Establish, implement, and maintain off-site physical controls for all distributed assets.


CONTROL ID: 04539
CONTROL TYPE: Physical and Environmental Protection
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Protect distributed assets against theft., CC ID: 06799

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • O50.6: The organization shall prepare for lost or stolen handheld terminals by making provisions for the protection of data. T39: The organization shall provide a function to prohibit transactions through accounts using the missing medium where there has been a loss or theft of cards, passbooks, or … (O50.6, T39, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization must ensure the transferring, processing, and storage requirements for equipment that is maintained or repaired off-site are appropriate for the equipment's classification or sensitivity and the procedures are complied with at all times. (Control: 0310, Australian Government Information Security Manual: Controls)
  • The organization must ensure all mobile devices are carried in a secured state when they are not being actively used. (Control: 0870, Australian Government Information Security Manual: Controls)
  • Mobile devices must be kept under continual direct supervision when they are in use. (Control: 0871, Australian Government Information Security Manual: Controls)
  • Personnel must keep control over mobile devices and media at all times while traveling, including not putting them in checked-in luggage or leaving them unattended for any time period. (Control: 1087, Australian Government Information Security Manual: Controls)
  • The organization must ensure the area in the home where the devices are used meets the requirements of the Australian Government Physical Security Management Protocol. (Control: 0865, Australian Government Information Security Manual: Controls)
  • The organization must ensure that when devices at home are not being actively used, they are secured in accordance with the requirements of the Australian Government Physical Security Management Protocol. (Control: 0685, Australian Government Information Security Manual: Controls)
  • A firm must arrange adequate protection for clients' assets when it is responsible for them. (2.1.1 Principle 10 Clients' assets, Principles for Businesses)
  • ¶ 28: If an inspector wants to take photographs that are likely to reveal assets that are labeled as confidential or above, the security controller should arrange with the inspector to have the film processed securely. The photographs must be examined and correctly protectively marked before being … (¶ 28, ¶ 51, ¶ 52, ¶ 82, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by limiting the number and duration of verbal and electronic business discussions that involve sensitive information. (CF.14.01.07e, The Standard of Good Practice for Information Security)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by limiting the number and duration of verbal and electronic business discussions that involve sensitive information. (CF.14.01.05e, The Standard of Good Practice for Information Security, 2013)
  • The service provider should make provisions for organizations to place their computing equipment in a secure environment to prevent unauthorized physical access, alteration, or removal. (§ 6.5.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. (A.11.2.6 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Equipment located off site should be protected. The use of equipment off site should be approved by management, regardless of ownership. Any equipment taken off site should not be left unattended in public places, should be protected according to the manufacturer's instructions, and should have suit… (§ 9.2.5, ISO 27002 Code of practice for information security management, 2005)
  • Security should be applied to off-site assets taking into account the different risks of working outside the organization’s premises. (§ 11.2.6 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Off-site assets should be protected. (§ 7.9 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Remote terminal equipment should be protected to ensure only authorized individuals can use the equipment. (§ 2-24.c, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization must have the following alternate work site equipment controls: only CMS business partner-owned computers and software will be used to access, process, and store sensitive information; specific rooms or areas must be used; means must be available to communicate with managers or the … (CSR 2.2.28, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The physical security requirements for remote devices listed in the Computing Services Security Handbook must be implemented by the remote user. All Type 1 encryption devices must be in the user's possession or stored according to the applicable guidelines. (§ 3.3, § 6.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Assess adequacy of procedures for issuing cards from more than one location (e.g., branches) to ensure there are accountability and bankcard control procedures at each card-issuing location. (Exam Tier II Obj 4.6, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • For remote equipment or office work sites that process Federal Tax Information where a secure area with restricted access cannot be maintained, the highest level of protection that can be implemented should be used. (§ 4.6, Exhibit 4 PE-17, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)