Back

Establish, implement, and maintain a media protection policy.


CONTROL ID
14029
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets., CC ID: 00718

This Control has the following implementation support Control(s):
  • Include compliance requirements in the media protection policy., CC ID: 14185
  • Include coordination amongst entities in the media protection policy., CC ID: 14184
  • Include management commitment in the media protection policy., CC ID: 14182
  • Include roles and responsibilities in the media protection policy., CC ID: 14180
  • Include the scope in the media protection policy., CC ID: 14167
  • Include the purpose in the media protection policy., CC ID: 14166
  • Disseminate and communicate the media protection policy to interested personnel and affected parties., CC ID: 14165
  • Establish, implement, and maintain media protection procedures., CC ID: 14062


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • A media management policy is developed, implemented and maintained. (Control: ISM-1549; Revision: 1, Australian Government Information Security Manual, June 2023)
  • A media management policy is developed, implemented and maintained. (Control: ISM-1549; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Documented. (9.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • In use. (9.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 9 are managed in accordance with all elements specified in this requirement. (9.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media. (§ 5.8 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Agency-level media protection policy that: (§ 5.8 MP-1a.1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (§ 5.8 MP-1a.1(b), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Policy at least annually and following any security incidents involving digital and/or non-digital media; and (§ 5.8 MP-1c.1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Media protection policy [FedRAMP Assignment: at least annually]; and (MP-1b.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Media protection policy [FedRAMP Assignment: at least every 3 years]; and (MP-1b.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Media protection policy [FedRAMP Assignment: at least every 3 years]; and (MP-1b.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (MP-1c.1., FedRAMP Security Controls High Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), FedRAMP Security Controls Low Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (MP-1c.1., FedRAMP Security Controls Low Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (MP-1c.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (MP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (MP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (MP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (MP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (MP-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (MP-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (MP-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (MP-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (MP-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Selection (one or more): organization-level; mission/business process-level; system- level] media protection policy that: (MP-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (MP-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Media protection policy [Assignment: organization-defined frequency]; and (MP-1b. ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., TX-RAMP Security Controls Baseline Level 1)
  • Media protection policy [TX-RAMP Assignment: at least every 3 years]; and (MP-1b.1., TX-RAMP Security Controls Baseline Level 1)
  • A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (MP-1a.1., TX-RAMP Security Controls Baseline Level 2)
  • Media protection policy [TX-RAMP Assignment: at least every 3 years]; and (MP-1b.1., TX-RAMP Security Controls Baseline Level 2)