PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition
CSF v1.1 References:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
CM-8: System Component Inventory
Develop and document an inventory of system components that: Accurately reflects the system; Includes all components within the system; Does not include duplicate accounting of components or components assigned to any other system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes the following information to achieve system component accountability:…
MP-6: Media Sanitization
Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
PE-16: Delivery and Removal
Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and Maintain records of the system components.
PE-20: Asset Monitoring and Tracking
Employ [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas].
Cloud Controls Matrix v3.0.1
CCC-04: Unauthorized Software Installations
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
DSI-01: Classification
Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
DSI-04: Handling / Labeling / Security Policy
Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
DSI-07: Secure Disposal
Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
DCS-01: Asset Management
Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
DCS-04: Off-Site Authorization
Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
DCS-05: Off-Site Equipment
Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization’s premises. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full overwrite of the drive to ensure that the erased drive is released to…
HRS-01: Asset Returns
Upon termination of workforce personnel and/or expiration of external business relationships, all organizationally-owned assets shall be returned within an established period.
IVS-02: Change Detection
The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image’s…
MOS-09: Device Inventory
An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in…
MOS-18: Remote Wipe
All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company’s corporate IT or shall have all company-provided data wiped by the company’s corporate IT.
Critical Security Controls Version 8
1: Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
NIST Special Publication 800-53 Revision 4
CM-8: Information System Component Inventory
The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system; Includes all components within the authorization boundary of the information system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability];…
MP-6: Media Sanitization
The organization: Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the…
PE-16: Delivery And Removal
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
PE-20: Asset Monitoring And Tracking
The organization: Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
Critical Security Controls Version 7.1
1: Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
13: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.