Management should authorize devices used outside an organization’s premises, such as mobile devices or personally-owned devices used for work, and require protection for them. Guidelines for protecting such devices include not leaving them publicly unattended, following manufacturers’ instructions for protection, logging device custody when transferring equipment, using authorization tools for equipment removal, preventing information from being viewed publicly, and tracking locations and remote wiping capabilities. Permanent equipment outside an organization’s location, such as ATMs, requires monitoring, protection against environmental and physical issues, physical access and tamper-proofing controls, and reasonable access controls. The appropriate measures should be determined based on the specific location and associated risks.