Establish, implement, and maintain media protection procedures.


CONTROL ID: 14062
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a media protection policy., CC ID: 14029

This Control has the following implementation support Control(s):
  • Disseminate and communicate the media protection procedures to interested personnel and affected parties., CC ID: 14186


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • It is necessary to store important printed forms in designated places. The forms used in the event of failure or disaster are preferably stored in a proper cabinet with a lock and key in a fire preventive section. If no fire preventive section is available, store data files in a fireproof safe or fi… (P68.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Media is handled in a manner suitable for its sensitivity or classification. (Control: ISM-0831; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification. (Control: ISM-0337; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Media is handled in a manner suitable for its sensitivity or classification. (Control: ISM-0831; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification. (Control: ISM-0337; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Documented. (9.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • In use. (9.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 9 are managed in accordance with all elements specified in this requirement. (9.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (9.1.1 Bullet 1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (9.1.1 Bullet 2, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (9.1.1 Bullet 3, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media. (§ 5.8 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (§ 5.8 MP-1a.2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Procedures at least annually and following any security incidents involving digital and/or non-digital media. (§ 5.8 MP-1c.2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Media protection procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. (MP-1b.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Media protection procedures [FedRAMP Assignment: at least annually]. (MP-1b.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Media protection procedures [FedRAMP Assignment: at least annually]. (MP-1b.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (MP-1c.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (MP-1c.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (MP-1c.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (MP-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (MP-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (MP-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (MP-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (MP-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (MP-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (MP-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (MP-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; (MP-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Media protection procedures [Assignment: organization-defined frequency]. (MP-1b. ¶ 1 1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., TX-RAMP Security Controls Baseline Level 1)
  • Media protection procedures [TX-RAMP Assignment: at least annually]. (MP-1b.2., TX-RAMP Security Controls Baseline Level 1)
  • Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and (MP-1a.2., TX-RAMP Security Controls Baseline Level 2)
  • Media protection procedures [TX-RAMP Assignment: at least annually]. (MP-1b.2., TX-RAMP Security Controls Baseline Level 2)