Status: Live
The organization will physically control and securely store information system media. [UCF ID 00720]
Supporting and supported controls
This control directly supports:
• Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj E.2; FFIEC IT Examination Handbook – Information Security, Pg 66, Exam Tier II Obj E.2; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 40, Exam Tier II Obj 4.4; Introductory Resource Guide for HIPAA NIST Special Publication 800-66, § 4.13; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-24.c; Protection of Assets Manual, ASIS International, Pg 11-V-12; C-TPAT Supply Chain Security Best Practices Catalog, Pg 47; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-102; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.6; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.10.7; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, MP-4; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, MP-2(1), MP-2.7, MP-4; The Standard of Good Practice for Information Security, CI2.8.6; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 3.3; OGC ITIL: Security Management, § 4.2.3.2; Australian Government ICT Security Manual (ACSI 33), § 3.1.32, § 3.1.44, § 3.1.46; Archer Control Table, ATCS-039, ATCS-046, ATCS-049, ATCS-772, ATCS-847; Italy Personal Data Protection Code, Annex B.21; Luxembourg Data Protection Law, Art 23(d); Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3, MFD08.001; The Center for Internet Security Security Benchmark For Multi-Function Devices, Version 1.0.0, April 2009, § 1.2.2, § 3.1.1
Banking and Finance Guidance
[Exam Tier II Obj E.2, FFIEC IT Examination Handbook – Audit, August 2003]
Movement of media into and out of the developer work area should be restricted. [Pg 66, Exam Tier II Obj E.2, FFIEC IT Examination Handbook – Information Security]
The organization should ensure blank cards for embossing are stored in a secure area. [Pg 40, Exam Tier II Obj 4.4, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Healthcare and Life Science Guidance
[§ 4.13, Introductory Resource Guide for HIPAA NIST Special Publication 800-66]
US Federal Security Guidance
Only authorized individuals should be able to receive sensitive hardcopy output in terminal areas and remove sensitive hardcopy output from terminal areas. [§ 2-24.c, Army Regulation 380-19: Information Systems Security, February 27, 1998]
Fax machines should be located only where authorized employees can send or receive documents. One person and an alternate should be assigned the responsibility for fax transmissions. [Pg 11-V-12, Protection of Assets Manual, ASIS International]
The organization will conduct system backups daily that are stored in a safe that is fireproof and only accessible to the IT Manager and senior executives. Additional backups will be stored off site weekly with a bonded provider. [Pg 47, C-TPAT Supply Chain Security Best Practices Catalog]
The organization must conduct security checks at the end of each day to ensure that all classified material has been properly secured. [§ 5-102, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
FIPS 200 calls for Media Protection (MP): organizations must (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
Removable media that contains Federal Tax Information should be locked up when not in use. When in use, it should be in a secure area under the control of an authorized individual. [§ 4.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.10.7, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
The organization should protect information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. [MP-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Media storage areas should be restricted by either guard stations or automated mechanisms. Automated mechanisms should be configured to allow only authorized personnel access and should audit all attempts to enter the storage area, both failed and granted. Organizational records and documents should be examined to ensure that paper and digital media are stored according to the highest FIPS 199 security category of the information they contain, that media is stored in a consistent fashion and stored securely at all times, and that specific responsibilities and actions are defined for implementing the media storage control. Any problems discovered during implementation of the media storage control should be documented and used to improve the control.
Test the automated mechanisms used to control access to media storage areas to ensure that access to the media is restricted according to its sensitivity and that both failed and granted access attempts are audited.
Interviews should be conducted with personnel involved in storing media to ensure the media is stored at the appropriate classification level. [MP-2(1), MP-2.7, MP-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
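The two MP-2(1)/MP-4 checks above (only authorized personnel are granted entry; both failed and granted attempts are recorded) can be exercised against the access-control system's own log export. The script below is an added example written for this page, not part of the UCF control text or of any cited authority document. It assumes a hypothetical badge-reader export with one comma-separated event per line (ISO 8601 timestamp, door id, badge id, GRANTED or DENIED) and a hypothetical roster of badge ids authorized for the media vault; the sample log and roster are constructed.

```python
"""Review a physical access-control log for a media storage area.

Added example (not from the UCF page or any cited standard). Assumes a
hypothetical badge-reader export of the form
    <ISO 8601 timestamp>,<door id>,<badge id>,<GRANTED|DENIED>
and a hypothetical roster of badge ids authorized for that door.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export for a hypothetical door "MEDIA-VAULT-1".
SAMPLE_LOG = """\
2009-04-01T08:02:11,MEDIA-VAULT-1,B1001,GRANTED
2009-04-01T08:15:40,MEDIA-VAULT-1,B2210,DENIED
2009-04-01T09:30:02,MEDIA-VAULT-1,B1002,GRANTED
2009-04-01T12:47:19,MEDIA-VAULT-1,B3999,GRANTED
2009-04-01T12:47:25,MEDIA-VAULT-1,B2210,DENIED
2009-04-01T12:48:01,MEDIA-VAULT-1,B2210,DENIED
2009-04-01T17:05:33,MEDIA-VAULT-1,B1001,GRANTED
"""

AUTHORIZED = {"B1001", "B1002"}   # hypothetical roster for the vault door
DOOR = "MEDIA-VAULT-1"
DENIED_THRESHOLD = 3              # repeated failures by one badge worth escalating


@dataclass(frozen=True)
class Event:
    ts: datetime
    door: str
    badge: str
    result: str


def parse_log(text):
    """Parse the export; reject malformed lines rather than silently skipping them."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, door, badge, result = parts
        if result not in ("GRANTED", "DENIED"):
            raise ValueError(f"line {lineno}: unknown result {result!r}")
        events.append(Event(datetime.fromisoformat(ts), door, badge, result))
    return events


def review(events, door, authorized, denied_threshold=DENIED_THRESHOLD):
    """Return the findings an assessor would want for one media storage door."""
    door_events = [e for e in events if e.door == door]
    results = {e.result for e in door_events}
    # Control failure: a badge outside the roster was granted entry.
    unauthorized_granted = sorted({e.badge for e in door_events
                                   if e.result == "GRANTED" and e.badge not in authorized})
    # Review item: the same badge repeatedly denied (lost badge, probing, or stale roster).
    denied_counts = Counter(e.badge for e in door_events if e.result == "DENIED")
    repeated_denials = sorted(b for b, n in denied_counts.items() if n >= denied_threshold)
    return {
        "events": len(door_events),
        "audits_granted": "GRANTED" in results,   # evidence that successes are logged
        "audits_denied": "DENIED" in results,     # evidence that failures are logged
        "unauthorized_granted": unauthorized_granted,
        "repeated_denials": repeated_denials,
        "denied_total": sum(denied_counts.values()),
    }


def run_sample():
    return review(parse_log(SAMPLE_LOG), DOOR, AUTHORIZED)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed sample the review reports badge B3999 as granted entry without being on the roster (the MP-2(1) failure an assessor is looking for) and badge B2210 as denied three times. Note that "audits_denied" only proves the mechanism records failures if a failure actually occurred in the period reviewed; when the export contains no DENIED events, present a non-authorized badge at the reader during the test and confirm the denial appears, as the "test the automated mechanisms" step above requires.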
Other Configuration Guidance
Laptops and PDAs must be kept out of plain view when they are stored in a locked car or hotel room. [§ 3.3, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]
Ensure that the MFD has a mechanism to lock and prevent access to the hard disk. [MFD08.001, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3]
§ 1.2.2 Ensure that the MFD has a mechanism to lock the chassis, preventing access to internal components.
§ 3.1.1 Require a PIN, RFID or other authorization mechanism to release print jobs on an MFD. [§ 1.2.2, § 3.1.1, The Center for Internet Security Security Benchmark For Multi-Function Devices, Version 1.0.0, April 2009]
ITIL Guidance
[§ 4.2.3.2, OGC ITIL: Security Management]
General Guidance
Equipment that is owned by the organization should have identification labels attached to it. [CI2.8.6, The Standard of Good Practice for Information Security]
Other European and African Guidance
Technical and organizational instructions will be issued on how to keep and use removable media that stores data to prevent unauthorized access and processing. [Annex B.21, Italy Personal Data Protection Code]
Taking into account the risk of a privacy breach, the state of the art and the cost of implementation, the technical and organizational security measures must prevent unauthorized persons from using data processing systems by means of data transmission facilities. [Art 23(d), Luxembourg Data Protection Law]
Asia and Pacific Rim Guidance
Removable hard drives should be removed after hours and stored in an appropriate place in accordance with the classification of the material contained on the hard drive. [§ 3.1.32, § 3.1.44, § 3.1.46, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
