The organization will ensure that there is a proper policy and set of procedures for authorizing the removal of IT assets from the facility. [UCF ID 04540]
Supporting and supported controls
This control directly supports:
• Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]
This control has the following supporting controls:
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security Pg 53; FFIEC IT Examination Handbook – Operations Pg 21, Exam Tier II Obj E.1; The Standard of Good Practice for Information Security CI2.8.4; ISO 17799:2005 Code of Practice for Information Security Management § 9.2.7; ISO 27001:2005 Information Security Management Systems - Requirements § A.9.2.7; ISO/IEC 27002-2005 Code of practice for information security management § 9.2.7; Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § PE-16
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Operations Pg 21, Exam Tier II Obj E.1 states that the organization should develop procedures for the removal of laptops and personal digital assistants from the facility.
International Standards Organization Guidance
The ISO/IEC 27002-2005 Code of practice for information security management § 9.2.7 states that personnel should not have the authority to take equipment, information, or software off the premises without proper authorization. Employees who have the authority to permit personnel to take equipment off site should be clearly identified. A log should be kept tracking what equipment has been removed and recording when it has been returned.
The ISO 27001:2005 Information Security Management Systems - Requirements § A.9.2.7 states that approval should be gained from appointed personnel before any equipment, information, or software is removed from the site.
The ISO 17799:2005 Code of Practice for Information Security Management § 9.2.7 states that personnel should not have the authority to take equipment, information, or software off the premises without proper authorization. Employees who have the authority to permit personnel to take equipment off site should be clearly identified. A log should be kept tracking what equipment has been removed and recording when it has been returned.
