Organizations are susceptible to a significant physical data security incident or data breach if physical data and media containing sensitive data (e.g., PII, PHI, confidential, other non-public data) are not appropriately protected while in transit.
Even though physical media use is declining as electronic data transfers become more commonplace, any existing physical data and media should be protected if being transferred outside of the organization’s control. This protection is the focus of pitfall #47 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Media containing information needs to be protected against unauthorized access, misuse, and corruption during transportation beyond the organization’s physical boundaries. Media should be encrypted prior to being moved off-site. A list of authorized couriers, approved by management, should be maintained. Contractual requirements with transport providers should incorporate the necessary risk-based controls, including processes to check the identification of courier personnel.
Controls should be in place to protect information from unauthorized disclosure or modification, including at least one of the following protective measures:
- The use of locked containers
- Delivery by hand
- Tamper-evident packaging that reveals any attempt to gain access
- Splitting the consignment into segments and dispatching delivery by different routes
A complete inventory of all physical data and media that is transferred outside of the organization should be maintained. If an off-site archiving or long-term storage provider is being used, your organization should require the provider to submit an inventory of your media on a recurring basis. Additionally, the security controls in place at the provider’s facility should be tested at least annually.
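The inventory and courier controls described above, as an added example that is not from the eBook or this post: a small reconciliation routine that compares the organization's outbound media register with the inventory a storage provider submits, and flags media missing at the provider, media the provider holds that was never logged, and transfers that left unencrypted or with a courier not on the approved list. All record fields, media identifiers, provider and courier names are constructed for illustration.

```python
from dataclasses import dataclass

# Couriers approved by management (constructed list; in practice maintained per the page's guidance).
AUTHORIZED_COURIERS = {"CourierA", "CourierB"}


@dataclass(frozen=True)
class Transfer:
    """One entry in the organization's register of media sent off-site (field names are assumed)."""
    media_id: str
    encrypted: bool   # media encrypted before leaving the site?
    courier: str
    destination: str  # provider the media was shipped to


def check_transfer(t: Transfer) -> list[str]:
    """Return policy violations for a single outbound transfer record."""
    issues = []
    if not t.encrypted:
        issues.append(f"{t.media_id}: not encrypted before leaving site")
    if t.courier not in AUTHORIZED_COURIERS:
        issues.append(f"{t.media_id}: courier {t.courier!r} not on approved list")
    return issues


def reconcile(register: list[Transfer], provider_inventory: set[str], provider: str) -> dict:
    """Compare media recorded as sent to `provider` against the inventory the provider reports."""
    sent_to_provider = [t for t in register if t.destination == provider]
    sent_ids = {t.media_id for t in sent_to_provider}
    return {
        # We recorded sending it, but the provider does not list it: possible loss in transit or at rest.
        "missing_at_provider": sorted(sent_ids - provider_inventory),
        # The provider lists it, but our register has no record: an unrecorded transfer to investigate.
        "unrecorded_at_provider": sorted(provider_inventory - sent_ids),
        "policy_issues": [issue for t in sent_to_provider for issue in check_transfer(t)],
    }


# Constructed sample input: our register and the provider's periodic inventory report.
REGISTER = [
    Transfer("TAPE-0001", True, "CourierA", "ArchiveCo"),
    Transfer("TAPE-0002", False, "CourierA", "ArchiveCo"),
    Transfer("TAPE-0003", True, "UnknownVan", "ArchiveCo"),
    Transfer("HDD-0100", True, "CourierB", "OtherVault"),
]
PROVIDER_REPORT = {"TAPE-0001", "TAPE-0003", "TAPE-0099"}

if __name__ == "__main__":
    for category, items in reconcile(REGISTER, PROVIDER_REPORT, "ArchiveCo").items():
        print(category)
        for item in items:
            print("  -", item)
```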
An independent attestation of the effectiveness of the provider's controls should be documented in an annual report. This annual report should be provided to your organization upon request to ensure physical media remains protected. This should be included as part of your organization’s due diligence program for vendors and providers.