Establish, implement, and maintain asset removal procedures or asset decommissioning procedures.
CONTROL ID
04540
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Protect distributed assets against theft., CC ID: 06799

This Control has the following implementation support Control(s):
  • Prohibit assets from being taken off-site absent prior authorization., CC ID: 12027


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization shall develop restrictions and methods for removing data files for when the files will be taken outside the organization. (O25.3(1).2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements. (P1:, Australian Government Information Security Manual, June 2023)
  • Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements. (P1:, Australian Government Information Security Manual, September 2023)
  • A procedure for the return and secure removal of information assets from each external IT service is defined and implemented. (5.3.3 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • To remove data that discloses health and sex life or genetic identity outside of the premises, the containers must be equipped with locks. (Annex B.24, Italy Personal Data Protection Code)
  • Client organizations must ensure the infrastructure, systems, and documents of a service provider are secured properly. Organizations are demanding higher security levels in outsourcing facilities, especially when the outsourced activity is critical to the organization's operations. Key physical sec… (§ 5.2 (Physical Security and Environmental Controls), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization should have policies and procedures for moving assets in and out of the facility. Property passes should be used when personal or company equipment is removed from the facility. The property pass should clearly identify the property being removed; identify the individual removing th… (Pg 11-III-8, Pg 11-III-9, Pg 12-II-41, Protection of Assets Manual, ASIS International)
  • Individuals should be required to obtain written approval before leaving the organization's premises with critical Information Technology equipment (e.g., servers, network devices, printers, and specialist equipment). (CF.19.01.09, The Standard of Good Practice for Information Security)
  • Individuals should be required to obtain written approval before leaving the organization's premises with critical Information Technology equipment (e.g., servers, network devices, printers, and specialist equipment). (CF.19.01.09, The Standard of Good Practice for Information Security, 2013)
  • Personnel should not have the authority to take equipment, information, or software off the premises without proper authorization. Employees who have the authority to permit personnel to take equipment off site should be clearly identified. A log should be kept tracking what equipment has been remov… (§ 9.2.7, ISO 27002 Code of practice for information security management, 2005)
  • The cloud service provider should provide information about the arrangements for the return and removal of any cloud service customer's assets upon termination of the agreement for the use of a cloud service. The asset return and removal arrangements should be documented in the agreements and should… (Annex A: § CLD.8.1.5 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • at decommissioning, including the knowledge and data that are contained in the AI system. (§ 4.3 ¶ 6 Bullet 6, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization must isolate delivery areas from controlled/restricted areas and control the delivery areas to prevent unauthorized access. Appropriate officials must authorize the removal or delivery of information system-related items. The organization must maintain logs for the removal and deliv… (CSR 2.2.27, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • A record shall be maintained of hardware and electronic media movements, along with the responsible person's name. The covered entity shall assess this record to determine if it is a reasonable and appropriate safeguard in the environment and, if it is reasonable and appropriate, then implement it, … (§ 164.310(d)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The organization should develop procedures for the removal of laptops and personal digital assistants from the facility. (Pg 21, Exam Tier II Obj E.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (MA-3(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (MA-3(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Prevent the removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Prevent the removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Processes and procedures are in place for decommissioning and phasing out AI systems safely and in a manner that does not increase risks or decrease the organization's trustworthiness. (GOVERN 1.7, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use. (MANAGE 2.4, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Prevent the removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Prevent the removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Prevent the removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizational records and documents should be examined to ensure all hardware, software, and firmware entering and exiting the facility is controlled, a log is maintained of all material entering and exiting the facility, and specific responsibilities and actions are defined for the implementation … (PE-16, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must explicitly approve that the system or system components may be removed for offsite maintenance or repairs. (SG.MA-3 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should require management to explicitly authorize the removal of maintenance tools from the facility. (SG.MA-4 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must require a designated official to approve the removal of Information Systems or system components from the facility for off-site maintenance or repairs. (App F § MA-2.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization requires that {organizationally documented personnel} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. (MA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires that {organizationally documented roles} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. (MA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires that {organizationally documented personnel} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. (MA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires that {organizationally documented roles} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. (MA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires that {organizationally documented personnel} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. (MA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires that {organizationally documented roles} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. (MA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires that {organizationally documented personnel} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. (MA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires that {organizationally documented roles} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. (MA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Prevent the removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prevent the removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (MA-3(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)