
Establish, implement, and maintain end user computing device security guidelines.


CONTROL ID
00719
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets., CC ID: 00718

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a locking screen saver policy., CC ID: 06717
  • Encrypt information stored on devices in publicly accessible areas., CC ID: 16410
  • Secure workstations to desks with security cables., CC ID: 04724


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • F122: The organization should install its servers in zones that are difficult to access from outside. F125: The organization should install its servers in fire preventive blocks in accordance with the Building Standard Law. (F122, F125, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Fax machines and MFDs are located in areas where their use can be observed. (Security Control: 1036; Revision: 3, Australian Government Information Security Manual, March 2021)
  • The procedures for how to secure the system during temporary absence should be included in the Standard Operating Procedures for users. (Control: 0056 Table Row "Temporary absence", Australian Government Information Security Manual: Controls)
  • The organization must ensure information and communications technology equipment and media that contains sensitive information or classified information is secured in accordance with the requirements from the Australian Government Physical Security Management Protocol. (Control: 0161, Australian Government Information Security Manual: Controls)
  • The organization should use telephones that display a visual indication of the type of connection, if different levels of conversations are allowed with different kinds of connections. (Control: 0231, Australian Government Information Security Manual: Controls)
  • The organization must ensure when devices at home are not being actively used, they are secured in accordance with the requirements of the Australian Government Physical Security Management Protocol. (Control: 0685, Australian Government Information Security Manual: Controls)
  • Any workstation storing official information during non-working hours should be stored and protected according to the classification of the information. Portable computers and personal electronic devices should be protected according to the classification of the information stored on them. Portable … (§ 3.1.27, § 3.1.28, § 3.4.59, § 3.4.61, Australian Government ICT Security Manual (ACSI 33))
  • Processes are in place to protect endpoint and mobile computing and personal productivity devices (such as laptop and desktop computers, servers, networking and data storage devices, smart phones and tablets) that are used in computing, networking, data storage and processing of the entity's informa… (S7.3 Protects end point and mobile devices, Privacy Management Framework, Updated March 1, 2020)
  • § 2.2 (2.2.090) Embedded/unremovable wireless NICs should not be allowed, if possible, in any wireless device that is not authorized to process highly sensitive information, any wireless device used in areas that process highly sensitive information, or any wireless device that connects to wired or… (§ 2.2 (2.2.090), § 2.3.2 (2.3.2.010), § 2.3.2 (2.3.2.050), § 2.3.2 (2.3.2.080), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Mobile device management should be reviewed by the IT auditor and he/she should, at a minimum, consider the processes to procure devices; standardizing devices; the policies and procedures for defining the security baselines; the process to control data transmission; the process to control access in… (App A.2, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Locking devices should be used to ensure the security of desktop computers. Computers should not be left unattended when a user is logged on to the system. Standalone PCs should be stored in an appropriate security container when not in use. (Pg 12-II-24, Pg 12-II-40, Pg 12-II-45, Protection of Assets Manual, ASIS International)
  • Access to computing devices used in remote environments should be restricted by encrypting passwords and preventing logical access to the capabilities of unattended computing devices (e.g., by using password-protected screen savers and configuring computers with a terminal lock-out). (CF.14.01.05, The Standard of Good Practice for Information Security)
  • Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable Content Security Policy (CSP) to reduce the risk from XSS vectors or … (1.12.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Users shall ensure that unattended equipment has appropriate protection. (A.11.2.8 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Users should ensure that unattended equipment has appropriate protection. (§ 11.2.8 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Information stored on, processed by or accessible via user endpoint devices should be protected. (§ 8.1 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. (DE.CM-3.1, CRI Profile, v1.2)
  • The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. (DE.CM-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • If business information systems are used to transmit scoped systems and data, are security requirements documented? (§ I.1.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If business information systems are used to process scoped systems and data, are security requirements documented? (§ I.1.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If business information systems are used to store scoped systems and data, are security requirements documented? (§ I.1.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Systems that process classified information should be declassified before leaving them unattended, unless they are located in a secure area or a container that has been approved for the storage of classified material. Remote terminal areas should be locked or secured when an authorized individual is… (§ 2-10.f, § 2-13.c, § 2-24.c, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 1.13.1: The organization must define and implement the following workstation security requirements: what functions can be performed; how these functions are to be performed; and the physical attributes of the surroundings of workstations that can access CMS sensitive information. CSR 2.2.19: Th… (CSR 1.13.1, CSR 2.2.19, CSR 2.2.24, CSR 7.3.1, CSR 7.3.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Physical safeguards shall be implemented to restrict access to authorized users for all workstations that access electronic protected health information. (§ 164.310(c), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protec… (§ 164.310(b), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Desktop security—discuss use of screensavers, restricting visitors' view of information on screen (mitigating "shoulder surfing"), battery backup devices, allowed access to systems. (§ 5.2.1.3 ¶ 1(15), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Computers used for remote access should meet the security and configuration requirements of the organization. (Pg 30, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should implement physical controls to limit access to the payment messaging system to only authorized staff members. (Pg 17, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Computer operations should be in a secure area whenever possible. The organization should provide hardware to lock down the IT equipment to large objects. (§ 4.6, § 4.7.1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Credit Union use fire resistant storage cabinets, boxes, or safes for storing computing and non-computing assets? (IT - Security Program Q 19, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.12.1 Bullet 1: Document how employees and third parties access workstations. § 4.12.2 Bullet 2: Identify the type of workstation access that is the greatest threat to security. (§ 4.12.1 Bullet 1, § 4.12.2 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • (§ 3.10.7, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Access Control. Access control systems should ensure that only authorized people have access to controlled spaces. An access control system should be flexible. The need for access may be based on time (day vs. night shift), level of training, employment status, work assignment, plant status, and a m… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 4 Bullet 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Computers and computerized devices used for ICS functions (such as PLC programming) should never be allowed to leave the ICS area. Laptops, portable engineering workstations and handhelds (e.g., 375 HART communicator) should be tightly secured and should never be allowed to be used outside the ICS n… (§ 6.2.11.2 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Client devices should have wireless radios disabled by default. Radios should be disabled by users when they are not being used. Client devices should be configured to not automatically connect to WLANs or connect to more than one network interface simultaneously. (§ 6.3.4 (IEEE 802.11 radio management), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
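Several of the authority documents above (CF.14.01.05, CJIS § 5.2.1.3, the locking screen saver support control CC ID 06717) require that unattended end user devices lock automatically and demand a password to resume. The following is an added example, not code from any cited document or from the page's publisher: a small audit script that reads the output of `gsettings list-recursively` from a GNOME desktop and reports where the screen-lock configuration falls short of an assumed baseline (lock enabled, activation within 15 minutes of inactivity, no grace period before the lock engages). The baseline numbers and the two sample dumps are constructed for illustration; the schema and key names are real GNOME settings.

```python
"""Audit GNOME screen-lock settings against an assumed end user device baseline.

Added example for this control page, not part of any cited authority document.
MAX_IDLE_SECONDS and MAX_LOCK_DELAY are assumed baseline values, not a quotation
of any standard listed above.  The input format is that of
`gsettings list-recursively`; the two dumps at the bottom are constructed.
"""

import re

MAX_IDLE_SECONDS = 900  # assumed baseline: activate the lock within 15 minutes of idle
MAX_LOCK_DELAY = 0      # assumed baseline: require a password as soon as the screen blanks

# (schema, key) pairs the check needs; all are real GNOME schema keys.
REQUIRED_KEYS = {
    ("org.gnome.desktop.session", "idle-delay"),       # seconds of inactivity before blanking; 0 = never
    ("org.gnome.desktop.screensaver", "lock-enabled"), # whether blanking also locks the session
    ("org.gnome.desktop.screensaver", "lock-delay"),   # grace period (seconds) before the lock engages
}

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_gsettings(dump: str) -> dict:
    """Parse `gsettings list-recursively` text into {(schema, key): value_text}.

    Values keep their GVariant text form, e.g. 'true' or 'uint32 300'.
    Lines that do not match the three-column layout are ignored.
    """
    settings = {}
    for raw in dump.splitlines():
        match = _LINE.match(raw.strip())
        if match:
            schema, key, value = match.groups()
            settings[(schema, key)] = value.strip()
    return settings


def parse_uint(value: str) -> int:
    """'uint32 300' -> 300; a bare '300' also works."""
    return int(value.split()[-1])


def parse_bool(value: str) -> bool:
    return value.strip().lower() == "true"


def check_screen_lock(dump: str) -> list:
    """Return a list of findings; an empty list means the dump meets the assumed baseline."""
    settings = parse_gsettings(dump)
    findings = []

    missing = [f"{schema} {key}" for schema, key in REQUIRED_KEYS if (schema, key) not in settings]
    if missing:
        # Without the keys we cannot reason about the lock, so stop here rather than guess.
        findings.append("missing keys: " + ", ".join(sorted(missing)))
        return findings

    idle = parse_uint(settings[("org.gnome.desktop.session", "idle-delay")])
    if idle == 0:
        # In GNOME an idle-delay of 0 means "never", so the inactivity lock never fires.
        findings.append("idle-delay is 0: the screen never blanks, so the lock never triggers on inactivity")
    elif idle > MAX_IDLE_SECONDS:
        findings.append(f"idle-delay {idle}s exceeds the baseline of {MAX_IDLE_SECONDS}s")

    if not parse_bool(settings[("org.gnome.desktop.screensaver", "lock-enabled")]):
        findings.append("lock-enabled is false: the screensaver activates without requiring a password")

    lock_delay = parse_uint(settings[("org.gnome.desktop.screensaver", "lock-delay")])
    if lock_delay > MAX_LOCK_DELAY:
        findings.append(f"lock-delay {lock_delay}s: a walk-up user can resume the session without a password during the grace period")

    return findings


# Constructed sample dumps (not captured from a real host).
COMPLIANT_DUMP = """\
org.gnome.desktop.session idle-delay uint32 300
org.gnome.desktop.screensaver lock-enabled true
org.gnome.desktop.screensaver lock-delay uint32 0
org.gnome.desktop.screensaver idle-activation-enabled true
"""

WEAK_DUMP = """\
org.gnome.desktop.session idle-delay uint32 0
org.gnome.desktop.screensaver lock-enabled false
org.gnome.desktop.screensaver lock-delay uint32 30
"""

if __name__ == "__main__":
    for name, dump in (("compliant", COMPLIANT_DUMP), ("weak", WEAK_DUMP)):
        findings = check_screen_lock(dump)
        print(name + ":", "OK" if not findings else "\n  " + "\n  ".join(findings))
```

On a live machine, feed it real output with `gsettings list-recursively org.gnome.desktop.session org.gnome.desktop.screensaver`; note that per-user gsettings can be overridden by the user unless the values are also locked down through dconf lockdown files, so a passing check here shows the current state, not that the policy is enforced.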