Transport backup media in lockable electronic media storage containers.


CONTROL ID: 01264
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Store backup media at an off-site electronic media storage facility. (CC ID: 01332)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should implement controls to maintain the security of the backup media during transit. (Attach B ¶ 12, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • APRA envisages that a regulated institution would regularly backup critical and sensitive IT assets, regardless of the level of resilience in place. Appropriate controls would be implemented to ensure the security of the backups is maintained while in transit and storage, typically via physical secu… (Attachment B ¶ 12, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The delivery process should be examined to ensure the documented procedures are used when a product is delivered to the user's site. The procedures should include all the necessary steps to ensure the product is secure during the delivery process (including packaging, storage, and delivery), technic… (§ 11.5.1, § 12.5.1, § 13.5.1, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • Organizations should be provided with secure storage facilities and accessories for storing their vital records, supplies, and magnetic media. To provide secure storage, the service provider should develop a formal set of procedures to handle and secure the collecting, transporting, receipt, marking… (§ 6.4.7(a), § 6.4.7(b), ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. (CP-9(5) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • For the backup media stored offsite, is there secure transport? (§ G.8.2.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Management should decide how to transport the back-up tapes to the offsite location. (Pg 30, FFIEC IT Examination Handbook - Operations, July 2004)
  • Provisions for secured transport and off-site storage of sensitive customer information. (App A Tier 2 Objectives and Procedures E.1 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether data and program files are adequately secured, retained, and backed up at off-premises facilities, including secured transport mechanisms for those resources. (App A Tier 2 Objectives and Procedures L.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization transfers information system backup information to the alternate storage site [FedRAMP Assignment: time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA]. (CP-9(5) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Transfer system backup information to the alternate storage site [FedRAMP Assignment: time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA]. (CP-9(5) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • The data back-up policy should state the method that will be used to transfer media to the off-site storage location. (§ 3.4.2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. (CP-9(5) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Organizational records and documents should be examined to ensure the pick up, receipt, transfer, and delivery of printed and digital media is restricted to authorized individuals and specific responsibilities and actions are defined for the implementation of the media transport control. Any problem… (MP-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. (CP-9(5) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • It is good business practice to store backed-up data offsite. Commercial data storage facilities are specially designed to archive media and protect data from threatening elements. If using offsite storage, data is backed up at the organization's facility and then labeled, packed, and transported to… (§ 3.4.2 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must protect media while it is being transported outside of protected areas using defined security measures. (SG.MP-5 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should transfer backup information to the alternate storage site in a time period that is consistent with the recovery time and recovery point objectives. (App F § CP-9(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization transfers information system backup information to the alternate storage site {organizationally documented time period}. (CP-9(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization transfers information system backup information to the alternate storage site {organizationally documented transfer rate consistent with the recovery time}. (CP-9(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization transfers information system backup information to the alternate storage site {organizationally documented recovery point objectives}. (CP-9(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization transfers information system backup information to the alternate storage site {organizationally documented time period}. (CP-9(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization transfers information system backup information to the alternate storage site {organizationally documented transfer rate consistent with the recovery time}. (CP-9(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization transfers information system backup information to the alternate storage site {organizationally documented recovery point objectives}. (CP-9(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. (CP-9(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. (CP-9(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. (CP-9(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. (CP-9(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)