Oct 25 2012

Off Premises Equipment Security in ISMS

Category: Laptop SecurityDISC @ 11:22 am

Control  A 9.2.5 in annex A of ISO 27001 standard requires organization to have authorized policies and procedures in place for security of off-premises equipment and these controls should be implemented based on risk assessment of physical particular assets.  There should be a formal approval procedure before taking the equipment offsite. Approval authority will depend upon the classification of an asset and can be determined through risk assessment process for potential risk to an organization. Below are some of the ISO 27002 recommendations for taking equipments off site.

Laptop computers, mobile phones, USB flash drive should be encrypted and password  protected, especially when these equipments are carrying a classified or sensitive information and exposure of this information may significantly harm the organization. Laptop computers and flash drives should be carried in an unidentified secure laptop bags and your bag should stay in your possession at all time and never be unattended in any circumstance. Some organizations are allocating separate laptop for travel to avoid personal and corporate data exposure and placing a limit on data that can be carried on the laptop or USB drive. Some travelers are asked to backup their data on web based backup service in case they lose the equipment or it may get corrupted. Especially in case of laptop, screen saver and privacy screen are must policies to have in an organization which has a healthy group of folks on the road on a regular basis.

Awareness is a key to every successful implementation of security control. A special awareness session should be designed for off-site staff which covers the off premises security.  Completing this awareness training and risk assessment of an asset should be built in the user authorization form.

Leave a Reply