Monitor the location of distributed assets.


CONTROL ID
11684
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Protect distributed assets against theft., CC ID: 06799

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should identify the locations within and outside their premises (including service providers) where their customer data are stored or can be accessed. They should satisfy themselves that adequate physical security (including physical access controls, security guards and surveillance cameras) is … (Annex G. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Provide CD/ATM with GPS units or other tracking means. (F113.2. ¶ 4, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Fax machines and MFDs are located in areas where their use can be observed. (Control: ISM-1036; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Fax machines and MFDs are located in areas where their use can be observed. (Control: ISM-1036; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Use a wireless monitoring system that can track and locate all wireless devices and report if one or more devices are missing. (4.1.1 F, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • The entity identifies, documents, and maintains records of physical location and custody of information assets, particularly for those stored outside the physical security control of the entity (for example, software and data stored on vendor devices or employee mobile phones under a bring-your-own-… (CC2.1 ¶ 4 Bullet 5 Manages the Location of Assets, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Locations, either individually or by group. (Attachment 1 Section 3. 3.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Locations, either individually or by group. (Section 3. 3.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Locations, either individually or by group. (Attachment 1 Section 3. 3.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. (§ 164.310(d)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. (§ 164.310(d)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Ability to determine the location of agency controlled devices (§ 5.13.2 ¶ 3(2)(i), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Employ [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]. (PE-20 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]. (PE-20 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • People and Asset Tracking. Locating people and vehicles in a large installation is important for safety reasons, and it is increasingly important for security reasons as well. Asset location technologies can be used to track the movements of people and vehicles within the plant, to ensure that they … (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 4 Bullet 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and (PE-20a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]. (PE-20 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]. (PE-20 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and (PE-20a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)