returned once the tasks are completed. [Annex B.28, Italy Personal Data Protection Code]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

