Inventory and physically secure all media that store classified information.

UCF ID: 00962
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain procedures for controlling access to all types of media. [UCF Control ID 00959]

There are no supporting controls.

Authority documents complied with:

    FFIEC IT Examination Handbook – Information Security, Pg 74
    FFIEC IT Examination Handbook – Operations, July 2004, Pg 27, Pg 30, Exam Tier I Obj 6.3, Exam Tier I Obj 6.6
    FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 13, Pg 17
    Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 9.6
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2, § 9.6
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2, § 9.6
    Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-19
    IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 3.2, § 4.6, § 5.6.10, § 6.3.2, Exhibit 4 MP-4
    Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, MP-2(1), MP-2.7
    CobiT, Version 4.1, DS11.3
    The Standard of Good Practice for Information Security, CI3.1.2(b), CI3.1.5, CI3.2.5(e)
    DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.1 (WIR0016)
    DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR0016)
    Australian Government ICT Security Manual (ACSI 33), § 3.1.44, § 3.11.16
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2, § 9.6
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.6
    California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 2
    Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT, § 4.3 (MP-4)
    DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3, § 2.1 (WIR0016)
    ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.7(5)

Banking and Finance Guidance

The organization should ensure the secure storage of all media. Access controls should be implemented to limit access. [Pg 74, FFIEC IT Examination Handbook – Information Security]

The organization should develop procedures for securely storing output containing sensitive information. Back-up tapes that are stored offsite should be physically inventoried periodically. [Pg 27, Pg 30, Exam Tier I Obj 6.3, Exam Tier I Obj 6.6, FFIEC IT Examination Handbook – Operations, July 2004]

Work papers should be secured at all times. If the information is stored on portable computers during the examination, the portable computers should be properly controlled. [Pg 13, Pg 17, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

Payment Card Guidance

The organization must ensure all paper and electronic media that contain cardholder data are physically secured.
Verify that procedures exist for controlling physical access to paper and electronic media, including reports, faxes, CDs, disks, and hard drives.
[§ 9.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

The organization must ensure all paper and electronic media that contain cardholder data are physically secured. [§ 9.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 1.2]

The organization must ensure all paper and electronic media that contain cardholder data are physically secured. [§ 9.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 1.2]

The organization must ensure all paper and electronic media that contain cardholder data are physically secured. [§ 9.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2]

The organization must ensure all paper and electronic media that contain cardholder data are physically secured. [§ 9.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

Classified media should be protected appropriately. Printer ribbons should be controlled and destroyed in accordance with AR 380-5, paragraph 5-201c. [§ 2-19, Army Regulation 380-19: Information Systems Security, February 27, 1998]

US Internal Revenue Guidance

Media that contains Federal Tax Information (FTI) must be securely and physically stored in a controlled area. Removable media that contains FTI must undergo semiannual inventories. When media containing FTI is removed from the storage area, the removal must be recorded. Removable media containing FTI must be promptly returned to its storage area when not in use. [§ 3.2, § 4.6, § 5.6.10, § 6.3.2, Exhibit 4 MP-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

Access to media storage areas should be restricted by either guard stations or automated mechanisms. Automated mechanisms should be configured to allow only authorized personnel access and should audit all attempts to enter the storage area, both failed and granted access.
Test the automated mechanisms used to control access to media storage areas to ensure access to the media is restricted according to its sensitivity and both failed and granted access to the area is audited.
[MP-2(1), MP-2.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization should securely store all media, both electronic and paper, that contains Personally Identifiable Information (PII), until the information is destroyed or sanitized. [§ 4.3 (MP-4), Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT]

US State Laws and Protectorates Guidance

Inventory records systems, critical computing systems, and storage media to identify those containing personal information. [Part I ¶ 2, California OPP Recommended Practices on Notification of Security Breach, May 2008]

Other Configuration Guidance

The Information Assurance Officer (IAO) will maintain a list of all Designated Approval Authority (DAA) approved wireless and non-wireless Portable Electronic Devices (PEDs) that store, process, or transmit Department of Defense (DoD) information. The list will be stored in a secure location. [§ 2.1 (WIR0016), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]

The organization should maintain a list of all wireless devices. The list will be stored in a secure location. [§ 2.2 (WIR0016), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]

The IAO will maintain a list of all DAA approved wireless and non-wireless PED devices that store, process, or transmit DoD information. The list will be stored in a secure location. [§ 2.1 (WIR0016), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3]

ISO Guidance

Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is considered. Safeguards in this area are listed below.
5. Protection against Theft
To achieve stock control, all items of equipment should be uniquely identifiable and an inventory maintained. Security guards/receptionists should be encouraged to check for equipment or media leaving rooms/areas or the building without authorization. Sensitive information and proprietary software held on portable media (e.g. floppy discs) should be protected appropriately.
[¶ 8.1.7(5), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

General Guidance

The organization should define and implement procedures to maintain an inventory of onsite media and ensure their usability and integrity. Procedures should provide for timely review and follow-up on any discrepancies noted. [DS11.3, CobiT, Version 4.1]

Sensitive media should be stored in a locked and fireproof safe. Backups should be recorded in a log with the date and time, information backed up, and the media used to back it up. [CI3.1.2(b), CI3.1.5, CI3.2.5(e), The Standard of Good Practice for Information Security]

Asia and Pacific Rim Guidance

Removable media containing classified material should be secured according to the classification of the information stored on the media. [§ 3.1.44, § 3.11.16, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of scheduled asset inventories that occurred on time. [UCF Control ID 02055]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.