UCF ID: 00720
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain physical security of distributed IT assets. [UCF Control ID 00718]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj E.2; FFIEC IT Examination Handbook – Information Security, Pg 66, Exam Tier II Obj E.2; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 40, Exam Tier II Obj 4.4; Introductory Resource Guide for HIPAA NIST SP 800-66, § 4.13; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-24.c; Protection of Assets Manual, ASIS International, Pg 11-V-12; C-TPAT Supply Chain Security Best Practices Catalog, Pg 47; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-102; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.6; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.10.7; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § MP-4; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, MP-2(1), MP-2.7, MP-4; The Standard of Good Practice for Information Security, CI2.8.6; DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 3.3; OGC ITIL: Security Management, § 4.2.3.2; Australian Government ICT Security Manual (ACSI 33), § 3.1.32, § 3.1.44, § 3.1.46; Italy Personal Data Protection Code, Annex B.21; Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, Art 23(d); Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3, MFD08.001; The Center for Internet Security Security Benchmark For Multi-Function Devices, Version 1.0.0, April 2009, § 1.2.2, § 3.1.1; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.5(8), ¶ 10.2.9, ¶ 10.4.19
Banking and Finance Guidance
[Exam Tier II Obj E.2, FFIEC IT Examination Handbook – Audit, August 2003]
All media taken to and from the developer work area should be restricted. [Pg 66, Exam Tier II Obj E.2, FFIEC IT Examination Handbook – Information Security]
The organization should ensure blank cards for embossing are stored in a secure area. [Pg 40, Exam Tier II Obj 4.4, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Healthcare and Life Science Guidance
[§ 4.13, Introductory Resource Guide for HIPAA NIST SP 800-66]
US Federal Security Guidance
Only authorized individuals should be able to receive sensitive hardcopy output in terminal areas and remove sensitive hardcopy output from terminal areas. [§ 2-24.c, Army Regulation 380-19: Information Systems Security, February 27, 1998]
The organization will conduct daily system backups, stored in a fireproof safe that is accessible only to the IT Manager and senior executives. Additional backups will be stored off site weekly with a bonded provider. [Pg 47, C-TPAT Supply Chain Security Best Practices Catalog]
The organization must conduct security checks at the end of each day to ensure that all classified material has been properly secured. [§ 5-102, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
Calls for Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
Removable media that contains Federal Tax Information should be locked up when not in use. When in use, it should be in a secure area under the control of an authorized individual. [§ 4.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.10.7, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
The organization must establish and maintain media marking policies and procedures to physically control and securely store specified media within a controlled area using appropriate measures; and should protect stored media using appropriate techniques and procedures until it is properly disposed of. [App F § MP-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Media storage areas should be restricted by either guard stations or automated mechanisms. Automated mechanisms should be configured to allow access only to authorized personnel and should audit all attempts to enter the storage area, both failed and granted. Organizational records and documents should be examined to ensure that paper and digital media are stored according to the highest FIPS 199 security category, that media is stored in a consistent fashion and stored securely at all times, and that specific responsibilities and actions are defined for the implementation of the media storage control. Any problems discovered during the implementation of the media storage control should be documented and used to improve the controls.
Test the automated mechanisms used to control access to media storage areas to ensure access to the media is restricted according to its sensitivity and both failed and granted access to the area is audited.
Interviews should be conducted with personnel involved in storing media to ensure the media is stored at the appropriate classification level. [MP-2(1), MP-2.7, MP-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
Other Configuration Guidance
Laptops and PDAs must be kept out of plain view when they are stored in a locked car or hotel room. [§ 3.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]
Ensure that the MFD has a mechanism to lock and prevent access to the hard disk. [MFD08.001, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3]
§ 1.2.2 Ensure that the MFD has a mechanism to lock the chassis, preventing access to internal components.
§ 3.1.1 Require a PIN, RFID or other authorization mechanism to access print jobs on a MFD. [§ 1.2.2, § 3.1.1, The Center for Internet Security Security Benchmark For Multi-Function Devices, Version 1.0.0, April 2009]
ISO Guidance
¶ 8.1.5(8) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards are necessary in combination with other, for example, physical and technical, safeguards. Safeguards in the area of operational issues are listed below.
8. Media Controls
Media controls include a variety of safeguards to provide physical and environmental protection and accountability for tapes, discs, printouts, and other media. This includes marking, logging, integrity verification, physical access protection, environmental protection, transmittal, and secure disposal.
¶ 10.2.9 Unauthorized access to storage media. An organization should implement safeguards to prevent the unauthorized access and use of storage media, which can endanger confidentiality if any confidential material is stored on that media. Safeguards to protect confidentiality are listed below.
• Operational issues: Media controls can be applied to provide, for example, physical protection and accountability for the media, and assured storage deletion guarantees that nobody can obtain confidential material from a previously deleted medium. Special care should be taken to protect easily removable media, such as floppy discs, back-up tapes and paper.
• Physical security: The appropriate protection of rooms (strong walls and windows as well as physical access control) and security furniture can protect against unauthorized access.
• Data confidentiality protection: Additional protection for sensitive material on storage media can be achieved by encrypting the material. A key management system should be implemented to apply encryption.
¶ 10.4.19 Unauthorized access to storage media. An organization should implement safeguards that prevent the unauthorized access and use of storage media, which can endanger availability since it could result in unauthorized destruction of the information stored on these media. Safeguards to protect availability are listed below.
• Operational issues: Media controls can be applied to provide, for example, physical protection and accountability for the media to avoid unauthorized access to the information stored on the media. Special care should be taken for easily removable media, such as floppy discs, back-up tapes and paper.
• Physical security: The appropriate protection of rooms (strong walls and windows as well as physical access control) and security furniture protect against unauthorized access. [¶ 8.1.5(8), ¶ 10.2.9, ¶ 10.4.19, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
ITIL Guidance
[§ 4.2.3.2, OGC ITIL: Security Management]
General Guidance
Fax machines should be located only where authorized employees can send or receive documents. One person and an alternate should be assigned the responsibility for fax transmissions. [Pg 11-V-12, Protection of Assets Manual, ASIS International]
Equipment that is owned by the organization should have identification labels attached to it. [CI2.8.6, The Standard of Good Practice for Information Security]
Other European and African Guidance
Technical and organizational instructions will be issued on how to keep and use removable media that stores data to prevent unauthorized access and processing. [Annex B.21, Italy Personal Data Protection Code]
Based on the risk of a privacy breach, the state of the art and implementation costs, the technical and organizational security measures must prevent unauthorized personnel from using data processing systems via the data transmission facilities. [Art 23(d), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data]
Asia and Pacific Rim Guidance
Removable hard drives should be removed after hours and stored in an appropriate place in accordance with the classification of the material contained on the hard drive. [§ 3.1.32, § 3.1.44, § 3.1.46, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
