Establish, implement, and maintain storage media access control procedures.


CONTROL ID
00959
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain removable storage media controls., CC ID: 06680

This Control has the following implementation support Control(s):
  • Require removable storage media be in the custody of an authorized individual., CC ID: 12319


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • O25.3(2): The organization shall develop procedures to request, approve, and make copies of files and to transfer and destroy copied files. O33.4: The organization shall define management methods for copying and reproducing important documents. (O25.3(2), O33.4, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • There should be secure storage of media. Controls could include physical and environmental controls such as fire and flood protection, limiting access by means like physical locks, keypad, passwords, biometrics, etc., labelling, and logged access. Management should establish access controls to limit… (Critical components of information security 15) v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should ensure only authorised data storage media, systems and endpoint devices are used to communicate, transfer, or store confidential data. (§ 11.1.4, Technology Risk Management Guidelines, January 2021)
  • Based on the risk of a privacy breach and the state of the art and implementation costs, the technical and organization security measures must prevent media from being copied, read, amended, or moved by unauthorized personnel. (Art 23(b), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • The access to archives that contain sensitive or judicial data must be controlled. Persons who are authorized to access these archives after hours must be identified and registered. If the archives are not equipped with electronic devices for access control or not under surveillance, persons who acc… (Annex B.29, Italy Personal Data Protection Code)
  • The organization must verify protectively marked material that is being released under the Freedom of Information Act is declassified and marked. The owner or originator must be consulted before declassifying the information. (Mandatory Requirement 15, HMG Security Policy Framework, Version 6.0 May 2011)
  • The security officer must refer to this framework when developing counter-terrorist policies and plans, but needs to ensure all systems consider and mitigate potential electronic and physical terrorist attacks and it includes the need to protect paper and electronic based information from unauthoriz… (Security Policy No.6 ¶ 12.c, HMG Security Policy Framework, Version 6.0 May 2011)
  • The system must only allow approved persons access to protectively marked material. (App 3 ¶ 6, The Contractual process, Version 5.0 October 2010)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 2.0)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 2.0)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data. (§ 9.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • A digital asset management audit should be performed and should include examining how administrative and third-party access is secured. (App A.9 (Recommendations for Piracy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Office equipment shall be supported by documented standards / procedures, which cover restricting access to sensitive equipment. (CF.12.03.01b, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for the protection of sensitive physical information (e.g., blank checks, bonds, or print-outs of documents, such as personal information, financial projections, business plans, or product designs), which covers protection against unauthorized disclo… (CF.03.03.01c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for the protection of sensitive physical information (e.g., blank checks, bonds, or print-outs of documents, such as personal information, financial projections, business plans, or product designs), which covers handling of sensitive physical informa… (CF.03.03.01e-1, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected against theft or copying by restricting physical access to important post points. (CF.03.03.03b-1, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected against theft or copying by restricting physical access to important facsimile points. (CF.03.03.03b-2, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected against theft or copying by restricting physical access to important local environments. (CF.03.03.03b-4, The Standard of Good Practice for Information Security)
  • Office equipment shall be supported by documented standards / procedures, which cover restricting access to sensitive equipment. (CF.12.03.01b, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for the protection of sensitive physical information (e.g., blank checks, bonds, or print-outs of documents, such as personal information, financial projections, business plans, or product designs), which covers protection against unauthorized disclo… (CF.03.03.01c, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for the protection of sensitive physical information (e.g., blank checks, bonds, or print-outs of documents, such as personal information, financial projections, business plans, or product designs), which covers handling of sensitive physical informa… (CF.03.03.01e-1, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected against theft or copying by restricting physical access to important post points. (CF.03.03.03b-1, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected against theft or copying by restricting physical access to important facsimile points. (CF.03.03.03b-2, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected against theft or copying by restricting physical access to important local environments. (CF.03.03.03b-4, The Standard of Good Practice for Information Security, 2013)
  • ¶ 8.1.5(8) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards… (¶ 8.1.5(8), ¶ 10.2.9, ¶ 10.3.1, ¶ 10.4.19, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Controls for data-at-rest include, but are not restricted to, appropriate encryption, authentication and access control. (PR.DS-1.2, CRI Profile, v1.2)
  • Controls for data-at-rest include, but are not restricted to, appropriate encryption, authentication and access control. (PR.DS-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Access to personal information stored on media should be restricted. (ID 8.2.2.h, AICPA/CICA Privacy Framework)
  • Procedures exist to restrict logical access to the system, including restricting access to offline storage, backup data, systems, and media. (Security Prin. and Criteria Table § 3.2 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict logical access to the system, including restricting access to offline storage, backup data, systems, and media. (Availability Prin. and Criteria Table § 3.5 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict logical access to the system, including restricting access to offline storage, backup data, systems, and media. (Processing Integrity Prin. and Criteria Table § 3.6 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict logical access to the system and the confidential information resources maintained on the system, including restricting access to offline storage, backup data, systems, and media. (Confidentiality Prin. and Criteria Table § 3.8 h, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The use of non removable, nonvolatile media should be discouraged for processing classified information. Classified data should be stored on non removable, nonvolatile media only under the following conditions: the system is located in an area approved for open storage of classified material; when u… (§ 2-22, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization must secure removable storage devices and media that contain sensitive information before, during, and after processing and ensure a proper acknowledgement form has been signed and returned to the originator. (CSR 1.3.12, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Members, brokers, dealers and transfer agents must store duplicate copies of digital media separately from originals on acceptable media for the time required. (§ 240.17a-4(3)(iii), 17 CFR Part 240.17a-4, Records to be preserved by certain exchange members, brokers, and dealers)
  • Members, brokers, dealers and transfer agents must store duplicate copies of digital media separately from originals. (§ 240.17Ad-7(f)(2)(v), 17 CFR Part 240.17Ad-7, Record retention)
  • Limit access to CUI on system media to authorized users. (MP.2.120, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. (MP.2.119, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Limit access to CUI on system media to authorized users. (MP.2.120, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. (MP.2.119, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. (MP.2.119, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Limit access to CUI on system media to authorized users. (MP.2.120, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. (MP.2.119, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Limit access to CUI on system media to authorized users. (MP.2.120, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. (MP.L2-3.8.1 Media Protection, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Limit access to CUI on system media to authorized users. (MP.L2-3.8.2 Media Access, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The agency shall restrict access to physical media and electronic media to authorized individuals. (§ 5.8.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Restrict access to digital and non-digital media to authorized individuals. (§ 5.8 MP-2 Control, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. (TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • § 11.1(e): Computer systems, hardware, software, controls, and documentation that are maintained under Part 11 of this Act shall be readily available for and subject to Food and Drug Administration inspection. § 11.10(d): The organization shall have procedures and controls in place to limit system… (§ 11.1(e), § 11.10(d), § 11.10(k)(1), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • The service provider must define the types of digital media and non-digital media. (Column F: MP-2, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the types of digital media and non-digital media. (Column F: MP-2, FedRAMP Baseline Security Controls)
  • The organization must develop, document, and distribute a media protection policy that includes the roles, responsibilities, scope, and procedures for the implementation of the media protection security controls. (Exhibit 4 MP-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are the backup copies of the certificates properly secured against unauthorized access or use? (IT - Authentication Q 30, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure the media protection policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the media protection policy and procedures control. Any pro… (MP-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Store the media securely. Administrators are responsible for ensuring that the media receives adequate physical protection. (§ 5.4 Bullet 4, Guide to Computer Security Log Management, NIST SP 800-92)
  • The organization may restrict access to media that contains Personally Identifiable Information, including non-digital media, digital media, and mobile devices and portable devices with the ability to store data. (§ 4.3 Bullet Media Access (MP-2), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. (3.8.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Limit access to CUI on information system media to authorized users. (3.8.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. (3.8.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Limit access to CUI on system media to authorized users. (3.8.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Limit access to CUI on system media to authorized users. (3.8.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. (3.8.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must restrict access to digital media and non-digital media to listed authorized individuals using defined security measures. (App F § MP-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented Media Protection policy that includes the purpose, roles, responsibilities, scope, compliance, coordination among entities, and management commitment. (App F § MP-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures to implement the Media Protection policy and its associated controls. (App F § MP-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization restricts access to {organizationally documented types of digital and/or non-digital media} to {organizationally documented personnel}. (MP-2, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization restricts access to {organizationally documented types of digital and/or non-digital media} to {organizationally documented roles}. (MP-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization restricts access to {organizationally documented types of digital and/or non-digital media} to {organizationally documented personnel}. (MP-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization restricts access to {organizationally documented types of digital and/or non-digital media} to {organizationally documented roles}. (MP-2, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization restricts access to {organizationally documented types of digital and/or non-digital media} to {organizationally documented personnel}. (MP-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization restricts access to {organizationally documented types of digital and/or non-digital media} to {organizationally documented roles}. (MP-2, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization restricts access to {organizationally documented types of digital and/or non-digital media} to {organizationally documented personnel}. (MP-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization restricts access to {organizationally documented types of digital and/or non-digital media} to {organizationally documented roles}. (MP-2, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)