Secure system components from unauthorized viewing.


CONTROL ID
01437
CONTROL TYPE
Physical and Environmental Protection
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets, CC ID: 00718

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • F137.3: If the ATM is located in a convenience store, the organization should have provisions in place to prevent other people from seeing the personal identification number or other private information from the side or back when another customer is using the ATM. O37.3(2).1: Concrete measures to pr… (F137.3, O37.3(2).1, T26.1, T26.5, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Prevent unauthorised personnel from viewing the screens of personal computers easily, such as by using privacy filters, or through positioning of the personal computer. (Annex A1: Security of Personal Computers & Other Computing Devices 39, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities. (Control: ISM-0164; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities. (Control: ISM-0164; Revision: 3, Australian Government Information Security Manual, September 2023)
  • The organization should prevent unauthorized individuals from being able to view systems, in particular, keyboards and monitors. (Control: 0164, Australian Government Information Security Manual: Controls)
  • The organization should use privacy filters on the screens of mobile devices. (Control: 1145, Australian Government Information Security Manual: Controls)
  • Unauthorized personnel should be prevented from viewing computer displays and keyboards by positioning them appropriately. (§ 3.1.41, Australian Government ICT Security Manual (ACSI 33))
  • Protective measures against overhearing and viewing are implemented. (C) (2.1.4 Additional requirements for high protection needs Bullet 1, Information Security Assessment, Version 5.1)
  • Protective measures against simple overhearing and viewing are implemented. (C) (3.1.1 Additional requirements for high protection needs Bullet 1, Information Security Assessment, Version 5.1)
  • The organization should not place computer screens in locations where they might be illicitly viewed. (Security Policy No. 5 ¶ 7, HMG Security Policy Framework, Version 6.0 May 2011)
  • Equipment should be placed in suitable locations where extraneous factors cannot interfere with the system. (¶ 3, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Discretion should be used in public areas. (§ 5.4 (Business Process Risks), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Workstations that process data in the clear must be located to ensure that unauthorized users cannot see the monitor. (Pg 12-II-19, Pg 12-II-45, Protection of Assets Manual, ASIS International)
  • Computing devices used by staff working in remote environments should be supplied with a security screen filter (often referred to as a privacy filter) to protect against the threat of shoulder surfing. (CF.14.01.04f, The Standard of Good Practice for Information Security)
  • Physical access to critical facilities should be protected by locating computer equipment (e.g., servers, desktop computers, and laptops) and peripheral devices (e.g., console screens and printers) so that sensitive information cannot be overlooked. (CF.19.01.05c, The Standard of Good Practice for Information Security)
  • Physical access to critical facilities should be protected by locating computer equipment (e.g., servers, desktop computers, and laptops) and peripheral devices (e.g., console screens and printers) so that sensitive information cannot be overlooked. (CF.19.01.05c, The Standard of Good Practice for Information Security, 2013)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access (PE-18 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization must position data entry workstation monitors to eliminate viewing by unauthorized persons. (CSR 7.3.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must place display devices or devices that output sensitive information or classified information in human-readable format in a way to prevent unauthorized individuals from reading the information. (PEDI-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Control panels for gaining access to classified areas must be installed in such a way as to prevent unauthorized personnel from seeing the combinations during input. Windows that can be used to see classified information must be covered to prevent unauthorized disclosures. Computer displays must be … (§ 5-314.b, § 5-801.c, § 8-308, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The agency shall place Information System monitors in a way to prevent unauthorized individuals from accessing and viewing criminal justice information. (§ 5.9.1.5, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall place Information System devices and documents in controlled areas that contain criminal justice information in a way to prevent unauthorized individuals from access and view. (§ 5.9.2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall control physical access to information system devices that display CJI and shall position information system devices in such a way as to prevent unauthorized individuals from accessing and viewing CJI. (§ 5.9.1.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Position information system devices and documents containing CJI in such a way as to prevent unauthorized individuals from access and view. (§ 5.9.2 ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall control physical access to information system devices that display CJI and shall position information system devices in such a way as to prevent unauthorized individuals from accessing and viewing CJI. (§ 5.9.1.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Position information system devices and documents containing CJI in such a way as to prevent unauthorized individuals from access and view. (§ 5.9.2 ¶ 1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine whether retail EFT equipment keyboards or display units are properly shielded to avoid disclosure of customer IDs or PINs. (App A Tier 2 Objectives and Procedures G.5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether retail EFT equipment keyboards or display units are properly shielded to avoid disclosure of customer IDs or PINs. (Exam Tier II Obj 7.5, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization positions information system components within the facility to minimize potential damage from [FedRAMP Assignment: physical and environmental hazards identified during threat assessment] and to minimize the opportunity for unauthorized access. (PE-18 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Position system components within the facility to minimize potential damage from [FedRAMP Assignment: physical and environmental hazards identified during threat assessment] and to minimize the opportunity for unauthorized access. (PE-18 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Devices that display Federal Tax Information must not be located in such a position as to allow unauthorized personnel to view the information when walking by. (§ 4.3.2, Exhibit 4 PE-5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Establish policies and procedures that limit unauthorized persons from viewing sensitive information. (§ 4.11.3 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporti… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents and the facility should be examined to ensure system displays are continually protected against being viewed by unauthorized individuals and specific responsibilities and actions are defined for the implementation of the access control for display medium control.… (PE-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access (PE-18 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access (PE-18 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. (PE-18 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)