DCS-02: Off-Site Transfer Authorization Policy and Procedures

Control Family:

Datacenter Security

Info icon.

Control is new to this version of the control set and incorporates the following items from the previous version: DCS-04: Off-Site Authorization, GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.

Implementation Guidance

The communications between services that facilitate movements of workloads, application data, etc., should be encrypted based on globally recognized crypto algorithms such as AES-256. Additionally, communication may include measures such as obfuscation or de-identification to render the information in transit illegible. NIST 800-122 (Guide to Protecting the Confidentiality of Personally Identifiable Information - PII) provides relevant and effective techniques for obscuring sensitive data, such as personally identifiable information (PII), etc.

Auditing Guidance

  1. Examine the organization's policy and procedures related to relocation, transfer or retirement of assets.
  2. Determine if policy has been approved, communicated, and reviewed.
  3. Determine if the policy requires recorded authorisation of movements.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.