Establish and maintain a policy and set of procedures to authorize removing IT assets from the facility.

UCF ID: 04540
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Pg 53; FFIEC IT Examination Handbook – Operations, July 2004, Pg 21, Exam Tier II Obj E.1; Protection of Assets Manual, ASIS International, Pg 11-III-8, Pg 11-III-9, Pg 12-II-41; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-16; The Standard of Good Practice for Information Security, CI2.8.4; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.2.7; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.9.2.7; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.2.7; Italy Personal Data Protection Code, Annex B.24

Banking and Finance Guidance

Hardware and software should be authorized for removal before being taken from the site. [Pg 53, FFIEC IT Examination Handbook – Information Security]

The organization should develop procedures for the removal of laptops and personal digital assistants from the facility. [Pg 21, Exam Tier II Obj E.1, FFIEC IT Examination Handbook – Operations, July 2004]

NIST Guidance

Organizational records and documents should be examined to ensure that all hardware, software, and firmware entering and exiting the facility are controlled, that a log is maintained of all material entering and exiting the facility, and that specific responsibilities and actions are defined for implementing the delivery and removal control. Any problems discovered while implementing the delivery and removal control should be documented and used to improve the controls.
Interviews should be conducted with personnel who receive or send hardware, software, or firmware to ensure that the items are documented and approved for receipt and/or removal.
[PE-16, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

Personnel should not have the authority to take equipment, information, or software off the premises without proper authorization. Employees who have the authority to permit personnel to take equipment off site should be clearly identified. A log should be kept tracking what equipment has been removed and recording when it has been returned. [§ 9.2.7, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

Approval should be gained from appointed personnel before any equipment, information, or software is removed from the site. [Annex A.9.2.7, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Personnel should not have the authority to take equipment, information, or software off the premises without proper authorization. Employees who have the authority to permit personnel to take equipment off site should be clearly identified. A log should be kept tracking what equipment has been removed and recording when it has been returned. [§ 9.2.7, ISO/IEC 27002 Code of practice for information security management, 2005]

General Guidance

The organization should have policies and procedures for moving assets in and out of the facility. Property passes should be used when personal or company equipment is removed from the facility. The property pass should clearly identify the property being removed; identify the individual removing the equipment by name and badge number; be used to verify the identity of the individual when leaving the facility; include a signature, name, and phone number of the person authorizing the removal; allow the determination that the property being removed is the property listed on the property pass; include the issue date and time; include the date, time, and exit point when the property leaves the facility; identify the guard inspecting the pass; include the date the property should be returned; and include an audit copy of the property pass. [Pg 11-III-8, Pg 11-III-9, Pg 12-II-41, Protection of Assets Manual, ASIS International]

Personnel should obtain written approval from an authorized individual prior to removing any equipment from the site or facility. [CI2.8.4, The Standard of Good Practice for Information Security]

Other European and African Guidance

When data disclosing health or sex life, or genetic identity, is removed from the premises, the containers used to transport it must be equipped with locks. [Annex B.24, Italy Personal Data Protection Code]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.