Establish, implement, and maintain asset return procedures.


CONTROL ID
04537
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets., CC ID: 00718

This Control has the following implementation support Control(s):
  • Request the return of all appropriate assets upon notification of a personnel status change., CC ID: 06678
  • Require the return of all assets upon notification an individual is terminated., CC ID: 06679


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • App 2-1 Item Number VI.5.4(6): The organization must ensure that data and materials provided for consignment are returned and/or disposed of after completion of consigned services. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control… (App 2-1 Item Number VI.5.4(6), App 2-1 Item Number VI.5.5(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization shall require contractors to return any important materials, documents, and copies lent to subcontractors after the work is complete. (O90.2(4), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • A procedure for the return and secure removal of information assets from each external IT service is defined and implemented. (5.3.3 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • When records and documents that contain sensitive or judicial personal data are given to persons in charge of processing in order to discharge a task, these records and documents must be kept and controlled by the persons in charge of processing until they are returned in order to prevent unauthoriz… (Annex B.28, Italy Personal Data Protection Code)
  • ¶ 47: When the contract is complete and the contractor has no need to keep protectively marked assets, the contracting authority DSO or MOD DE&S DHSY/PSyA is responsible for ensuring that protectively marked assets are destroyed or returned, that loaned security equipment is returned, and for notifying MOD DE&S DHSY… (¶ 47, ¶ 62, App 2 ¶ 6, App 6 ¶ 7, The Contractual process, Version 5.0 October 2010)
  • Interview responsible personnel to verify that all physical authentication factors (such as smart cards, tokens, etc.) have been returned or deactivated for terminated users. (8.2.5.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Customer contracts should cover Information Security activities to be performed by the customer, which include returning or destroying information on an agreed date, or upon request. (CF.05.02.06e-2, The Standard of Good Practice for Information Security)
  • Customer contracts should cover Information Security activities to be performed by the customer, which include returning or destroying equipment on an agreed date, or upon request. (CF.05.02.06f, The Standard of Good Practice for Information Security)
  • Upon termination of employment, staff and external individuals should be required to return important documentation (e.g., about business processes, technical procedures, and key contact details) stored on portable storage media or in paper form. (CF.02.01.07a, The Standard of Good Practice for Information Security)
  • Upon termination of employment, staff and external individuals should be required to return software (including media, documentation, and licensing information). (CF.02.01.07c, The Standard of Good Practice for Information Security)
  • Contracts should specify that outsource providers are required to return or destroy information, software, or equipment on an agreed date, or upon request. (CF.16.03.07d, The Standard of Good Practice for Information Security)
  • Customer contracts should cover Information Security activities to be performed by the customer, which include returning or destroying information on an agreed date, or upon request. (CF.05.02.06e-2, The Standard of Good Practice for Information Security, 2013)
  • Customer contracts should cover Information Security activities to be performed by the customer, which include returning or destroying equipment on an agreed date, or upon request. (CF.05.02.06f, The Standard of Good Practice for Information Security, 2013)
  • Upon termination of employment, staff and external individuals should be required to return important documentation (e.g., about business processes, technical procedures, and key contact details) stored on portable storage media or in paper form. (CF.02.01.07a, The Standard of Good Practice for Information Security, 2013)
  • Upon termination of employment, staff and external individuals should be required to return software (including media, documentation, and licensing information). (CF.02.01.07c, The Standard of Good Practice for Information Security, 2013)
  • Contracts should specify that outsource providers are required to return or destroy information, software, or equipment on an agreed date, or upon request. (CF.16.03.07d, The Standard of Good Practice for Information Security, 2013)
  • The organization shall establish procedures for identifying and distinguishing returned medical devices from the conforming products. (§ 7.5.3.1 ¶ 2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Outsourced service providers should ensure that when assets are relocated, the organization is informed; assets are retrieved and returned in an agreed upon timeframe when the organization requests the return; and the organization is forewarned and assets are returned before any seizures or stoppage… (§ 5.3.3 ¶ 3, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • When an employee, contractor, or third party user is terminated, a formal process should be in place to ensure the return of the organization's assets. This includes software, equipment, corporate documents, credit cards, and more. If the users are using their own equipment, procedures should be in … (§ 8.3.2, ISO 27002 Code of practice for information security management, 2005)
  • Personnel and other interested parties as appropriate should return all the organization's assets in their possession upon change or termination of their employment, contract or agreement. (§ 5.11 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The organization should state, in an agreement, how and when third parties should dispose of and return personal information that is furnished by the organization. (Table Ref 7.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The security program, in relation to protecting personal information, should include procedures to verify computers and other assets are returned when personnel are terminated. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should establish procedures for employees and contractors to return or destroy portable media, portable devices, and printed copies that access or store personal information when they are terminated. (Table Ref 8.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Are constituents required to return assets (notebook, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation)? (§ E.6.4, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • CSR 1.3.8: Upon completion of federal tax information (FTI) use, FTI users must physically destroy the FTI or return it to the system security administrator or the originator. A receipt process must be used for FTI information that is returned to CMS. CSR 1.10.3(2): The organization must include the… (CSR 1.3.8, CSR 1.10.3(2), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The security manager and the information assurance manager must ensure the organization has a program that requires personnel to out process through the security section, which includes returning all assets and badges. (§ 3.1 ¶ AC31.035, DISA Access Control STIG, Version 2, Release 3)
  • Remote users must return all government-owned equipment at the end of teleworking arrangements. (App B, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Contracts must ensure business associates will not further use or disclose the information other than as allowed or required. (§ 164.504(e)(2)(ii)(I), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • If necessary, the group health plan must be corrected to incorporate the following: protected health information will be disclosed to the plan sponsor upon certification that the plan documents includes and the plan sponsor agrees to the return or destruction of received information and to retain no… (§ 164.504(f)(2)(ii)(I), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A Records Officer shall examine nonrecord materials that are being removed by a departing official or employee to protect information that is restricted from being released under the Privacy Act or other statutes, executive orders, or regulations. (Ch 10 (Responsibilities).a, Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • Assess adequacy of returned card procedures. Determine whether adequate controls are in place to ensure returned cards are not sent to staff with access to, or responsibility for, issuing cards. (App A Tier 2 Objectives and Procedures D.9, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization, upon termination of individual employment retains access to organizational information and information systems formerly controlled by terminated individual. (PS-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment retains access to organizational information and information systems formerly controlled by terminated individual. (PS-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment retains access to organizational information and information systems formerly controlled by terminated individual. (PS-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment retains access to organizational information and information systems formerly controlled by terminated individual. (PS-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)