ISO 27001:2022 A 7.9 Security of assets off-premises

When devices containing information assets are taken out of an organisation’s premises, they will be exposed to higher risks of damage, loss, destruction, theft, or compromise. This is because physical security controls implemented within an organisation’s facilities will not be effective, leaving the assets taken off-site vulnerable to threats such as physical risks and unauthorized access by malicious parties. For example, employees working off-site can take corporate computers containing sensitive information out of business premises, work at a coffee house or a hotel lobby, connect to an insecure public Wi-Fi and leave their devices unattended. All of these present risks to the security, confidentiality, integrity, and availability of information hosted on these devices. Organisations are to establish and apply procedures and controls that cover all devices owned by or used on behalf of the organisation. Furthermore, the creation of an asset inventory and upper management’s approval of the use of personal devices is essential to the effective protection of off-site devices.

Security controls need to be applied to off-site assets, taking into account the different risks involved with working outside the organisation’s premises. This is a common area of vulnerability, so it is important that the appropriate level of controls is implemented and ties into other mobile controls and policies for homeworkers etc. Considerations should be made and risk assessments carried out for assets that are taken off site, either routinely or by exception. Controls will likely include a mixture of technical controls such as access control policies, password management and encryption; physical controls such as locks; and policy and process controls such as an instruction never to leave assets unattended in public view (e.g. locking them in the boot of the car). It is particularly important to review security incident trends relating to off-site assets. The auditor will expect to see evidence of this risk assessment taking place and the proportionate controls selected according to the evaluated risk levels. They will also expect to see evidence of policy compliance.


Off-site assets should be protected.


To prevent loss, damage, theft or compromise of off-site devices and interruption to the organization’s operations.

ISO 27002 Implementation Guidance

Any device used outside the organization’s premises which stores or processes information (e.g. mobile device), including devices owned by the organization and devices owned privately and used on behalf of the organization [bring your own device (BYOD)], needs protection. The use of these devices should be authorized by management. The following guidelines should be considered for the protection of devices which store or process information outside the organization’s premises:

  1. not leaving equipment and storage media taken off premises unattended in public and unsecured places;
  2. observing manufacturers’ instructions for protecting equipment at all times (e.g. protection against exposure to strong electromagnetic fields, water, heat, humidity, dust);
  3. when off-premises equipment is transferred among different individuals or interested parties, maintaining a log that defines the chain of custody for the equipment including at least names and organizations of those who are responsible for the equipment. Information that does not need to be transferred with the asset should be securely deleted before the transfer;
  4. where necessary and practical, requiring authorization for equipment and media to be removed from the organization’s premises and keeping a record of such removals in order to maintain an audit trail;
  5. protecting against viewing information on a device (e.g. mobile or laptop) on public transport, and the risks associated with shoulder surfing;
  6. implementing location tracking and ability for remote wiping of devices.

Permanent installation of equipment outside the organization’s premises [such as antennas and automated teller machines (ATMs)] can be subject to higher risk of damage, theft or eavesdropping. These risks can vary considerably between locations and should be taken into account in determining the most appropriate measures. The following guidelines should be considered when siting this equipment outside of the organization’s premises:
a) physical security monitoring;
b) protecting against physical and environmental threats;
c) physical access and tamper proofing controls;
d) logical access controls.

It may be difficult to maintain the same level of security controls for information systems or other assets when they are taken off-premises. Controls in place while systems are connected to the organization’s network may not be enforceable when working off the network. Physical security controls are very likely to be significantly different as well. These risks may be further magnified if personnel are not well trained on security best practices and acceptable use requirements. Computers, peripherals, paperwork, reports, software, or other information assets belonging to your organization should not be taken off site without prior authorization. Records should be maintained for all information assets that are taken off site. These records should be updated once the equipment or other information assets have been returned. The asset inventory of your organization is likely the most convenient place to document what assets have been taken off-site, by whom, and when they are scheduled to be returned.

Security controls comparable to on-site controls should be applied to off-site equipment. The different risks associated with working outside the organization’s premises should be considered. Particular attention should be given to protecting equipment during business or personal travel. Full-disk encryption should be deployed on all laptops.

Information assets remain the property of your organization even when they are off-premises. Personnel should be trained that these assets should not be used by family members or friends. This unauthorized use may introduce not only technical risks, but also potential risks to the confidentiality of data contained on devices due to improper viewing of information by unauthorized audiences. All of your personnel need to be responsible, and held accountable, for all actions performed on or with the information assets that are presently assigned to them.
When equipment goes off the premises, it is not only important to establish that its content is encrypted – the employees who take equipment out of the facility must also ensure its physical safety at all times, with special attention in public places, and take care not to let it become damaged. These same measures should also apply if the employee works from home.

Organisations can maintain the security of equipment containing information assets by addressing two specific risks:

  1. Eliminating and/or minimizing risks of loss, damage, destruction, or compromise of devices housing information assets when they are taken off-premises.
  2. Preventing the risk of interruption to the organisation’s information processing activities due to the compromise of off-site devices.

The following guidelines apply to devices taken off-premises:

  1. Computing equipment and storage media taken off-site such as corporate computers, USBs, hard drives, and monitors should not be left unattended in public spaces such as coffee houses or in any insecure area.
  2. Device manufacturer’s guidance and specifications on the physical protection of the relevant device should be complied with at all times. For instance, the device manufacturer’s instructions may include how to protect the device/equipment against water, heat, electromagnetic fields, and dust.
  3. Employees and/or other organisations that take computing equipment outside corporate premises may transfer this equipment to other employees or third parties. To maintain the security of this equipment, organisations should keep a log that defines the chain of custody. This log record should at least contain the names of individuals responsible for the device and their organisation.
  4. If an organisation deems that an authorization process is necessary and practical for the removal of equipment out of corporate premises, it should establish and apply an authorization procedure for the taking of certain equipment off-site. This authorization procedure should also include keeping a record of all device removal actions so that the organisation has an audit trail.
  5. Appropriate measures should be implemented to eliminate the risk of unauthorized viewing of information on-screen on public transport.
  6. Location tracking tools and remote access should be in place so that the device can be tracked and the information contained in the device can be wiped remotely if needed.

The control also prescribes requirements for the protection of equipment installed permanently outside of corporate premises. This equipment may include antennas and ATMs. Considering that this equipment may be subject to heightened risks of damage and loss, organisations should take into account the following when protecting this off-site equipment:

  • Physical security monitoring should be considered.
  • The protection against environmental and physical threats should be taken into account.
  • Access controls should be established and appropriate measures should be implemented to prevent tampering.
  • Logical access controls should be created and applied.

Advice for laptop, tablet & smartphone users

  • Employees should keep mobile devices with them at all times. When unattended – for example in a hotel room or meeting room – they should keep them hidden or physically locked away. They should also be carried in hand baggage on an aircraft or coach.
  • Laptops, tablets and smartphones should never be left on a vehicle seat. Even when the driver is in the vehicle, their device could be vulnerable when stationary (for example, whilst parking or at traffic lights).
  • Employees with tablets and smartphones should do their best not to have them on display when out and about owing to the increasing trend of snatch robberies, sometimes involving physical violence.
  • Ensure your employees use padded bags to carry their laptops and, where feasible, tablets. Many laptops are broken simply by dropping them.
