Control the transiting and internal distribution or external distribution of assets.


CONTROL ID
00963
CONTROL TYPE
Records Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets., CC ID: 00718

This Control has the following implementation support Control(s):
  • Log the transiting, internal distribution, and external distribution of restricted storage media., CC ID: 12321
  • Encrypt digital media containing sensitive information during transport outside controlled areas., CC ID: 14258
  • Obtain management authorization for restricted storage media transit or distribution from a controlled access area., CC ID: 00964
  • Use locked containers to transport non-digital media outside of controlled areas., CC ID: 14286
  • Transport restricted media using a delivery method that can be tracked., CC ID: 11777


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • O25: The organization shall develop set procedures for transferring and storing data files. O25.3(1).1: To prevent the unauthorized use, tampering, or loss of data files when they are being transferred, the organization shall clarify the following items: the purpose, date, and time of the use; the u… (O25, O25.3(1).1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • When relocating the computer center, it is necessary to implement adequate measures in addition to those in item 1 above, considering the risks arising from transporting data. (P77.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Banks should maintain the security of media while in transit or when shared with third parties. Policies should include contractual requirements that incorporate necessary risk-based controls, restrictions on the carriers used and procedures to verify the identity of couriers. (Critical components of information security 15) viii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Policies regarding media handling, disposal, and transit should be implemented to enable the use of protection profiles and otherwise mitigate risks to data. If protection profiles are not used, the policies should accomplish the same goal as protection profiles, which is to deliver the same degree … (Critical components of information security 15) iv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Keyed CGCE is transported based on the sensitivity or classification of the keying material in it. (Security Control: 0501; Revision: 4, Australian Government Information Security Manual, March 2021)
  • If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag. (Control: ISM-1084; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Keyed cryptographic equipment is transported based on the sensitivity or classification of its keying material. (Control: ISM-0501; Revision: 6, Australian Government Information Security Manual, June 2023)
  • If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag. (Control: ISM-1084; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Keyed cryptographic equipment is transported based on the sensitivity or classification of its keying material. (Control: ISM-0501; Revision: 6, Australian Government Information Security Manual, September 2023)
  • The procedures for managing the review of media that contains information for transferring offsite should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "Data transfers", Australian Government Information Security Manual: Controls)
  • The organization must ensure media that contains sensitive information or classified information meets the minimum physical transfer requirements from the Australian Government Protective Security Policy Framework. (Control: 0831, Australian Government Information Security Manual: Controls)
  • The organization should not transport commercial grade cryptographic equipment in a keyed state. (Control: 1002, Australian Government Information Security Manual: Controls)
  • Unkeyed commercial grade cryptographic equipment must be distributed and managed in an approved way for transporting and managing government property. (Control: 0500, Australian Government Information Security Manual: Controls)
  • Keyed commercial grade cryptographic equipment must be distributed, managed, and stored in an approved way for transporting and managing government property based on the key's classification or sensitivity. (Control: 0501, Australian Government Information Security Manual: Controls)
  • The organization must physically transfer a mobile device that is unable to use encryption to reduce the storage and physical transfer requirements to an unclassified level as a sensitive asset or classified asset in a Security Construction and Equipment Committee endorsed secure briefcase. (Control: 1084, Australian Government Information Security Manual: Controls)
  • Based on the risk of a privacy breach and the state of the art and implementation costs, the technical and organization security measures must prevent data from being copied, read, deleted, or amended in an unauthorized manner when data media is transported and disclosed. (Art 23(h), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • ¶ 17: The organization must notify the DSO or MOD DE&S DHSY/PSYA at the earliest possible time any intention to transfer protectively marked work from one List X site to another one or to close a List X contractor's organization. This is required to make proper arrangements to dispose of the assets… (¶ 17, ¶ 50.c, ¶ 53, ¶ 86, ¶ 110, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • App 2 ¶ 10: The organization shall transmit restricted documents, both inside and outside the premises, in a manner that prevents unauthorized persons from accessing them. The documents may be sent by regular mail, but the word restricted must not appear on the envelope and commercial couriers may … (App 2 ¶ 10, App 6 ¶ 12, The Contractual process, Version 5.0 October 2010)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 2.0)
  • Is strict control maintained over the internal or external distribution of any kind of media? (§ 9.6(a), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.1)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6(a), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.2)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 2.0)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify a policy exists for controlling the distribution of all types of media, including that which is distributed to individuals. (Testing Procedures § 9.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure any media that contains cardholder data is strictly controlled during any distribution, either internally or externally. (§ 9.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that a policy exists to control distribution of media containing cardholder data, and that the policy covers all distributed media including that distributed to individuals. (§ 9.7 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Strict control must be maintained over the internal distribution or external distribution of all types of media. (PCI DSS Requirements § 9.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Maintain strict control over the internal or external distribution of any kind of media, including the following: (9.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Maintain strict control over the internal or external distribution of any kind of media, including the following: (9.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Maintain strict control over the internal or external distribution of any kind of media, including the following: (9.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is strict control maintained over the internal or external distribution of any kind of media? (9.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify that a policy exists to control distribution of media, and that the policy covers all distributed media including that distributed to individuals. (9.6, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Is strict control maintained over the internal and external distribution of any kind of media? (PCI DSS Question 9.6(a), PCI DSS Self-Assessment Questionnaire A and Attestation of Compliance, Version 3.0)
  • Is strict control maintained over the internal and external distribution of any kind of media? (PCI DSS Question 9.6(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is strict control maintained over the internal and external distribution of any kind of media? (PCI DSS Question 9.6(a), PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Is strict control maintained over the internal and external distribution of any kind of media? (PCI DSS Question 9.6(a), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is strict control maintained over the internal and external distribution of any kind of media? (PCI DSS Question 9.6(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is strict control maintained over the internal and external distribution of any kind of media? (PCI DSS Question 9.6(a), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Is strict control maintained over the internal and external distribution of any kind of media? (PCI DSS Question 9.6(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is strict control maintained over the internal and external distribution of any kind of media? (PCI DSS Question 9.6(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • A digital asset management audit should be performed and should include examining the procedures used to transport digital assets. (App A.9 (Recommendations for Piracy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • When an organization has international offices, the protection of confidential information may not be the same there as in the United States, because there may be no applicable laws or the laws may not be enforced. Protective measures that should be used include regular countermeasure sweeps where b… (Pg 23-VI-19, Protection of Assets Manual, ASIS International)
  • There should be documented standards / procedures for the protection of sensitive physical information (e.g., blank checks, bonds, or print-outs of documents, such as personal information, financial projections, business plans, or product designs), which covers secure transportation of sensitive phy… (CF.03.03.01d, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be monitored by recording its issue. (CF.03.03.02d-1, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be monitored by recording its use. (CF.03.03.02d-2, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be monitored by recording its return. (CF.03.03.02d-3, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected in transit by minimizing distribution. (CF.03.03.05a, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected in transit by using double-packaging (i.e., one package inside another). (CF.03.03.05b, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected in transit by recording authorised recipients. (CF.03.03.05c, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected in transit by clearly marking all packaging with the identity of the authorized recipient. (CF.03.03.05d, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected in transit by reviewing records of authorised recipients regularly. (CF.03.03.05f, The Standard of Good Practice for Information Security)
  • Standards / procedures should include the type of information that can be transferred to and from portable storage devices (e.g., restricted to non- classified information or encrypted files). (CF.14.04.02c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for the protection of sensitive physical information (e.g., blank checks, bonds, or print-outs of documents, such as personal information, financial projections, business plans, or product designs), which covers secure transportation of sensitive phy… (CF.03.03.01d, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be monitored by recording its issue. (CF.03.03.02d-1, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be monitored by recording its use. (CF.03.03.02d-2, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be monitored by recording its return. (CF.03.03.02d-3, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected in transit by minimizing distribution. (CF.03.03.05a, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected in transit by using double-packaging (i.e., one package inside another). (CF.03.03.05b, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected in transit by recording authorised recipients. (CF.03.03.05c, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected in transit by clearly marking all packaging with the identity of the authorized recipient. (CF.03.03.05d, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected in transit by reviewing records of authorised recipients regularly. (CF.03.03.05f, The Standard of Good Practice for Information Security, 2013)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually. (DCS-04, Cloud Controls Matrix, v4.0)
  • Elements to consider when dealing with transfer of ownership of records are as follows. The most important thing is to figure out who is held accountable for the records, and this can be done by asking some of these questions: a) Have the operational and administrative needs for transfer of the reco… (§ 4.3.9.4, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The movement of the record should be tracked to identify personnel who have or have had custody of it, in order to effectively manage the use of records. (§ 4.3.8 ¶ 2(e), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The delivery process should be examined to ensure the documented procedures are used when a product is delivered to the user's site. The procedures should include all the necessary steps to ensure the product is secure during the delivery process (including packaging, storage, and delivery), technic… (§ 11.5.1, § 12.5.1, § 13.5.1, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The service provider should develop formal procedures for transporting vital records, magnetic media, and supplies to and from the organization's premises to the on-site and off-site storage facilities and the recovery sites. Appropriate environmental controls should be implemented to maintain the o… (§ 6.4.7(a), ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. (A.8.3.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Media being transported between sites should be protected. The following guidelines should be considered by organizations that must transport media: Maintain a list of reliable couriers; package the material to prevent physical damage; and use controls to protect against unauthorized disclosure or m… (§ 10.8.3, ISO 27002 Code of practice for information security management, 2005)
  • The organization shall maintain and retain documented information on the OH&S objectives and plans to achieve them. (§ 6.2.2 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Media containing information should be protected against unauthorized access, misuse or corruption during transportation. (§ 8.3.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. (§ 7.10 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; (MP-5a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; (MP-5a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; (MP-5a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should implement measures to protect personal information in electronic format and hardcopy format that is sent by courier, mail, and other physical means. (Table Ref 8.2.5, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use. (CIP-011-2 Table R1 Part 1.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Information Protection CIP-011-2, Version 2)
  • Does the procedure for managing information assets include media handling based on classification? (§ D.2.2.13, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • For the backup media stored offsite, is there verification of receipt? (§ G.8.2.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Backup tapes that are destined for off-site storage or are for data center transitions use are excepted from the requirement that personally identifiable information must be encrypted. They must be shipped using proper precautions, such as in a locked sturdy container. (§ 4.3 ¶ 3, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 2.2.25: While in transit, sensitive information must be locked in cabinets or sealed in packing cartons. The CMS or CMS business partner must maintain custody of the sensitive information material. The organization must maintain accountability for the sensitive information during the move. CSR 2… (CSR 2.2.25, CSR 2.2.26, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Classified assets must be transported by approved and authorized couriers and/or with the proper cover sheets and envelopes. (§ 3.5.1 ¶ 4, DISA Access Control STIG, Version 2, Release 3)
  • Transmittal documents must be marked with both the highest classification level of the material being transmitted and the classification level of the transmittal document when the enclosures are removed. Top Secret information that is transmitted must be covered by receipts both inside and outside t… (§ 4-211, § 5-201, § 5-202, § 5-400, § 8-605, § 10-603, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The agency shall control and protect physical media and electronic media during transport outside of controlled areas and restrict these activities to authorized individuals. (§ 5.8.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Controls shall be implemented for physically transporting electronic media that contains criminal justice information to help prevent data compromise. (§ 5.8.2.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Physical media in transit shall be protected at the same level as information in electronic format. (§ 5.8.2.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall protect and control digital and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel. (§ 5.8.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Controls shall be in place to protect digital media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption, as defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if encryption of … (§ 5.8.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media. (§ 5.8 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Restrict the activities associated with the transport of system media to authorized personnel. (§ 5.8 MP-5d., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Protect and control digital and non-digital media to help prevent compromise of the data during transport outside of the physically secure locations or controlled areas using encryption, as defined in Section 5.10.1.2 of this Policy. Physical media will be protected at the same level as the informat… (§ 5.8 MP-5a., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Maintains the security of physical media, including backup tapes, containing sensitive information while in transit, including to off-site storage, or when shared with third parties. (App A Objective 6.18.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should control and protect access to and transmission of information to avoid loss or damage and do the following: - Establish and supervise compliance with policies for storing and handling information, including storing data on mobile devices and cloud services. - Define and implement… (II.C.13 Control of Information, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Exam Tier II Obj 4.7 Assess adequacy of institution card-mailing procedures. Ensure the institution mails the card and associated PIN to customers in separate envelopes. Also ensure that the return address does not identify the institution. Exam Tier II Obj 4.8 Assess whether mailing procedures prov… (Exam Tier II Obj 4.7, Exam Tier II Obj 4.8, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Tamper-resistant mailing procedures should be used to send bank cards and other sensitive material through the U.S. mail. (Pg 31, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The service provider must define the security measures used to protect digital media and non-digital media, while it is in transit. (Column F: MP-5a, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the security measures used to protect digital media and non-digital media in transit. (Column F: MP-5a, FedRAMP Baseline Security Controls)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Restrict the activities associated with the transport of system media to authorized personnel. (MP-5d., FedRAMP Security Controls High Baseline, Version 5)
  • Protect and control [FedRAMP Assignment: all media with sensitive information] during transport outside of controlled areas using [FedRAMP Assignment: prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or … (MP-5a., FedRAMP Security Controls High Baseline, Version 5)
  • Restrict the activities associated with the transport of system media to authorized personnel. (MP-5d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Protect and control [FedRAMP Assignment: all media with sensitive information] during transport outside of controlled areas using [FedRAMP Assignment: prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or … (MP-5a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Federal Tax Information (FTI) must be in a sealed packing carton or a locked cabinet during a move and remain in the custody of an authorized person. FTI that is shipped through the mail or a courier must be double-sealed. When the organization returns FTI to the IRS, it must ensure the information … (§ 4.4, § 4.5, § 5.6.10, § 8.2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; (MP-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Restrict the activities associated with the transport of system media to authorized personnel. (MP-5d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; (MP-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Restrict the activities associated with the transport of system media to authorized personnel. (MP-5d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; (MP-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Restrict the activities associated with the transport of system media to authorized personnel. (MP-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; (MP-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Restrict the activities associated with the transport of system media to authorized personnel. (MP-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure printed and digital media are accessible only by authorized users; the pickup, receipt, transfer, and delivery of media are restricted to authorized individuals; and specific responsibilities and actions are defined for the implementa… (MP-2, MP-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; (MP-5a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; (MP-5a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Media assets include removable media and devices such as floppy disks, CDs, DVDs and USB memory sticks, as well as printed reports and documents. Physical security controls should address specific requirements for the safe and secure maintenance of these assets and provide specific guidance for tran… (§ 6.2.10 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization may protect digital media, non-digital media, and mobile devices that contain Personally Identifiable Information that is transported out of controlled areas. (§ 4.3 Bullet Media Transport (MP-5), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • System data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. Data backup policies should designate the location of stored data… (§ 3.4.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Where will the media be delivered and what is the rotation schedule of backup media? (§ 5.1.2 ¶ 4 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must restrict the transport of media to authorized personnel. (SG.MP-5 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use a defined custodian throughout the transport of the smart grid information system media. (SG.MP-5 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must protect and control named media during transportation outside of secure areas using established security procedures. (App F § MP-5.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must maintain accountability for media while outside of secure areas. (App F § MP-5.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must restrict transportation of media to authorized personnel. (App F § MP-5.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should document the activities associated with the transport of system media. (App F § MP-5(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use cryptographic mechanisms to protect the confidentiality and integrity of the information stored on the media during transport outside of controlled areas. (App F § MP-5(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use trusted shipping and warehousing for systems, system components, and Information Technology products. (App F § SA-12(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should require defined system components to have tamper-evident packaging during transport from the vendor site to the operational site and/or during operations. (App F § SI-7(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support cryptographic mechanisms during media transport. (App I § MP-5 Control Enhancement: (4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization protects and controls {organizationally documented types of information system media} during transport outside of controlled areas using {organizationally documented security safeguards}. (MP-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization documents activities associated with the transport of information system media. (MP-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs an identified custodian during transport of information system media outside of controlled areas. (MP-5(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization protects and controls {organizationally documented types of information system media} during transport outside of controlled areas using {organizationally documented security safeguards}. (MP-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents activities associated with the transport of information system media. (MP-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization protects and controls {organizationally documented types of information system media} during transport outside of controlled areas using {organizationally documented security safeguards}. (MP-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents activities associated with the transport of information system media. (MP-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; (MP-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; (MP-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; (MP-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs an identified custodian during transport of information system media outside of controlled areas. (MP-5(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; (MP-5a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Restrict the activities associated with the transport of system media to authorized personnel. (MP-5d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ an identified custodian during transport of system media outside of controlled areas. (MP-5(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; (MP-5a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Restrict the activities associated with the transport of system media to authorized personnel. (MP-5d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ an identified custodian during transport of system media outside of controlled areas. (MP-5(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; (MP-5a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Restricts the activities associated with the transport of information system media to authorized personnel. (MP-5d., TX-RAMP Security Controls Baseline Level 2)
  • Protects and controls [TX-RAMP Assignment: all media with sensitive information] during transport outside of controlled areas using [TX-RAMP Assignment: prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media… (MP-5a., TX-RAMP Security Controls Baseline Level 2)