T2.3.5 - SECURITY OF EQUIPMENT OFF-PREMISES - Implementation Guidance
The entity shall apply security to off-site equipment.
The use of any information storing and processing equipment outside the entity’s premises should be authorized by management. This applies both to equipment owned by the entity and to privately owned equipment used on behalf of the entity.
The following guidelines should be considered for the protection of off-site equipment:
- A. Equipment and media taken off the premises should not be left unattended in public places; portable computers should be carried as hand luggage and disguised where possible when travelling
- B. Manufacturers’ instructions for protecting equipment should be observed at all times, e.g. protection against exposure to strong electromagnetic fields
- C. Controls for off-premises locations, such as home-working, teleworking and temporary sites, should be determined by a risk assessment, and suitable controls should be applied as appropriate, e.g. lockable filing cabinets, clear desk policy, access controls for computers and secure communication with the office
- D. It may be appropriate to avoid the risk by discouraging certain employees from working off-site and/or by restricting their use of portable IT equipment
- E. When off-premises equipment is transferred among different individuals or external parties, a log should be maintained that defines the chain of custody for the equipment, including at least the names and entities of those who are responsible for the equipment
Risks, e.g. of damage, theft or eavesdropping, may vary considerably between locations and should be taken into account in determining the most appropriate controls.