UCF ID: 00694 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
• Maintain asset discovery audit trails. [UCF Control ID 00689]
There are no supporting controls.
Authority documents complied with:
• FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg G-7
• FFIEC IT Examination Handbook – Operations, July 2004, Pg 10
• FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 4.1
• Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 9.9.1
• IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 3.2, § 4.6
• Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1
• The Standard of Good Practice for Information Security, CB4.2.2, CI2.5.1
• IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1(a)
• Australian Government ICT Security Manual (ACSI 33), § 3.1.49, § 3.1.51, § 3.4.18
• Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.9.1
• DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCSW-1
• ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.5(8), ¶ 10.2.9
Banking and Finance Guidance
The organization should maintain comprehensive inventories of all assets. [Pg G-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should maintain a media inventory. For each medium, the inventory should identify the type of media; how much storage capacity the media has; where the media is stored; what type of information is stored on the media; the classification of the information; the file structure of the information on the media; the system the data comes from; who owns the data; how often the data is backed up; and where the back-up media is stored. This inventory should complement the hardware, software, and network inventory without being redundant. [Pg 10, FFIEC IT Examination Handbook – Operations, July 2004]
[Exam Tier II Obj 4.1, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Payment Card Guidance
The organization must maintain inventories of all media and ensure the inventories are reviewed at least annually. Review the media inventory log to verify media inventories are performed on an annual basis. [§ 9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]
The organization must maintain inventories of all media and ensure the inventories are reviewed at least annually. [§ 9.9.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Federal Security Guidance
Ensure that a backup copy of the software inventory is stored in a fire-rated container or otherwise not collocated with the original. [DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
US Internal Revenue Guidance
The organization must conduct semiannual inventories of all removable media containing Federal Tax Information. [§ 3.2, § 4.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
ISO Guidance
¶ 8.1.5(8) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards are necessary in combination with other, for example, physical and technical, safeguards. Safeguards in the area of operational issues are listed below.
8. Media Controls
Media controls include a variety of safeguards to provide physical and environmental protection and accountability for tapes, discs, printouts, and other media. This includes marking, logging, integrity verification, physical access protection, environmental protection, transmittal, and secure disposal.
¶ 10.2.9 Unauthorized access to storage media. An organization should implement safeguards to prevent the unauthorized access and use of storage media, which can endanger confidentiality if any confidential material is stored on that media. Safeguards to protect confidentiality are listed below.
• Operational issues: Media controls can be applied to provide, for example, physical protection and accountability for the media, and assured storage deletion guarantees that nobody can obtain confidential material from a previously deleted medium. Special care should be taken to protect easily removable media, such as floppy discs, back-up tapes and paper.
• Physical security: The appropriate protection of rooms (strong walls and windows as well as physical access control) and security furniture can protect against unauthorized access.
• Data confidentiality protection: Additional protection for sensitive material on storage media can be achieved by encrypting the material. A key management system should be implemented to apply encryption. [¶ 8.1.5(8), ¶ 10.2.9, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
General Guidance
An inventory should be maintained of all documentation that supports applications. [CB4.2.2, CI2.5.1, The Standard of Good Practice for Information Security]
UK and Canadian Guidance
[§ 5.6.1(a), IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
Asia and Pacific Rim Guidance
The use of seals should be recorded and include details of who they were issued to, what they are being used for, and the serial numbers of the seals. The register should be reviewed annually to ensure the register matches the actual use of the seals. [§ 3.1.49, § 3.1.51, § 3.4.18, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of scheduled asset inventories that occurred on time. [UCF Control ID 02055]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
