Status: Live
[UCF ID 04723]
Supporting and supported controls
This control directly supports:
- Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]
This control has the following supporting controls:
- Protect information residing on portable and mobile devices [UCF Control ID 01422]
Authority documents complied with:
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 9.1.3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AC-19; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AC-19, AC-19.4; The Standard of Good Practice for Information Security, SM6.4.6, CB3.3.4, CI2.4.4, UE4.1.3, UE6.4.2(c); DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 3.3, § 6.3; DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, § 3.2 (WIR0167), § 3.3 (WIR0190), § 5 (WIR0410); ISO 17799:2005 Code of Practice for Information Security Management, § 11.7.1; ISO/IEC 27002-2005 Code of practice for information security management, § 11.7.1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.1.3; Archer Control Table, ATCS-082, ATCS-095; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 30; Australian Government ICT Security Manual (ACSI 33), § 3.1.27, § 3.1.28, § 3.4.59, § 3.4.61; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.6.1.D
Banking and Finance Guidance
Computers used for remote access should meet the security and configuration requirements of the organization. [Pg 30, FFIEC IT Examination Handbook – E-Banking, August 2003]
Payment Card Guidance
The organization must restrict physical access to handheld devices. Verify physical access to handheld devices is restricted. [§ 9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The organization must restrict physical access to handheld devices. [§ 9.1.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
An organization must require that wireless devices be labeled with owner, contact information and purpose. [§ 4.6.1.D, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
NIST Guidance
Portable and mobile devices (e.g., notebook computers, workstations, personal digital assistants) should not be allowed access to organizational networks without first meeting organizational security policies and procedures. Security policies and procedures might include such activities as scanning the devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless). [AC-19, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure specific responsibilities and actions are defined for the implementation of the portable or mobile device access control. Any problems discovered during the implementation of the portable or mobile device access control should be documented and used to improve the controls.
Test the system by connecting unauthorized portable and mobile devices to the system and ensure the unauthorized devices are detected and identified by the organization's personnel.
Interviews should be conducted with personnel involved in the implementation of access controls for portable or mobile devices. [AC-19, AC-19.4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
Other Configuration Guidance
Laptops and PDAs must never be checked as baggage; they must be hand carried. A Type 1 media encryptor must be used to protect hard drives. [§ 3.3, § 6.3, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]
Laptops that contain a WLAN card should have the default setting of the WLAN card radio set to OFF. Computers with an embedded WLAN that processes, receives, transfers, or stores classified information should have a wireless NIC that can be removed. PDAs and Smart phones should not be allowed to be connected to any computer that transmits, processes, or stores classified information.
Examine the WLAN NIC management utility to ensure the configuration of the WLAN card is set to OFF by default. Examine user training materials and user agreements to verify users have been made aware of the fact that they should not attach a PDA or Smart phone to any computer containing classified information.
Inspect 10% of the laptops to verify that the WLAN card is set to OFF on boot up. Inspect laptops that process classified information to verify that the wireless NIC can be physically removed from the laptop.
Interview a sampling of laptop users to verify they are able to enable and disable the NIC in accordance with the organizational policy. Interview the Information Assurance Officer (IAO) to determine if any laptops are used to process classified information and have an embedded wireless NIC. [§ 3.2 (WIR0167), § 3.3 (WIR0190), § 5 (WIR0410), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2]
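The "WLAN card set to OFF on boot up" inspection above is easy to automate for a sampled set of laptops. The following script is an added example and is not part of the DISA checklist or the UCF control text. It assumes Linux laptops whose radio state is reported by the util-linux `rfkill list` command (a radio is off when it is soft-blocked by software or hard-blocked by a physical switch); the per-host output embedded below is constructed sample data, not real inventory, and the host names are hypothetical.

```python
import re
from typing import Dict, List

# Constructed `rfkill list` output captured (hypothetically) from three sampled
# laptops right after boot. The format is that of util-linux rfkill: one header
# line per radio, followed by indented "Soft blocked" / "Hard blocked" lines.
SAMPLE_RFKILL_OUTPUT: Dict[str, str] = {
    "laptop-01": (                      # compliant: WLAN soft-blocked by default
        "0: phy0: Wireless LAN\n"
        "\tSoft blocked: yes\n"
        "\tHard blocked: no\n"
        "1: hci0: Bluetooth\n"
        "\tSoft blocked: yes\n"
        "\tHard blocked: no\n"
    ),
    "laptop-02": (                      # non-compliant: WLAN radio live at boot
        "0: phy0: Wireless LAN\n"
        "\tSoft blocked: no\n"
        "\tHard blocked: no\n"
    ),
    "laptop-03": (                      # compliant only via the physical switch
        "0: phy0: Wireless LAN\n"
        "\tSoft blocked: no\n"
        "\tHard blocked: yes\n"
    ),
}

HEADER = re.compile(r"^(\d+): (\S+): (.+)$")              # "0: phy0: Wireless LAN"
STATE = re.compile(r"^\s+(Soft|Hard) blocked: (yes|no)$")  # "\tSoft blocked: yes"


def parse_rfkill(text: str) -> List[dict]:
    """Parse `rfkill list` output into one dict per radio (id, dev, type, soft, hard)."""
    radios: List[dict] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            radios.append({"id": int(m.group(1)), "dev": m.group(2),
                           "type": m.group(3), "soft": None, "hard": None})
            continue
        m = STATE.match(line)
        if m and radios:
            radios[-1][m.group(1).lower()] = (m.group(2) == "yes")
    return radios


def wlan_off_at_boot(text: str) -> bool:
    """WIR0167-style check: every Wireless LAN radio must be soft- or hard-blocked.

    A host with no WLAN radio has nothing to check and passes. A soft block is
    the configured default the checklist asks for; a hard block only reflects the
    position of a physical switch, so the report below distinguishes the two.
    """
    wlans = [r for r in parse_rfkill(text) if r["type"] == "Wireless LAN"]
    return all(bool(r["soft"]) or bool(r["hard"]) for r in wlans)


def audit_sample(sample: Dict[str, str]) -> Dict[str, str]:
    """Return PASS / PASS (hard block only) / FAIL per sampled host."""
    results: Dict[str, str] = {}
    for host, out in sample.items():
        wlans = [r for r in parse_rfkill(out) if r["type"] == "Wireless LAN"]
        if not wlan_off_at_boot(out):
            results[host] = "FAIL"
        elif wlans and not any(r["soft"] for r in wlans):
            results[host] = "PASS (hard block only)"
        else:
            results[host] = "PASS"
    return results


if __name__ == "__main__":
    for host, verdict in audit_sample(SAMPLE_RFKILL_OUTPUT).items():
        print(f"{host}: {verdict}")
```

A host that only passes because of its hardware switch should be treated as a finding during the 10% inspection, since the next user can flip the switch; the default-OFF requirement is met by a software block applied at boot (for example, `rfkill block wlan` run from a boot-time service), which is what the "soft blocked" state records.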
ISO Guidance
A formal policy should be developed to protect mobile devices. The policy should contain requirements for physical protection, access controls, cryptographic techniques, backups, virus protection, how to connect to networks securely, and guidance on using the systems in public places. [§ 11.7.1, ISO 17799:2005 Code of Practice for Information Security Management]
A formal policy should be developed to protect mobile devices. The policy should contain requirements for physical protection, access controls, cryptographic techniques, backups, virus protection, how to connect to networks securely, and guidance on using the systems in public places. [§ 11.7.1, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
Portable computers should be protected against theft by providing locks to all mobile users, attaching labels to the devices, and marking the devices with indelible markings. All equipment should have some form of protection to prevent theft from occurring. [SM6.4.6, CB3.3.4, CI2.4.4, UE4.1.3, UE6.4.2(c), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
Any workstation storing official information during non-working hours should be stored and protected according to the classification of the information. Portable computers and personal electronic devices should be protected according to the classification of the information stored on them. Portable computers and personal electronic devices containing classified material should be operated in physically protected areas, under direct supervision when in use, and stored appropriately when not in use. [§ 3.1.27, § 3.1.28, § 3.4.59, § 3.4.61, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
