The organization will physically control and securely store information system media. [UCF ID 00720]
Supporting and supported controls
This control directly supports:
• Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]
This control has the following supporting controls:
There are no supporting controls.
Authority documents complied with:
Australian Government ICT Security Manual (ACSI 33) § 3.1.32, 3.1.44, 3.1.46; FFIEC IT Examination Handbook – Information Security Pg 66, Exam Tier II Obj E.2; FFIEC IT Examination Handbook – Audit Exam Tier II Obj E.2; FFIEC IT Examination Handbook – Retail Payment Systems Pg 40, Exam Tier II Obj 4.4; The Standard of Good Practice for Information Security CI2.8.6; Introductory Resource Guide for HIPAA NIST (800-66) 4.13; ISO 17799:2000, Code of Practice for Information Security Management § 7.3.1; OGC ITIL: Security Management 4.2.3.2; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.10.7; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 MP-4; Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § MP-2(1), MP-2.7, MP-4; AICPA/CICA Privacy Framework § 8.1.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems § 3; DoD 5220.22-M, National Industrial Security Program Operating Manual § 8-308.c; C-TPAT Best Practices Guide Pg 47
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Retail Payment Systems Pg 40, Exam Tier II Obj 4.4 states that the organization should ensure blank cards for embossing are stored in a secure area.
Healthcare and Life Science Guidance
NGSAT Worksheet for CSR § 2.2.7 states that sensitive information in any form is protected during non-working hours through a combination of a secured or locked perimeter, a secured area, or appropriate containerization.
US Federal Security Guidance
FIPS Publication 200, § 3 Specifications for Minimum Security Requirements calls for Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.
The DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) § 8-308.c states that devices that display or output information in human-readable form shall be positioned to prevent unauthorized individuals from reading the information.
The Customs-Trade Partnership Against Terrorism (C-TPAT) Supply Chain Security Best Practices Catalog specification Pg 47 states that the organization will conduct system backups daily that are stored in a safe that is fireproof and only accessible to the IT Manager and senior executives. Additional backups will be stored off site weekly with a bonded provider.
NIST Guidance
NIST 800-53, MP-4, states that the organization should protect information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Asia and Pacific Rim Guidance
The Australian Government ICT Security Manual (ACSI 33) § 3.1.32, 3.1.44, 3.1.46 states that removable hard drives should be removed after hours and stored in an appropriate place in accordance with the classification of the material contained on the hard drive.
