Title

The organization must define locations the organization deems to be of significant risk to DoD information systems, in accordance with organizational policies and procedures. (Cat II impact)

Discussion

Given the continuous threat level in today's global environment, there are certain locations presenting significant risks to an organization's personnel, equipment, and data. To afford an increased level of awareness and security for its personnel, equipment, and data, an organization must identify those locations representing a higher level of risk. Failure of an organization to identify these locations could result in dangerous situations for its personnel, such as; damaged, stolen or compromised equipment; or unauthorized access to, modification of, or destruction of sensitive or classified data.

Check Content

Review the organization's security policy and procedures to ensure the organization has developed and documented a list of high risk locations, and has published this list to its security staff and other organizational personnel. Also examine the date of last update to ensure the list is periodically reviewed and updated. Interview organization security staff to determine if a high risk location list exists and if it is periodically reviewed and updated. If the organization has not developed and disseminated a list of high risk locations, this is a finding.

Fix Text

Develop and document a list of high risk locations, and publish this list to security staff and other organizational personnel.

Additional Identifiers

Rule ID:

Vulnerability ID: V-35990

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.