Media handling controls should be implemented to protect organizations from the risks associated with the loss of confidentiality, integrity, or availability of media.
These controls should be implemented based on the organization’s asset classification process. The handling and protection of media is the focus of pitfall #25 in my eBook, 100 Security Program Pitfalls and Prescriptions to Avoid Them.
Even though electronic data transfer solutions have reduced the use of physical media in many organizations, legacy media may still exist. Access to and use of media should be restricted to authorized personnel only. Your organization should ensure that controls for the management of removable media, including removable media used with laptops, are established and enforced. This should include restrictions on the types of media that are permitted to be used, along with acceptable use requirements.
Media that contain sensitive or protected information (e.g., PII, PHI, CUI, FCI, or other non-public data) should be securely stored at all times. The data on this media should be encrypted in accordance with internal security controls and regulatory requirements until the media are destroyed or sanitized. Media containing sensitive data, whether or not that data is encrypted, should be documented in the asset inventory.
Media should be physically controlled and securely stored within organization-controlled areas. During transport outside of controlled areas, media must be protected using the security safeguards defined by policy. Activities associated with the transport of media should be documented and limited to authorized personnel only. System media should be marked with appropriate classification markings that indicate the pre-defined distribution limitations, handling requirements, and applicable security controls (if any) for the information it contains. Media may be exempted from this marking if it always remains within organization-controlled areas. Your organization should keep business continuity and recovery sites in mind when addressing these control requirements for media.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.