SID-PHY-02 — Equipment and Media Security
| Property | Value |
|---|---|
| Owner | operator |
| Category | physical |
| CSF Function | protect |
| Group | Physical Security Controls |
Description
Secure siting and protection of equipment and storage media throughout their lifecycle, from procurement to disposal.
Implementation requirements: (1) Equipment siting: servers, HSMs, and network devices MUST be rack-mounted in access-controlled facilities (SID-PHY-01). Unauthorized removal MUST trigger an alert. (2) Off-premises assets: mobile devices and laptops used by wallet operations staff MUST have full-disk encryption enabled and be enrolled in MDM for remote-wipe capability. (3) Storage media handling: - Media containing Confidential or Restricted data MUST be encrypted before transport. - Media inventory (physical drives, USB devices, backup tapes) MUST be maintained with classification and custodian. (4) Secure disposal/re-use: before disposal or re-use, all media MUST be sanitized per NIST SP 800-88 (Clear for lower classification, Purge/Destroy for Confidential+). Destruction certificates MUST be retained for ≥5 years. (5) Equipment maintenance: only authorized service providers may perform maintenance. Any media removed for maintenance MUST be tracked and returned or sanitized. (6) Clear desk / clear screen: policy documented and enforced; screens auto-lock after ≤5 minutes of inactivity on operations workstations.
Note: Platform provides at-rest encryption for database volumes; this control covers physical media lifecycle management outside the platform software boundary.
Review criteria: media inventory, most recent disposal certificate, MDM enrollment evidence, clear-desk policy documentation.
Components
- WSCA / HSM
- PostgreSQL Database
Source References
Framework Requirements
ISO 27001 Annex A: A.7.7, A.7.8, A.7.9, A.7.10, A.7.13, A.7.14