compliance controls are associated with this Policy definition 'Ensure security safeguards not needed when the individuals return' (1fdf0b24-4043-3c55-357e-036985d50b52)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CM-2(7) |
FedRAMP_High_R4_CM-2(7) |
FedRAMP High CM-2 (7) |
Configuration Management |
Configure Systems, Components, Or Devices For High-Risk Areas |
Shared |
n/a |
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
Supplemental Guidance: When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for
example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family..\ |
link |
2 |
| FedRAMP_Moderate_R4 |
CM-2(7) |
FedRAMP_Moderate_R4_CM-2(7) |
FedRAMP Moderate CM-2 (7) |
Configuration Management |
Configure Systems, Components, Or Devices For High-Risk Areas |
Shared |
n/a |
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
Supplemental Guidance: When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for
example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family..\ |
link |
2 |
| hipaa |
0403.01x1System.8-01.x |
hipaa-0403.01x1System.8-01.x |
0403.01x1System.8-01.x |
04 Mobile Device Security |
0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization monitors for unauthorized connections of mobile devices. |
|
7 |
| hipaa |
0426.01x2System.1-01.x |
hipaa-0426.01x2System.1-01.x |
0426.01x2System.1-01.x |
04 Mobile Device Security |
0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
A centralized, mobile device management solution has been deployed to all mobile devices permitted to store, transmit, or process organizational and/or customer data, enforcing built-in detective and preventative controls. |
|
7 |
| hipaa |
0427.01x2System.2-01.x |
hipaa-0427.01x2System.2-01.x |
0427.01x2System.2-01.x |
04 Mobile Device Security |
0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote software version/patch validation. |
|
4 |
| hipaa |
0428.01x2System.3-01.x |
hipaa-0428.01x2System.3-01.x |
0428.01x2System.3-01.x |
04 Mobile Device Security |
0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote wipe. |
|
4 |
| hipaa |
0429.01x1System.14-01.x |
hipaa-0429.01x1System.14-01.x |
0429.01x1System.14-01.x |
04 Mobile Device Security |
0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting). |
|
7 |
| hipaa |
0627.10h1System.45-10.h |
hipaa-0627.10h1System.45-10.h |
0627.10h1System.45-10.h |
06 Configuration Management |
0627.10h1System.45-10.h 10.04 Security of System Files |
Shared |
n/a |
The organization maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier and uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application. |
|
11 |
| ISO27001-2013 |
A.11.2.6 |
ISO27001-2013_A.11.2.6 |
ISO 27001:2013 A.11.2.6 |
Physical And Environmental Security |
Security of equipment and assets off-premises |
Shared |
n/a |
Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. |
link |
10 |
|
mp.eq.1 Clear desk |
mp.eq.1 Clear desk |
404 not found |
|
|
|
n/a |
n/a |
|
19 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
mp.si.2 Cryptography |
mp.si.2 Cryptography |
404 not found |
|
|
|
n/a |
n/a |
|
32 |
| NIST_SP_800-53_R4 |
CM-2(7) |
NIST_SP_800-53_R4_CM-2(7) |
NIST SP 800-53 Rev. 4 CM-2 (7) |
Configuration Management |
Configure Systems, Components, Or Devices For High-Risk Areas |
Shared |
n/a |
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
Supplemental Guidance: When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for
example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family..\ |
link |
2 |
| NIST_SP_800-53_R5 |
CM-2(7) |
NIST_SP_800-53_R5_CM-2(7) |
NIST SP 800-53 Rev. 5 CM-2 (7) |
Configuration Management |
Configure Systems and Components for High-risk Areas |
Shared |
n/a |
(a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls]. |
link |
2 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |