UCF ID: 04539
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain physical security of distributed IT assets. [UCF Control ID 00718]
There are no supporting controls.
Authority documents complied with:
- FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 4.6
- Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-24.c
- IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.6, Exhibit 4 PE-17
- DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 3.3, § 6.3
- ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.2.5
- ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.9.2.5
- ISO/IEC 27002 Code of practice for information security management, 2005, § 9.2.5
- ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.5.5
Banking and Finance Guidance
[Exam Tier II Obj 4.6, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
US Federal Security Guidance
Remote terminal equipment should be protected to ensure only authorized individuals can use the equipment. [§ 2-24.c, Army Regulation 380-19: Information Systems Security, February 27, 1998]
US Internal Revenue Guidance
For remote equipment or office work sites that process Federal Tax Information where a secure area with restricted access cannot be maintained, the highest level of protection that can be implemented should be used. [§ 4.6, Exhibit 4 PE-17, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
Other Configuration Guidance
The physical security requirements for remote devices listed in the Computing Services Security Handbook must be implemented by the remote user. All Type 1 encryption devices must be in the user's possession or stored according to the applicable guidelines. [§ 3.3, § 6.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]
ISO Guidance
Equipment located off site should be protected. The use of equipment off site should be approved by management, regardless of ownership. Any equipment taken off site should not be left unattended in public places, should be protected according to the manufacturer’s instructions, and should have suitable controls in place. These guidelines apply to computers, phones, smart cards, paper, or other forms of data storage used for working at home or off site in other environments, if permissible. [§ 9.2.5, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
All equipment that is used offsite should be protected with appropriate security controls. The risks associated with working offsite are different and should be taken into consideration. [Annex A.9.2.5, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
Equipment located off site should be protected. The use of equipment off site should be approved by management, regardless of ownership. Any equipment taken off site should not be left unattended in public places, should be protected according to the manufacturer’s instructions, and should have suitable controls in place. These guidelines apply to computers, phones, smart cards, paper, or other forms of data storage used for working at home or off site in other environments, if permissible. [§ 9.2.5, ISO/IEC 27002 Code of practice for information security management, 2005]
The service provider should make provisions for organizations to place their computing equipment in a secure environment to prevent unauthorized physical access, alteration, or removal. [§ 6.5.5, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
