Record the physical location for applicable assets in the asset inventory.


CONTROL ID
06634
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an asset inventory., CC ID: 06631

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Its location (Critical components of information security 3) ¶ 2 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Internet of Things (IoT) includes any electronic devices, such as smart phones, multi-function printers, security cameras and smart televisions, which can be connected to the FI's network or the Internet. As with all information assets, the FI should maintain an inventory of all its IoT devices, inc… (§ 11.5.1, Technology Risk Management Guidelines, January 2021)
  • essential rooms for maintenance of operation correspondingly requiring a higher security level (e.g. data centre, server rooms): Type, room number and building (§ 3.2.4 Subsection 1 ¶ 1 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In addition, checks must be made as to whether information that requires protection is stored in other rooms. Then these rooms must also be recorded. Here, also the rooms where non-electronic information requiring protection is stored, e.g. document files or microfilms, must be acquired. The type of… (§ 8.1.8 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • location (e.g. building and room number), (§ 8.1.4 ¶ 2 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • place of installation of the IT systems (e.g. location, building, room), (§ 8.1.5 Subsection 1 ¶ 3 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • place of installation of the devices (e.g. building, hall, room), (§ 8.1.6 ¶ 5 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • place of installation of the devices, (§ 8.1.7 ¶ 5 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • For the further approach of modelling as per IT-Grundschutz and for planning the gap analysis it is useful to produce a summary of the properties, especially the rooms, in which the IT, ICS or IoT systems are located or are used for their operation. This includes rooms that are used exclusively for … (§ 8.1.8 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the location of the assigned objects and/or group of objects, (§ 8.4.3 ¶ 4 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The architecture of the network is documented comprehensibly and currently (e. g. in the form of diagrams) in order to avoid errors in the management during live operation and ensure timely restoration according to the contractual duties in the event of damage. Different environments (e. g. administ… (Section 5.9 KOS-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Examine the list of devices to verify it includes the location of the device. (Testing Procedures § 9.9.1.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Select a sample of devices and observe their locations to verify the device list is accurate and up-to-date. (Testing Procedures § 9.9.1.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The list of devices must include the location of the device. (PCI DSS Requirements § 9.9.1 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. (9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. (9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. (9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Does the list of devices include the following? - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification (9.9.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Examine the list of devices to verify it includes: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. (9.9.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.4. (3.6.1.1 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Offsite tracking logs include details about media location. (9.4.3 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Location of device. (9.5.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Does the list of devices that capture payment card data via direct physical interaction with the card include the location of the device (for example, the address of the site or facility where the device is located)? (PCI DSS Question 9.9.1(a) Bullet 2, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Does the list of devices that capture payment card data via direct physical interaction with the card include the location of the device (for example, the address of the site or facility where the device is located)? (PCI DSS Question 9.9.1(a) Bullet 2, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Does the list of devices that capture payment card data via direct physical interaction with the card include the location of the device (for example, the address of the site or facility where the device is located)? (PCI DSS Question 9.9.1(a) Bullet 2, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Does the list of devices that capture payment card data via direct physical interaction with the card include the location of the device (for example, the address of the site or facility where the device is located)? (PCI DSS Question 9.9.1(a) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the list of devices that capture payment card data via direct physical interaction with the card include the location of the device (for example, the address of the site or facility where the device is located)? (PCI DSS Question 9.9.1(a) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Does the list of devices that capture payment card data via direct physical interaction with the card include the location of the device (for example, the address of the site or facility where the device is located)? (PCI DSS Question 9.9.1(a) Bullet 2, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Location of device. (9.5.1.1 Bullet 2, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Location of device. (9.5.1.1 Bullet 2, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Location of device. (9.5.1.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offsite tracking logs include details about media location. (9.4.3 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.4. (3.6.1.1 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Location of device. (9.5.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offsite tracking logs include details about media location. (9.4.3 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Location of device. (9.5.1.1 Bullet 2, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Asset registers should specify important information about each asset, including the location of hardware in use. (CF.03.04.04c-1, The Standard of Good Practice for Information Security)
  • Asset registers should specify important information about each asset, including the location of software in use. (CF.03.04.04c-2, The Standard of Good Practice for Information Security)
  • Asset registers should specify important information about each asset, including location of hardware and software in use and details of portability (i.e., the extent to which the asset can change location). (CF.03.04.04d, The Standard of Good Practice for Information Security, 2013)
  • Define and implement, processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up. (DSP-19, Cloud Controls Matrix, v4.0)
  • The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g., identification of the cloud service. (§ 8.1.1 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The entity identifies, documents, and maintains records of physical location and custody of information assets, particularly for those stored outside the physical security control of the entity (for example, software and data stored on vendor devices or employee mobile phones under a bring-your-own-… (CC2.1 ¶ 4 Bullet 5 Manages the Location of Assets, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Does the inventory system contain a field for the physical location of the asset? (§ D.1.1.3, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Identifying the type and version of open source software in use, where it is used within the entity, and its purpose. (App A Objective 13:6g Bullet 2 Sub-Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Inventories of backup media, storage location, and access controls for the media or physical location. (App A Objective 15:4a Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; (CM-12a., FedRAMP Security Controls High Baseline, Version 5)
  • Document changes to the location (i.e., system or system components) where the information is processed and stored. (CM-12c., FedRAMP Security Controls High Baseline, Version 5)
  • Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; (CM-12a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Document changes to the location (i.e., system or system components) where the information is processed and stored. (CM-12c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; (CM-12a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Document changes to the location (i.e., system or system components) where the information is processed and stored. (CM-12c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Document changes to the location (i.e., system or system components) where the information is processed and stored. (CM-12c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; (CM-12a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms]. (CM-8(8) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; (CM-12a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Document changes to the location (i.e., system or system components) where the information is processed and stored. (CM-12c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms]. (CM-8(8) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; (CM-12a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Document changes to the location (i.e., system or system components) where the information is processed and stored. (CM-12c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should develop, document, and maintain a system component inventory that ensures the logical location and physical location of each component is located in the system boundary. (SG.CM-8 Requirement 5, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization employs automated mechanisms to support tracking of information system components by geographic location. (CM-8(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to support tracking of information system components by geographic location. (CM-8(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms]. (CM-8(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; (CM-12a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Document changes to the location (i.e., system or system components) where the information is processed and stored. (CM-12c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms]. (CM-8(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; (CM-12a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Document changes to the location (i.e., system or system components) where the information is processed and stored. (CM-12c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization employs automated mechanisms to support tracking of information system components by geographic location. (CM-8(8) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • location; (§ 500.13 Asset Management and Data Retention Requirements (a)(1)(ii), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)