Physically secure all electronic storage media that store restricted data or restricted information.


CONTROL ID: 11664
CONTROL TYPE: Physical and Environmental Protection
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain removable storage media controls. CC ID: 06680

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Protection of information confidentiality should be in place regardless of the media (including paper and electronic media) in which the information is maintained. AIs should ensure that all media are adequately protected, and establish secure processes for disposal and destruction of sensitive info… (3.1.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Also, for any various pieces of data stored separately from the data storage room, it is necessary to hold the critical data in proper fire-proof depositories, fire-proof cabinets, or other fire-proof data storage vaults that protect the data recorded on magnetic media. (F31.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • to any security measures incorporated into any equipment in which the personal data is stored; (Part II Division 1 9. (1) (c), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • There should be secure storage of media. Controls could include physical and environmental controls such as fire and flood protection, limiting access by means like physical locks, keypad, passwords, biometrics, etc., labelling, and logged access. Management should establish access controls to limit… (Critical components of information security 15) v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization must ensure information and communications technology equipment and media that contains sensitive information or classified information is secured in accordance with the requirements from the Australian Government Physical Security Management Protocol. (Control: 0161, Australian Government Information Security Manual: Controls)
  • Removable media containing classified material should be secured according to the classification of the information stored on the media. (§ 3.1.44, § 3.11.16, Australian Government ICT Security Manual (ACSI 33))
  • You have protected stored data important to the operation of the essential function. (B3.c ¶ 1, NCSC CAF guidance, 3.1)
  • The entity has policies and procedures in place that address the physical protection of information and system and data storage devices and removable media. The policies and procedures include the handling and secure operation of such devices, and their removal from service, the removal of informati… (S7.2 Physical protection of information on storage media, Privacy Management Framework, Updated March 1, 2020)
  • Verify that procedures for protecting cardholder data include controls for physically securing paper and electronic media. (§ 9.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 2.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (§ 9.5, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.1)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.2)
  • Verify that procedures for protecting cardholder data include controls for physically securing paper and electronic media. (§ 9.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 2.0)
  • Verify that procedures for protecting cardholder data include controls for physically securing paper and electronic media. (§ 9.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • Verify that procedures for protecting cardholder data include controls for physically securing paper and electronic media. (§ 9.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the procedures for protecting cardholder data include controls for physically securing all types of media. (Testing Procedures § 9.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure all paper and electronic media that contains cardholder data are physically secured. (§ 9.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that procedures for protecting cardholder data include controls for physically securing paper and electronic media. (§ 9.6 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • All types of media must be physically secured. (PCI DSS Requirements § 9.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Protect stored cardholder data. (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Physically secure all media. (9.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Physically secure all media. (9.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Protect stored cardholder data. (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Protect stored cardholder data. (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Physically secure all media. (9.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Protect stored cardholder data (Requirement 3:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Protect stored cardholder data (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Protect stored cardholder data (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Protect stored cardholder data (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Protect stored cardholder data (Requirement 3:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Protect stored cardholder data (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Protect stored cardholder data (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Protect stored cardholder data (Requirement 3:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Protect stored cardholder data (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Protect stored cardholder data (Requirement 3:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Protect stored cardholder data (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Protect stored cardholder data (Requirement 3:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Protect stored cardholder data (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Protect stored cardholder data (Requirement 3:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Protect stored cardholder data (Requirement 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Verify that procedures for protecting cardholder data include controls for physically securing all media (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes). (9.5, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • All media with cardholder data is physically secured. (9.4.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation to verify that the procedures defined for protecting cardholder data include controls for physically securing all media. (9.4.1., Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (PCI DSS Question 9.5, PCI DSS Self-Assessment Questionnaire A and Attestation of Compliance, Version 3.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (PCI DSS Question 9.5, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (PCI DSS Question 9.5, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (PCI DSS Question 9.5, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (PCI DSS Question 9.5, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (PCI DSS Question 9.5, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (PCI DSS Question 9.5, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (PCI DSS Question 9.5, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (PCI DSS Question 9.5, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • All media with cardholder data is physically secured. (9.4.1, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All media with cardholder data is physically secured. (9.4.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All media with cardholder data is physically secured. (9.4.1, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All media with cardholder data is physically secured. (9.4.1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All media with cardholder data is physically secured. (9.4.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All media with cardholder data is physically secured. (9.4.1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All media with cardholder data is physically secured. (9.4.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All media with cardholder data is physically secured. (9.4.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All media with cardholder data is physically secured. (9.4.1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Sensitive physical information should be stored in a physically secure location (e.g., a locked, document fireproof safe or container). (CF.03.03.02c, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be protected against theft or copying by storing important papers and printed material in a physically secure location (e.g., a locked, document fireproof safe, cabinet, or container) when not in use. (CF.03.03.03a, The Standard of Good Practice for Information Security)
  • Sensitive physical information should be stored in a physically secure location (e.g., a locked, document fireproof safe or container). (CF.03.03.02c, The Standard of Good Practice for Information Security, 2013)
  • Sensitive physical information should be protected against theft or copying by storing important papers and printed material in a physically secure location (e.g., a locked, document fireproof safe, cabinet, or container) when not in use. (CF.03.03.03a, The Standard of Good Practice for Information Security, 2013)
  • The master image must be stored on a securely configured server. (Critical Control 3.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should properly protect backups with encryption or physical security when they are stored and moved over the network, including cloud services and remote backups. (Critical Control 8.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Physical Security. An organization should combine the identification of the environment with safeguards which deal with physical protection. The following items may apply to buildings, secure areas, computer rooms and offices. The safeguard selection depends on which part of the building is consider… (¶ 8.1.7(5), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • In order to perform these validations the component must contain data that provides a way to differentiate between valid and invalid origins. The list of valid and invalid origins will differ from asset owner to asset owner, and it is unlikely that a product supplier will have a complete list of eve… (15.10.2 ¶ 2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Are image snapshots containing scoped data stored in an environment where the security controls protecting them are commensurate with the production environment? (§ V.1.16.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Classified media should be protected appropriately. Printer ribbons should be controlled and destroyed in accordance with AR 380-5, paragraph 5-201c. (§ 2-19, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The agency shall securely store digital and physical media within physically secure locations or controlled areas. The agency shall restrict access to digital and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per Se… (§ 5.8.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Physically control and securely store digital and non-digital media within physically secure locations or controlled areas and encrypt CJI on digital media when physical and personnel restrictions are not feasible; and (§ 5.8 MP-4a., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The organization should develop procedures for securely storing output containing sensitive information. Back-up tapes that are stored offsite should be physically inventoried periodically. (Pg 27, Pg 30, Exam Tier I Obj 6.3, Exam Tier I Obj 6.6, FFIEC IT Examination Handbook - Operations, July 2004)
  • Work papers should be secured at all times. If the information is stored on portable computers during the examination, the portable computers should be properly controlled. (Pg 13, Pg 17, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • Physically controls and securely stores [FedRAMP Assignment: all types of digital and non-digital media with sensitive information] within [FedRAMP Assignment: The service provider defines controlled areas within facilities where the information and information system reside.]; and (MP-4a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Physically controls and securely stores [FedRAMP Assignment: all types of digital and non-digital media with sensitive information] within [FedRAMP Assignment: The service provider defines controlled areas within facilities where the information and information system reside.]; and (MP-4a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Physically control and securely store [FedRAMP Assignment: all types of digital and non-digital media with sensitive information] within [FedRAMP Assignment: see additional FedRAMP requirements and guidance]; and (MP-4a., FedRAMP Security Controls High Baseline, Version 5)
  • Physically control and securely store [FedRAMP Assignment: all types of digital and non-digital media with sensitive information] within [FedRAMP Assignment: see additional FedRAMP requirements and guidance]; and (MP-4a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Media that contains Federal Tax Information (FTI) must be securely and physically stored in a controlled area. Removable media that contains FTI must undergo semiannual inventories. When media containing FTI is removed from the storage area, the removal must be recorded. Removable media containing F… (§ 3.2, § 4.6, § 5.6.10, § 6.3.2, Exhibit 4 MP-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Access to media storage areas should be restricted by either guard stations or automated mechanisms. Automated mechanisms should be configured to allow only authorized personnel access and should audit all attempts to enter the storage area, both failed and granted access. Test the automated mechan… (MP-2(1), MP-2.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Media assets include removable media and devices such as floppy disks, CDs, DVDs and USB memory sticks, as well as printed reports and documents. Physical security controls should address specific requirements for the safe and secure maintenance of these assets and provide specific guidance for tran… (§ 6.2.10 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When the media are stored onsite, what environmental controls are provided to preserve the media? (§ 5.1.2 ¶ 4 Bullet 9, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization physically controls and securely stores {organizationally documented types of digital and/or non-digital media} within {organizationally documented controlled areas}. (MP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization physically controls and securely stores {organizationally documented types of digital and/or non-digital media} within {organizationally documented controlled areas}. (MP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization physically controls and securely stores {organizationally documented types of digital and/or non-digital media} within {organizationally documented controlled areas}. (MP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and (MP-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business. (§ 6-1-1308 (5) ¶ 1, Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • Physically controls and securely stores [TX-RAMP Assignment: all types of digital and non-digital media with sensitive information] within [Assignment: organization-defined controlled areas]; and (MP-4a., TX-RAMP Security Controls Baseline Level 2)
  • When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within the entity and strictly for the purpose of carrying out studies and research and shall be kept in a controlled and secure environment, in accordance with secu… (Art. 13, Brazilian Law No. 13709, of August 14, 2018)