Protect electronic storage media with physical access controls.


CONTROL ID
00720
CONTROL TYPE
Physical and Environmental Protection
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Restrict physical access to distributed assets., CC ID: 11865

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization shall store data files in a predetermined room. For computer centers, the files should be stored in a data storage room. For head and branch offices, the files should be stored in a place that can be locked and put inside a fire preventive section. If a fire preventive section is no… (O25.3(5), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means. (Security Control: 0342; Revision: 5, Australian Government Information Security Manual, March 2021)
  • The organization must prevent unauthorized media from connecting to the system by physical means, data loss prevention software, or device access control software. (Control: 0342, Australian Government Information Security Manual: Controls)
  • The organization should secure the multifactor evidence, for something someone has, on the premises in accordance with the requirements in the Australian Government Physical Security Management Protocol for authenticating privileged access and positions of trust. (Control: 1174, Australian Government Information Security Manual: Controls)
  • Removable hard drives should be removed after hours and stored in an appropriate place in accordance with the classification of the material contained on the hard drive. (§ 3.1.32, § 3.1.44, § 3.1.46, Australian Government ICT Security Manual (ACSI 33))
  • Based on the risk of a privacy breach and the state of the art and implementation costs, the technical and organizational security measures must prevent unauthorized personnel from using data processing systems using the data transmission facilities. (Art 23(d), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • Technical and organizational instructions will be issued on how to keep and use removable media that stores data to prevent unauthorized access and processing. (Annex B.21, Italy Personal Data Protection Code)
  • The organization should protect critical, sensitive, or protectively marked assets against surreptitious attack by placing them in security areas that are protected by a defined security perimeter with appropriate security barriers and entry controls. (Security Policy No. 5 ¶ 5, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization's security instructions should include guidance about the security implications of organizing conferences and meetings, including securing the protectively marked assets during breaks or keeping the room locked and guarded. (¶ 24.f, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • (§ 4.2.3.2, OGC ITIL: Security Management)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Restrict physical access to cardholder data (Requirement 9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Fax machines should be located only where authorized employees can send or receive documents. One person and an alternate should be assigned the responsibility for fax transmissions. (Pg 11-V-12, Protection of Assets Manual, ASIS International)
  • Information associated with office equipment shall be protected against physical access and tampering by locating equipment in a physically secure environment (e.g., restricted area or locked office). (CF.12.03.03a, The Standard of Good Practice for Information Security)
  • Information associated with office equipment shall be protected against physical access and tampering by locating equipment in a physically secure environment (e.g., restricted area or locked office). (CF.12.03.03a, The Standard of Good Practice for Information Security, 2013)
  • ¶ 8.1.5(8) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards… (¶ 8.1.5(8), ¶ 10.2.9, ¶ 10.4.19, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. (§ 5.15 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The organization should physically protect personal information that is stored or accessed on mobile devices or portable media. (Table Ref 8.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Are there procedures for media access controls including authorization? (§ D.2.2.2, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Only authorized individuals should be able to receive sensitive hardcopy output in terminal areas and remove sensitive hardcopy output from terminal areas. (§ 2-24.c, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • Restricted areas shall meet the secured area criteria or the organization shall store CMS sensitive items in appropriate containers during non-working hours. (§ 4.2.1 ¶ 1, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 1.3.13: The organization must keep sensitive information locked up when it is not in use. The organization must keep compact disks and magnetic media that contain sensitive information in a secure area. CSR 1.13.3: The organization must secure all CMS-owned software at the close of business or a… (CSR 1.3.13, CSR 1.13.3, CSR 2.2.20, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization will conduct system backups daily that are stored in a safe that is fireproof and only accessible to the IT Manager and senior executives. Additional backups will be stored off site weekly with a bonded provider. (Pg 47, C-TPAT Supply Chain Security Best Practices Catalog)
  • Laptops and PDAs must be kept out of plain view when they are stored in a locked car or hotel room. (§ 3.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Ensure that the MFD has a mechanism to lock and prevent access to the hard disk. (MFD08.001, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3)
  • The organization must conduct security checks at the end of each day to ensure that all classified material has been properly secured. (§ 5-102, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A patient safety organization, to control and limit physical and virtual access to areas and equipment where patient safety work is received, accessed, or handled, must provide physical and environmental protection. (§ 3.106(b)(2)(iii), 42 CFR Part 3, Patient Safety and Quality Improvements, Final Rule)
  • The agency shall securely store physical media and electronic media in a controlled area or a physically secure location. (§ 5.8.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Controls shall be in place to protect digital media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption, as defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if encryption of … (§ 5.8.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Inventories of backup media, storage location, and access controls for the media or physical location. (App A Objective 15:4a Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Data management controls for safeguarding data in physical and digital form. (III.A Action Summary ¶ 2 Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether audit procedures for payment systems risk adequately consider the risks in retail EFT (automatic teller machines, point-of-sale, debit cards, home banking, and other card-based systems including VISA/ Master Charge compliance). Evaluate whether ▪ Written procedures are complete a… (Exam Tier II Obj E.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should ensure blank cards for embossing are stored in a secure area. (Pg 40, Exam Tier II Obj 4.4, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Removable media that contains Federal Tax Information should be locked up when not in use. When in use, it should be in a secure area under the control of an authorized individual. (§ 4.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are the firewall backups safeguarded? (IT - Firewalls Q 26, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Calls for Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • (§ 3.10.7, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Media storage areas should be restricted by either guard stations or automated mechanisms. Automated mechanisms should be configured to allow only authorized personnel access and should audit all attempts to enter the storage area, both failed and granted access. Organizational records and documents… (MP-2(1), MP-2.7, MP-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Design or integrate appropriate data backup capabilities into overall system designs, and ensure that appropriate technical and procedural processes exist for secure system backups and protected storage of backup data. (T0056, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must manage and store smart grid information system media inside of protected areas, based on the sensitivity of the material on the media. (SG.MP-4 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must physically control and securely store named media inside a controlled area using appropriate measures. (App F § MP-4.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Design or integrate appropriate data backup capabilities into overall system designs, and ensure that appropriate technical and procedural processes exist for secure system backups and protected storage of backup data. (T0056, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Restrict physical access to nonpublic information to authorized individuals only. (Section 27-62-4(d)(2) c., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Restrict physical access to nonpublic information to authorized individuals only. (§ 8604.(d)(2) c., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Restricting physical access to nonpublic information to authorized individuals only. (Sec. 18.(2)(C), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Restrict physical access to nonpublic information to authorized individuals. (§2504.D.(2)(c), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Restricting physical access to nonpublic information to authorized individuals only. (Sec. 555.(4)(b)(iii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • restrict physical access to nonpublic information to authorized individuals only; (§ 60A.9851 Subdivision 4(2)(iii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Restrict physical access to nonpublic information to authorized individuals only. (§ 420-P:4 IV.(b)(3), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Protects and controls [TX-RAMP Assignment: all media with sensitive information] during transport outside of controlled areas using [TX-RAMP Assignment: prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media… (MP-5a., TX-RAMP Security Controls Baseline Level 2)
  • At physical locations containing nonpublic information, restrict access to nonpublic information to authorized persons only; (§ 38.2-623.C.4., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Restrict physical access to nonpublic information to authorized individuals only. (§ 601.952(3)(b)3., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)