Obtain management authorization for restricted storage media transit or distribution from a controlled access area.


CONTROL ID
00964
CONTROL TYPE
Records Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Control the transiting and internal distribution or external distribution of assets. (CC ID: 00963)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Devices, hardware, software or data may only be transferred to external premises after it has been approved by authorised committees or bodies of the cloud provider. The transfer takes place securely according to the type of the assets to be transferred. (Section 5.4 AM-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • When transmitting goods that are labeled confidential or above, the organization must use a security transportation plan approved by the DSO or MOD DE&S DHSY/PSYA. (¶ 111, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • Select a recent sample of several days of offsite tracking logs for all media containing cardholder data, and verify the presence in the logs of tracking details and proper management authorization. (§ 9.8, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 2.0)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (§ 9.6.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.1)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.2)
  • Select a recent sample of several days of offsite tracking logs for all media containing cardholder data, and verify the presence in the logs of tracking details and proper management authorization. (§ 9.8, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 2.0)
  • Select a recent sample of several days of offsite tracking logs for all media containing cardholder data, and verify the presence in the logs of tracking details and proper management authorization. (§ 9.8, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • Select a recent sample of several days of offsite tracking logs for all media containing cardholder data, and verify the presence in the logs of tracking details and proper management authorization. (§ 9.8, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview responsible personnel and examine the logs from a sample of offsite tracking logs to verify proper management authorization has been received when media is moved from a secure area, including the distribution to individuals. (Testing Procedures § 9.6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure procedures are in place to have management approve any transit of sensitive media from a secured area. (§ 9.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Select a recent sample of several days of offsite tracking logs for all media containing cardholder data, and verify the presence in the logs of tracking details and proper management authorization. (§ 9.8 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Management must approve the movement of all media from a secured area, including the distribution to individuals. (PCI DSS Requirements § 9.6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). (9.6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). (9.6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). (9.6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Select a recent sample of several days of offsite tracking logs for all media. From examination of the logs and interviews with responsible personnel, verify proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals). (9.6.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). (9.4.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation to verify that procedures are defined to ensure that media moved outside the facility is approved by management. (9.4.4.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine offsite media tracking logs and interview responsible personnel to verify that proper management authorization is obtained for all media moved outside the facility (including media distributed to individuals). (9.4.4.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (PCI DSS Question 9.6.3, PCI DSS Self-Assessment Questionnaire A and Attestation of Compliance, Version 3.0)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (PCI DSS Question 9.6.3, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (PCI DSS Question 9.6.3, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (PCI DSS Question 9.6.3, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (PCI DSS Question 9.6.3, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (PCI DSS Question 9.6.3, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (PCI DSS Question 9.6.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (PCI DSS Question 9.6.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). (9.4.4, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). (9.4.4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). (9.4.4, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). (9.4.4, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). (9.4.4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). (9.4.4, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). (9.4.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). (9.4.4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises. (DCS-04, Cloud Controls Matrix, v3.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable autho… (DCS-02, Cloud Controls Matrix, v4.0)
  • Consent may be required from the responsible archival authority when records are being removed from the control or ownership of the organization. (§ 4.3.9.4 ¶ 5, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • PII on media leaving the organization’s premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned). (§ A.10.4 ¶ 2, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • PII on media leaving the organization’s premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned). (§ A.11.4 ¶ 2, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • Are there procedures for media in transit? (§ D.2.2.5, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • The Government Contracting Agency must authorize, in writing, the transmission of Top Secret information outside of the facility. (§ 5-402, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • All Federal Tax Information shipments, including electronic media, must be documented with a transmittal form. (§ 4.5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)