Require the return of all assets upon notification an individual is terminated.


CONTROL ID: 06679
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain asset return procedures. (CC ID: 04537)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • All internal and external employees of the cloud provider are obliged to return or irrevocably delete all assets which were handed over to them in relation to the cloud service and/or for which they are responsible as soon as the employment relationship has been terminated. (Section 5.4 AM-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Verify that all physical authentication methods have been deactivated or returned. (Testing Procedures § 8.1.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Physical access for onsite personnel to sensitive areas must be controlled by disabling or having the individual return all physical access mechanisms. (PCI DSS Requirements § 9.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. (9.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. (9.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. (9.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is physical access to sensitive areas controlled for onsite personnel, as follows: - Is access authorized and based on individual job function? - Is access revoked immediately upon termination - Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disab… (9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is physical access to sensitive areas controlled for onsite personnel, as follows: - Is access authorized and based on individual job function? - Is access revoked immediately upon termination - Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disab… (9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is physical access to sensitive areas controlled for onsite personnel, as follows: - Is access authorized and based on individual job function? - Is access revoked immediately upon termination - Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disab… (9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is physical access to sensitive areas controlled for onsite personnel, as follows: - Is access authorized and based on individual job function? - Is access revoked immediately upon termination - Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disab… (9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • All physical access mechanisms, such as keys, access cards, etc., are returned or disabled upon termination. (9.3.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • For terminated personnel, examine physical access controls lists and interview responsible personnel to verify that all physical access mechanisms (such as keys, access cards, etc.) were returned or disabled. (9.3.1.1.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is physical access to sensitive areas controlled for onsite personnel by immediately revoking access upon termination? (PCI DSS Question 9.3 Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is physical access to sensitive areas controlled for onsite personnel by immediately revoking access upon termination? (PCI DSS Question 9.3 Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • All physical access mechanisms, such as keys, access cards, etc., are returned or disabled upon termination. (9.3.1.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All physical access mechanisms, such as keys, access cards, etc., are returned or disabled upon termination. (9.3.1.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Upon termination of employment, staff and external individuals should be required to return equipment (e.g., mobile devices, laptops, ultrabooks, tablets, smartphones, portable storage devices, and specialist equipment). (CF.02.01.07b, The Standard of Good Practice for Information Security)
  • Staff and external individuals should be required to return authentication hardware (e.g., physical tokens, smartcards, and biometric equipment) upon termination of employment. (CF.02.01.07d, The Standard of Good Practice for Information Security)
  • A consistent method for securely handling the termination of relationships with external suppliers should be established, which includes return, transfer, or secure destruction of assets (e.g., back-up media storage, documentation, hardware, and authentication devices). (CF.16.01.08c, The Standard of Good Practice for Information Security)
  • Upon termination of employment, staff and external individuals should be required to return equipment (e.g., mobile devices, laptops, ultrabooks, tablets, smartphones, portable storage devices, and specialist equipment). (CF.02.01.07b, The Standard of Good Practice for Information Security, 2013)
  • Staff and external individuals should be required to return authentication hardware (e.g., physical tokens, smartcards, and biometric equipment) upon termination of employment. (CF.02.01.07d, The Standard of Good Practice for Information Security, 2013)
  • A consistent method for securely handling the termination of relationships with external suppliers should be established, which includes return, transfer, or secure destruction of assets (e.g., back-up media storage, documentation, hardware, and authentication devices). (CF.16.01.10d, The Standard of Good Practice for Information Security, 2013)
  • Upon termination of workforce personnel and/or expiration of external business relationships, all organizationally-owned assets shall be returned within an established period. (HRS-01, Cloud Controls Matrix, v3.0)
  • Establish and document procedures for the return of organization-owned assets by terminated employees. (HRS-05, Cloud Controls Matrix, v4.0)
  • All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. (A.8.1.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electr… (§ 8.1.4 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement. (§ 8.1.4 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Retrieves all security-related organizational information system-related property; (PS-4d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Retrieves all security-related organizational information system-related property; (PS-4d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Retrieves all security-related organizational information system-related property; (PS-4d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Retrieves all security-related organizational information system-related property; (PS-4d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Are constituents required to return assets (notebook, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon termination? (§ E.6.4.1, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • Retrieves all security-related organizational information system-related property; (PS-4d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Retrieves all security-related organizational information system-related property; (PS-4d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Retrieves all security-related organizational information system-related property; (PS-4d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Retrieve all security-related organizational system-related property; and (PS-4d., FedRAMP Security Controls High Baseline, Version 5)
  • Retain access to organizational information and systems formerly controlled by terminated individual. (PS-4e., FedRAMP Security Controls High Baseline, Version 5)
  • Retrieve all security-related organizational system-related property; and (PS-4d., FedRAMP Security Controls Low Baseline, Version 5)
  • Retain access to organizational information and systems formerly controlled by terminated individual. (PS-4e., FedRAMP Security Controls Low Baseline, Version 5)
  • Retrieve all security-related organizational system-related property; and (PS-4d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Retain access to organizational information and systems formerly controlled by terminated individual. (PS-4e., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Retrieve all security-related organizational system-related property; and (PS-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Retain access to organizational information and systems formerly controlled by terminated individual. (PS-4e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Retrieve all security-related organizational system-related property; and (PS-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Retain access to organizational information and systems formerly controlled by terminated individual. (PS-4e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Retrieve all security-related organizational system-related property; and (PS-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Retain access to organizational information and systems formerly controlled by terminated individual. (PS-4e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Retrieves all security-related organizational information system-related property; (PS-4d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Retrieves all security-related organizational information system-related property; (PS-4d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Retrieves all security-related organizational information system-related property; (PS-4d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must retrieve all security-related organizational Information System-related property upon termination of employment. (App F § PS-4.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must retain access to organizational information and Information Systems formerly controlled by the terminated individual upon termination of employment. (App F § PS-4.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization, upon termination of individual employment retrieves all security-related organizational information system-related property. (PS-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment retrieves all security-related organizational information system-related property. (PS-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment retrieves all security-related organizational information system-related property. (PS-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment retrieves all security-related organizational information system-related property. (PS-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Retrieves all security-related organizational information system-related property; (PS-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Retrieves all security-related organizational information system-related property; (PS-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Retrieves all security-related organizational information system-related property; (PS-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Retrieves all security-related organizational information system-related property; (PS-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Retrieve all security-related organizational system-related property; and (PS-4d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Retain access to organizational information and systems formerly controlled by terminated individual. (PS-4e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Retrieve all security-related organizational system-related property; and (PS-4d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Retain access to organizational information and systems formerly controlled by terminated individual. (PS-4e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., TX-RAMP Security Controls Baseline Level 1)
  • Retrieves all security-related organizational information system-related property; (PS-4d., TX-RAMP Security Controls Baseline Level 1)
  • Retains access to organizational information and information systems formerly controlled by terminated individual; and (PS-4e., TX-RAMP Security Controls Baseline Level 2)
  • Retrieves all security-related organizational information system-related property; (PS-4d., TX-RAMP Security Controls Baseline Level 2)