Status: Live
The organization will maintain a media inventory of all fixed and removable storage systems as a part of the asset audit plan. [UCF ID 00694]
Supporting and supported controls
This control directly supports:
- Maintain asset discovery audit trails [UCF Control ID 00689]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg G-7; FFIEC IT Examination Handbook – Operations, July 2004, Pg 10; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 4.1; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 9.9.1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 3.2, § 4.6; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; The Standard of Good Practice for Information Security, CB4.2.2, CI2.5.1; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1(a); Australian Government ICT Security Manual (ACSI 33), § 3.1.49, § 3.1.51, § 3.4.18; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.9.1
Banking and Finance Guidance
The organization should maintain comprehensive inventories of all assets. [Pg G-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should maintain a media inventory. For each medium, the inventory should identify the type of media; how much storage capacity the medium has; where the medium is stored; what type of information is stored on it; the classification of the information; the file structure of the information on the medium; the system the data comes from; who owns the data; how often the data is backed up; and where the back-up media is stored. This inventory should complement the hardware, software, and network inventory without being redundant. [Pg 10, FFIEC IT Examination Handbook – Operations, July 2004]
[Exam Tier II Obj 4.1, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Payment Card Guidance
The organization must maintain inventories of all media and ensure the inventories are reviewed at least annually.
Review the media inventory log to verify media inventories are performed on an annual basis. [§ 9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The organization must maintain inventories of all media and ensure the inventories are reviewed at least annually. [§ 9.9.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Internal Revenue Guidance
The organization must conduct semiannual inventories of all removable media containing Federal Tax Information. [§ 3.2, § 4.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
General Guidance
An inventory should be maintained of all documentation that supports applications. [CB4.2.2, CI2.5.1, The Standard of Good Practice for Information Security]
UK and Canadian Guidance
[§ 5.6.1(a), IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
Asia and Pacific Rim Guidance
The use of seals should be recorded and include details of who they were issued to, what they are being used for, and the serial numbers of the seals. The register should be reviewed annually to ensure the register matches the actual use of the seals. [§ 3.1.49, § 3.1.51, § 3.4.18, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of scheduled asset inventories that occurred on time [UCF Control ID 02055]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
