Request the return of all appropriate assets upon notification of a personnel status change.


CONTROL ID
06678
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain asset return procedures. (CC ID: 04537)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Processes are in place to recover entity devices (for example, badges, laptops, and mobile devices) when an employee, contractor, vendor, or business partner no longer requires access. (CC6.4 ¶ 2 Bullet 3 Recovers Physical Devices, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Are constituents required to return assets (notebook, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon change of status? (§ E.6.4.2, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • Do the physical access control procedures include collection of access equipment (badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access? (§ F.1.2.24.3, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Is there a process to collect access mechanisms (badges, keys, change PIN numbers, etc.) when a constituent is terminated and no longer requires access to the scoped systems and data residing in the caged environment? (§ F.2.21.6, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Are access mechanisms (badges, keys, change PIN numbers, etc.) to the locked equipment cabinets that contain scoped systems and data collected when a constituent is terminated and no longer requires access? (§ F.2.22.8, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • The organization must verify that terminated employees have returned all organization-owned property. (SG.PS-4 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)