Removal of Property

The HITRUST “Removal of Property” requirement means you must prevent equipment, information, and software from leaving your premises (or controlled environments) without documented, prior authorization, and you must run periodic spot checks to detect unauthorized removal. To operationalize it fast, implement an asset-removal approval workflow, enforce physical and technical exit controls, and retain auditable logs of approvals and checks. 1

Key takeaways:

  • You need prior authorization + documentation for any off-site removal of equipment, information, or software. 1
  • The control is incomplete without spot checks that can actually detect unauthorized removal. 1
  • Auditors look for evidence of consistent execution, not just a policy: approvals, inventories, check results, and exception handling.

“Removal of property” is a deceptively simple requirement that often fails in practice because organizations treat it as a badge-sticker policy rather than an operational control. HITRUST CSF v11 08.m makes three concrete demands: (1) don’t allow equipment, information, or software off-site without prior authorization; (2) document and approve removals; and (3) perform spot checks to detect unauthorized removal from organizational premises. 1

For a Compliance Officer, CCO, or GRC lead, the fastest path to coverage is to define what “property” includes in your environment (laptops, removable media, paper records, test data extracts, licensed software, even imaging files), identify the exit points and transfer paths (front desk, loading dock, mailroom, remote work, third-party couriers), then implement a single approval-and-record mechanism that employees will actually use. You also need to coordinate with Facilities/Security and IT Asset Management, because the evidence is split across ticketing systems, badge/visitor logs, asset inventories, and security procedures.

This page gives requirement-level implementation guidance, artifacts to retain, and audit-ready execution steps for the removal of property requirement.

Regulatory text

Requirement (HITRUST CSF v11 08.m): “Equipment, information, or software shall not be taken off-site without prior authorization. The removal of assets shall be documented and approved, and spot checks shall be performed to detect unauthorized removal of property from organizational premises.” 1

Operator interpretation (what you must do):

  1. Gate the act of removal. No one removes covered assets from controlled spaces without an approval that happens before the asset leaves. 1
  2. Create an auditable trail. Every approved removal produces a record with what was removed, who removed it, why, when, and who approved it. 1
  3. Verify reality matches records. You perform spot checks that can catch “walk-outs” and unrecorded transfers. Spot checks must be documented. 1

Plain-English interpretation

Treat “removal of property” as a controlled transfer process. If a laptop goes home, a server drive goes to a shredder, a paper file goes to an off-site clinic, or a database extract gets copied to a portable device, you need a pre-approval and a record. Then you prove the process works by running spot checks at the places property leaves (doors, loading areas, shipping/receiving, mailroom, security desk, or IT e-waste staging).

This requirement is about preventing data loss and theft, but also about preventing “accidental” removal: employees taking paper records to work at home, engineering copying production data into a local environment, or contractors walking out with devices after a project ends.

Who it applies to

Entity scope: All organizations implementing HITRUST CSF controls. 1

Operational scope (where it bites in real life):

  • Corporate offices and clinics: laptops, printed PHI, badge-controlled areas, front desk exits.
  • Data centers and server rooms: storage media, spare drives, backup tapes, network gear.
  • Shipping/receiving and mailroom: outbound packages, returns, courier handoffs.
  • Remote/hybrid work: assets leaving premises “temporarily” (laptops, hotspots) and information leaving via physical media.
  • Third-party operations: contractors, managed service providers, disposal vendors, repair depots, couriers. (You still own the control objective even if execution is shared.)

What you actually need to do (step-by-step)

1) Define “property” and what counts as “off-site”

Write a short scoping statement your teams can apply without guessing:

  • Equipment: laptops, desktops, tablets, phones, removable drives, backup media, networking equipment, badge readers, printers with storage.
  • Information: paper records, printed reports, labels, screenshots, notebooks with sensitive content.
  • Software: licensed software media/keys, controlled build artifacts, proprietary code moved on physical media. 1

Clarify that “off-site” includes homes, hotels, conferences, another company office, a third-party facility, and any location not covered by your physical security program.

2) Establish an authorization workflow that is harder to bypass than to use

Pick one system of record (service desk, GRC workflow, or facilities ticketing). Require:

  • Requestor identity and department
  • Asset identifier (tag/serial) or information description (file set, record type, box number)
  • Reason for removal and destination
  • Expected return date or disposition (return, destroy, transfer custody)
  • Approver name/title and approval timestamp 1

Practical decision: Make approvals role-based. Example:

  • Manager approves standard laptop travel.
  • Information Security approves removable media and any sensitive data in physical form.
  • Facilities/Security approves large equipment removals and after-hours moves.
  • Procurement/Asset Management approves disposals and transfers.

3) Tie approvals to asset inventory and custody records

Your control breaks if approvals cannot be reconciled to inventory.

  • For equipment, require an asset tag/serial and automatically link the ticket to the asset inventory record.
  • For paper records, require a box ID or tracking number and link to records management logs.
  • For media disposal/repair, maintain a chain-of-custody record that includes handoff to the third party and confirmation of receipt.

4) Implement exit controls aligned to your environment

Match controls to actual exit points:

  • Front desk/security desk: require approval reference for equipment leaving; use bag checks where culturally and legally acceptable.
  • Loading dock/shipping: outbound equipment must have an approved removal record attached to the shipment.
  • IT staging areas: quarantine “to-be-disposed” assets until an approved disposal/removal record exists.
  • Visitor/contractor exits: verify return of temporary devices, badges, and any issued media.

Keep it simple: the goal is that the guard, receptionist, or shipping clerk can quickly verify “approved vs not approved.”

5) Run spot checks that can detect unauthorized removal

HITRUST explicitly requires spot checks. 1 Design them so they are defensible in an audit:

  • Define who performs checks (Security, Facilities, ITAM) and where (main exits, loading dock, mailroom, e-waste area).
  • Define what you check: presence of approval record, asset tag matches, and whether the item is in inventory status “authorized off-site.”
  • Define how you record results: date/time, location, checker, sample observed, exceptions found, corrective action.

Spot checks should also cover “information” leaving, not just devices. Example: check shredding bins and outbound records boxes for required tracking documentation.
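The checks in steps 2 through 5 reduce to one reconciliation: every item seen leaving an exit point must map to a prior approval for that asset, carried by the requestor, with the inventory status already changed, and every inventory row marked off-site must be backed by an approval that is not overdue. The following script is an added illustration for this guide, not HITRUST material or any vendor's product code; the tickets, inventory rows and spot-check observations are constructed, the field names mirror the record fields listed in step 2, and the exception codes are this example's own labels.

```python
"""
Reconcile exit-point spot-check observations and the asset inventory against
prior removal approvals, producing the exception list an auditor asks for.

Added example for this guide, not HITRUST text or any vendor's product code.
Every ticket, inventory row and observation below is constructed; exception
codes are this example's own labels.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

OFF_SITE = "authorized-off-site"   # inventory status a valid removal must set
AS_OF = datetime(2024, 5, 14, 9, 0)   # assumed "now" for overdue-return checks


@dataclass
class Approval:                    # one row of the approval system of record
    ticket: str
    asset_tag: str
    requestor: str
    approver: str
    approved_at: datetime
    destination: str
    return_by: Optional[datetime]  # None = disposal or custody transfer


@dataclass
class ExitObservation:             # one line of a spot-check log
    observed_at: datetime
    location: str
    asset_tag: Optional[str]       # None when the item carried no tag
    carried_by: str
    ticket_claimed: Optional[str]


# Constructed sample data (assumed tickets, tags and people, not real ones).
APPROVALS = [
    Approval("T-1001", "LT-0412", "a.rivera", "mgr.chen",
             datetime(2024, 5, 13, 16, 30), "home office", datetime(2024, 5, 20)),
    Approval("T-1002", "HD-0077", "it.ops", "infosec.lee",
             datetime(2024, 5, 14, 10, 15), "shred vendor", None),
    Approval("T-1003", "LT-0199", "j.park", "mgr.chen",
             datetime(2024, 4, 30, 9, 0), "conference", datetime(2024, 5, 5)),
]
INVENTORY = {  # asset tag -> current custody status
    "LT-0412": OFF_SITE, "HD-0077": "in-place", "LT-0199": OFF_SITE,
    "SW-0031": "in-place", "LT-0555": OFF_SITE,
}
OBSERVATIONS = [
    ExitObservation(datetime(2024, 5, 13, 17, 5), "front desk", "LT-0412", "a.rivera", "T-1001"),
    ExitObservation(datetime(2024, 5, 14, 8, 40), "loading dock", "HD-0077", "it.ops", "T-1002"),
    ExitObservation(datetime(2024, 5, 14, 8, 55), "front desk", "SW-0031", "b.okafor", None),
    ExitObservation(datetime(2024, 5, 14, 8, 58), "mailroom", None, "courier", None),
    ExitObservation(datetime(2024, 5, 14, 9, 2), "front desk", "XX-9999", "c.diaz", "T-1001"),
]


def index_approvals(approvals):
    """Index approvals by ticket and, for each asset tag, keep the latest one."""
    by_ticket = {a.ticket: a for a in approvals}
    by_tag = {}
    for a in sorted(approvals, key=lambda a: a.approved_at):
        by_tag[a.asset_tag] = a
    return by_ticket, by_tag


def check_observation(obs, by_ticket, by_tag, inventory) -> List[str]:
    """Return the exception codes for one item seen leaving an exit point."""
    findings = []
    if obs.asset_tag is None:
        return ["UNTAGGED"]                      # quarantine and tag before release
    if obs.asset_tag not in inventory:
        findings.append("NOT_IN_INVENTORY")      # a "mystery device"
    approval = None
    if obs.ticket_claimed is not None:
        approval = by_ticket.get(obs.ticket_claimed)
        if approval is None:
            findings.append("UNKNOWN_TICKET")
        elif approval.asset_tag != obs.asset_tag:
            findings.append("TICKET_MISMATCH")   # ticket covers a different asset
            approval = None
    if approval is None:
        approval = by_tag.get(obs.asset_tag)     # any approval on file for this tag
    if approval is None:
        findings.append("NO_APPROVAL")
        return findings
    if approval.approved_at > obs.observed_at:
        findings.append("APPROVAL_AFTER_REMOVAL")  # "prior authorization" not met
    if approval.requestor != obs.carried_by:
        findings.append("CUSTODIAN_MISMATCH")
    if inventory.get(obs.asset_tag) != OFF_SITE:
        findings.append("INVENTORY_NOT_UPDATED")   # approval not linked to inventory
    return findings


def spot_check_report(observations=OBSERVATIONS, approvals=APPROVALS, inventory=INVENTORY):
    """(location, asset tag, findings) for every observation; empty findings = OK."""
    by_ticket, by_tag = index_approvals(approvals)
    return [(o.location, o.asset_tag, check_observation(o, by_ticket, by_tag, inventory))
            for o in observations]


def inventory_exceptions(now=AS_OF, approvals=APPROVALS, inventory=INVENTORY) -> Dict[str, str]:
    """Assets marked off-site that no approval supports, or whose return is overdue."""
    _, by_tag = index_approvals(approvals)
    out = {}
    for tag, status in inventory.items():
        if status != OFF_SITE:
            continue
        a = by_tag.get(tag)
        if a is None:
            out[tag] = "OFF_SITE_WITHOUT_APPROVAL"
        elif a.return_by is not None and a.return_by < now:
            out[tag] = "OVERDUE_RETURN"
    return out


if __name__ == "__main__":
    for loc, tag, f in spot_check_report():
        print(f"{loc:12} {tag or '(no tag)':10} {', '.join(f) or 'OK'}")
    for tag, code in inventory_exceptions().items():
        print(f"inventory    {tag:10} {code}")
```

Run against the constructed data, the report flags the spare drive approved after it was seen at the loading dock (a "prior authorization" failure that also never reached inventory), a USB dongle leaving with no approval at all, an untagged item in the mailroom, and a device whose claimed ticket belongs to another asset; the inventory pass separately surfaces a laptop overdue from a conference and one marked off-site with no ticket behind it. Each of those is a line in the spot-check log plus, where needed, an entry in the exception log.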

6) Build exception handling that doesn’t become the normal path

Create a controlled “break glass” option for urgent operational needs (e.g., emergency equipment swap), but require:

  • documented justification,
  • retroactive approval within a defined internal timeframe,
  • a review of patterns (repeat offenders, specific sites).

7) Train the people who actually move things

Training should target:

  • facilities movers and office managers,
  • shipping/receiving staff,
  • IT support teams,
  • clinicians or business users handling paper records,
  • contractors who may remove equipment at project end.

A one-page job aid at exits usually beats a long policy.

Required evidence and artifacts to retain

Auditors typically ask for proof in three buckets: policy, execution, and monitoring.

Policy & procedure artifacts

  • Removal of property policy/procedure (scope, definitions, approval roles)
  • Physical security procedures for exits/loading docks
  • Records retention and media handling procedures (if applicable)

Execution artifacts

  • Asset removal requests and approvals (tickets/workflow exports)
  • Asset inventory showing custody/status changes (e.g., “assigned off-site”)
  • Shipping manifests tied to approval records
  • Chain-of-custody documents for disposal/repair transfers to third parties

Monitoring artifacts

  • Spot check logs (including “no issues found” results)
  • Exception logs and corrective actions
  • Evidence of periodic review of removals (trend review notes, management sign-off)

Common exam/audit questions and hangups

Expect these questions and prepare your evidence package accordingly:

  1. “Show me the last few asset removals and the prior approvals.” They will check timestamps and approver authority.
  2. “How do you prevent untagged assets from leaving?” If you have “mystery devices,” you need a process for tagging and quarantine.
  3. “Do you control paper records leaving the building?” Many programs only cover laptops; that fails the “information” part. 1
  4. “Where are spot checks documented, and what happens on exceptions?” If you can’t produce logs, the control is usually scored weak.
  5. “How do third parties remove or receive your assets?” Look for chain-of-custody, authorized courier processes, and return confirmations.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Policy without workflow. Fix: require a ticket number for every removal and make it the system of record.
  • Mistake: Only covering laptops. Fix: include paper, removable media, and software artifacts in scope language and training. 1
  • Mistake: Approvals after the fact. Fix: enforce “prior authorization” at exit points, not just in IT processes. 1
  • Mistake: Spot checks that are performative. Fix: check real exit paths and record exceptions, even if uncomfortable.
  • Mistake: No link to inventory. Fix: require asset identifiers and automate status changes where possible.

Risk implications (why operators care)

Unauthorized removal is a common root cause for:

  • loss of devices containing sensitive data,
  • uncontrolled copies of regulated information in physical form,
  • licensing exposure for software moved outside controlled environments,
  • custody disputes with third parties during repair/disposal.

Even without a public enforcement case cited here, the operational risk is direct: once property leaves your controlled perimeter without authorization, your ability to prove confidentiality and chain-of-custody drops fast.

Practical 30/60/90-day execution plan

First 30 days (get the control working in one place)

  • Pick the system of record for approvals (service desk or GRC workflow).
  • Write a one-page Removal of Property procedure with clear scope and approver roles. 1
  • Identify top exit points (front desk, loading dock, mailroom) and assign control owners.
  • Start logging approvals for the most common case: corporate laptops leaving for remote work/travel.

Next 60 days (expand coverage and make it auditable)

  • Integrate approvals with asset inventory (required fields: tag/serial, status change).
  • Extend scope to paper records and removable media; add records management tracking.
  • Publish exit-point job aids and train Security/Facilities/shipping staff.
  • Start formal spot check logs and define exception handling. 1

By 90 days (operational maturity and monitoring)

  • Add third-party custody flows: repair, disposal, returns, couriers; keep chain-of-custody artifacts.
  • Create a monthly management review of removal activity and spot check results.
  • Tune approvals to reduce friction (pre-approved roles, templates) while keeping “prior authorization” intact. 1
  • If you use Daydream to manage control evidence, map the workflow outputs (tickets, check logs, inventories) to a single evidence collection view so audits don’t become a screenshot hunt.

Frequently Asked Questions

Does “removal of property” apply to remote employees taking laptops home?

Yes. If the laptop is leaving a controlled organizational premise, it needs prior authorization and documentation. Make the approval implicit in your device issuance process only if the issuance record clearly authorizes off-site use and is retrievable for audit. 1

Are paper records included, or is this just an IT control?

Paper is covered because the requirement includes “information,” not only equipment. Treat outbound paper files and records boxes as tracked assets with approvals and custody documentation. 1

What counts as “software” being taken off-site?

Focus on physical or controlled transfers: licensed installation media, dongles/keys, and proprietary software artifacts moved outside controlled spaces. If teams move software via downloads, handle it under your access control and data transfer controls, but keep this control scoped to physical removal. 1

How do we run spot checks without disrupting the business?

Keep checks lightweight and targeted to high-risk exits (loading dock, after-hours removals, e-waste staging). Document the check results and exceptions; the documentation is as important as the act. 1

Can a manager approval be enough, or do we need Security to approve everything?

Use risk-based approver tiers. Manager approval may be enough for standard issued laptops, but removal of sensitive information in physical form or removable media usually warrants Security or Privacy approval based on your internal policy. 1

What evidence is most persuasive to auditors?

A clean sample set: approved removal tickets with timestamps, inventory status changes tied to the ticket, and spot check logs showing you detect and resolve exceptions. Policies matter, but execution evidence closes the loop. 1

Footnotes

  1. HITRUST CSF v11 Control Reference

HITRUST CSF Removal of Property: Implementation Guide | Daydream