iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/a-7.9-Security-of-assets-off-premises.md


7.9 Security of assets off-premises

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|------------------|-----------------------------------------|---------------------------|----------------------------------------|---------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection |

Control

Off-site assets should be protected.

Purpose

To prevent loss, damage, theft or compromise of off-site devices and interruption to the organization's operations.

Guidance

Any device used outside the organization's premises which stores or processes information (e.g. mobile device), including devices owned by the organization and devices owned privately and used on behalf of the organization [bring your own device (BYOD)], needs protection. The use of these devices should be authorized by management.

The following guidelines should be considered for the protection of devices which store or process information outside the organization's premises:

a) not leaving equipment and storage media taken off premises unattended in public and unsecured places;

b) observing manufacturers' instructions for protecting equipment at all times (e.g. protection against exposure to strong electromagnetic fields, water, heat, humidity, dust);

c) when off-premises equipment is transferred among different individuals or interested parties, maintaining a log that defines the chain of custody for the equipment including at least names and organizations of those who are responsible for the equipment. Information that does not need to be transferred with the asset should be securely deleted before the transfer;

d) where necessary and practical, requiring authorization for equipment and media to be removed from the organization's premises and keeping a record of such removals in order to maintain an audit trail (see 5.14);

e) protecting against viewing information on a device (e.g. mobile or laptop) on public transport, and the risks associated with shoulder surfing;

f) implementing location tracking and ability for remote wiping of devices.

Permanent installation of equipment outside the organization's premises [such as antennas and automated teller machines (ATMs)] can be subject to higher risk of damage, theft or eavesdropping. These risks can vary considerably between locations and should be taken into account in determining the most appropriate measures. The following guidelines should be considered when siting this equipment outside of the organization's premises:

a) physical security monitoring (see 7.4);

b) protecting against physical and environmental threats (see 7.5);

c) physical access and tamper proofing controls;

d) logical access controls.

Other information

More information about other aspects of protecting information storing and processing equipment and user endpoint devices can be found in 8.1 and 6.7.