HRS-05: Asset returns

Control Family:

Human Resources

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set and incorporates the following item from the previous version: HRS-01: Asset Returns.

Control Statement

Establish and document procedures for the return of organization-owned assets by terminated employees.

Implementation Guidance

The organization should establish and communicate a policy and procedure for the return of assets owned or controlled by the organization upon the termination of a personnel contract. The organization should identify and document all information and other associated assets to be returned or disabled. Information and assets can include:

  1. User endpoint devices
  2. Portable storage devices
  3. Specialist equipment
  4. Authentication hardware (e.g., mechanical keys, physical tokens, and smartcards) for information systems, sites, and physical archives
  5. Physical copies of information

The organization should prevent the unauthorized copying of information (e.g., intellectual property) by personnel under a notice of termination.

Auditing Guidance

  1. Examine policy for adequacy, currency, communication, and effectiveness.
  2. Verify that a definition of organizationally-owned assets exists, and is implemented.
  3. Verify that a definition of terminated employees exists, and is implemented.
  4. Examine policy and procedures for evidence of review at least annually.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.