Establish, implement, and maintain removable storage media controls.


CONTROL ID
06680
CONTROL TYPE
Data and Information Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets., CC ID: 00718

This Control has the following implementation support Control(s):
  • Control access to restricted storage media., CC ID: 04889
  • Physically secure all electronic storage media that store restricted data or restricted information., CC ID: 11664
  • Separate duplicate originals and backup media from the original electronic storage media., CC ID: 00961
  • Treat archive media as evidence., CC ID: 00960
  • Log the transfer of removable storage media., CC ID: 12322
  • Establish, implement, and maintain storage media access control procedures., CC ID: 00959
  • Control the storage of restricted storage media., CC ID: 00965
  • Serialize all removable storage media., CC ID: 00949


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • There should be secure storage of media. Controls could include physical and environmental controls such as fire and flood protection, limiting access by means like physical locks, keypad, passwords, biometrics, etc., labelling, and logged access. Management should establish access controls to limit… (Critical components of information security 15) v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information. (Security Control: 0457; Revision: 5, Australian Government Information Security Manual, March 2021)
  • The organization should control removable media and portable media as part of its data loss prevention strategy. (Mitigation Strategy Effectiveness Ranking 29, Strategies to Mitigate Targeted Cyber Intrusions)
  • The entity has policies and procedures in place that address the physical protection of information and system and data storage devices and removable media. The policies and procedures include the handling and secure operation of such devices, and their removal from service, the removal of informati… (S7.2 Physical protection of information on storage media, Privacy Management Framework, Updated March 1, 2020)
  • Physically secure all media. (9.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Verify that procedures for protecting cardholder data include controls for physically securing all media (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes). (9.5, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually. (DCS-04, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable autho… (DCS-02, Cloud Controls Matrix, v4.0)
  • The organization's removable media and mobile devices are protected and use is restricted according to policy. (PR.PT-2.1, CRI Profile, v1.2)
  • Removable media is protected and its use restricted according to policy. (PR.PT-2, CRI Profile, v1.2)
  • The organization's removable media and mobile devices are protected and use is restricted according to policy. (PR.PT-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should verify that controls exist to create, transfer, store, and dispose of backup and recovery media that contains personal information. (Table Ref 8.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Is there a removable media policy or program (compact disks, digital video disks, tapes, disk drives) that has been approved by management? (§ G.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Control the use of removable media on system components. (MP.2.121, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Control the use of removable media on system components. (MP.2.121, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Limit use of portable storage devices on external systems. (AC.2.006, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Control the use of removable media on system components. (MP.2.121, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Control the use of removable media on system components. (MP.2.121, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Limit use of portable storage devices on external systems. (AC.2.006, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Limit use of portable storage devices on external systems. (AC.L2-3.1.21 Portable Storage Use, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Control the use of removable media on system components. (MP.L2-3.8.7 Removable Media, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Restrict the use of digital and non-digital media on agency owned systems that have been approved for use in the storage, processing, or transmission of criminal justice information by using technical, physical, or administrative controls (examples below); and (§ 5.8 MP-7a., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Secures or removes external drives and portable media from system consoles, terminals, or PCs running terminal emulations, residing outside of physically secure locations. (App A Objective 6.21.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. (AC-20(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and (MP-7a., FedRAMP Security Controls High Baseline, Version 5)
  • [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and (MP-7a., FedRAMP Security Controls Low Baseline, Version 5)
  • Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. (AC-20(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and (MP-7a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. (AC-20(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and (MP-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and (MP-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. (AC-20(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and (MP-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Removable media is protected and its use restricted according to policy (PR.PT-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Removable media is protected and its use restricted according to policy (PR.PT-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Removable media is protected and its use restricted according to policy. (PR.PT-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Removable media is protected and its use restricted according to policy. (PR.PT-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must control the use of writeable, removable media. (SG.AC-17 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Limit use of organizational portable storage devices on external information systems. (3.1.21, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Control the use of removable media on information system components. (3.8.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Control the use of removable media on system components. (3.8.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Limit use of organizational portable storage devices on external systems. (3.1.21, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Control the use of removable media on system components. (3.8.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Limit use of portable storage devices on external systems. (3.1.21, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should limit the use of organization-controlled portable storage media by authorized individuals on external information systems. (App F § AC-20(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should restrict the use of writable, removable media in Information Systems. (App F § AC-19(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should prohibit the use of removable media in Information Systems when the media owner is not identifiable. (App F § AC-19(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should not be allowed to introduce removable media into the system. (App F § SI-3(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization {restricts or prohibits} the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization {restricts or prohibits} the use of {organizationally documented types of information system media} on {organizationally documented information systems or system components} using {organizationally documented security safeguards}. (MP-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization {restricts or prohibits} the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization {restricts or prohibits} the use of {organizationally documented types of information system media} on {organizationally documented information systems or system components} using {organizationally documented security safeguards}. (MP-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization {restricts or prohibits} the use of {organizationally documented types of information system media} on {organizationally documented information systems or system components} using {organizationally documented security safeguards}. (MP-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization {restricts or prohibits} the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization {restricts or prohibits} the use of {organizationally documented types of information system media} on {organizationally documented information systems or system components} using {organizationally documented security safeguards}. (MP-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. (AC-20(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and (MP-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems. (AC-20(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. (AC-20(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and (MP-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems. (AC-20(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control, TX-RAMP Security Controls Baseline Level 1)
  • The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. (AC-20(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. (MP-7 Control, TX-RAMP Security Controls Baseline Level 2)