Establish, implement, and maintain on-site logical controls for all distributed assets.
CONTROL ID
11682
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Protect distributed assets against theft., CC ID: 06799

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should implement controls over their premises or service providers that process or have access to large quantity of sensitive customer data (e.g. call centres, customer document imaging or processing centres, etc.) to reduce the risk of customer data theft (e.g. staff taking away copies of custo… (Annex G. ¶ 2, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Security measures are implemented to prevent unauthorised access to network management traffic. (Security Control: 1006; Revision: 6, Australian Government Information Security Manual, March 2021)
  • The organization should implement security measures in order to minimize the unauthorized access risk to network management traffic. (Control: 1006, Australian Government Information Security Manual: Controls)
  • The sources of forensic information should be protected by preventing the tampering of possible evidence. (CF.11.04.07b, The Standard of Good Practice for Information Security)
  • Access to office equipment by business users shall be authenticated (e.g. Password, token, biometric, or Radio Frequency Identification badge) to reduce the likelihood of confidential documents being left uncollected on the device. (CF.12.03.05a, The Standard of Good Practice for Information Security)
  • Access to office equipment by business users shall be authenticated (e.g. Password, token, biometric, or Radio Frequency Identification badge) to reduce the likelihood of confidential documents being left uncollected on the device. (CF.12.03.05a, The Standard of Good Practice for Information Security, 2013)
  • Important internal Certification Authorities (and related sub-certification authorities) should be protected by employing other general security controls (e.g., Change Management, back-up, and security event logging) in a particularly disciplined manner. (CF.08.06.03c, The Standard of Good Practice for Information Security, 2013)
  • The security manager must protect unclassified, non-sensitive assets with the use of badges, smart cards, and memory cards. (§ 3.5.4 ¶ AC35.060, DISA Access Control STIG, Version 2, Release 3)
  • Physical, logical, and environmental controls. (App A Objective 14:2c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Separation of duties and logical controls protect EFT-related software, customer account, and PIN information; (TIER II OBJECTIVES AND PROCEDURES E.2. Bullet 4, FFIEC IT Examination Handbook - Audit, April 2012)
  • The quality of physical and logical security, including the privacy of data. (TIER II OBJECTIVES AND PROCEDURES C.1. Bullet 8, FFIEC IT Examination Handbook - Audit, April 2012)
  • Evaluate the logical and physical security controls to ensure the availability and integrity of production retail payment systems applications. Determine: (App A Tier 2 Objectives and Procedures C.1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate the effectiveness of all logical access controls assigned for staff responsible for retail payment-related services. Determine: (App A Tier 2 Objectives and Procedures C.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the adequacy of security devices and access control procedures for EFT/POS, bankcard, and acquiring processing facilities to ensure appropriate physical and logical access controls are in place. (App A Tier 2 Objectives and Procedures G.10, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The service provider must define the key Information Security tools, mechanisms, and support components that are associated with system administration and Security Administration and use physically or logically separate subnets to isolate these from other internal Information System components. (Column F: SC-7(13), FedRAMP Baseline Security Controls)
  • Does the Credit Union provide adequate protection for the servers that house the Certification Authority information and directories? (IT - Authentication Q 26, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)