OVERVIEW (MP-1)

This document addresses the procedures and standards set forth to implement the family of Media Protection controls.

MEDIA ACCESS (MP-2)

Removable media takes many forms today (jump drives, flash memory storage, portable storage devices, etc.). Removable media is personal, removable, and portable which introduces risk into the organization whenever it is used to store sensitive information. Aside from the chance for loss and theft, removable media format storage is a well-known source of malware infections and has been directly tied to the loss of information.

This policy is established to minimize the risk of loss or exposure of sensitive data as well as reducing exposure to external sources of malware and virus exploits.

The Change Management Process shall be used to request use of removable media (See Exception Policy below).

MEDIA SANITIZATION (MP-6)

The organization sanitizes all removable media prior to disposal, release out of organizational control, or release for reuse using deep delete tools (Reference NIST SP 800-88) in accordance with applicable federal and organizational standards and policies.

MEDIA USE (MP-7)

Rules:

  • Removable media storage of any kind of are disallowed in any form or function within our server environment.
  • Removable media shall not be used (e.g. attached to work computers for storage of any customer information).
  • Exceptions to this policy shall be considered only in unique and rare cases. These requests shall require written approval of the CISO (Chief Information Security Officer) and be granted only for justifiable business purposes.

Exception Policy

  • Removable media shall be scanned for malware/viruses prior to use.
  • A support ticket shall be logged specifying the length of time that the required media can be used. If additional time is required, written approval must be obtained from the CISO.
  • Prior to closing the exception ticket, data from the removable media must be deep deleted (using commercially recognized means).
  • Removable media (used for the exception) may never be connected to, or used, in personal or home computers.
  • Data files shall be password protected before transfer to removable media (whenever possible)
  • When in transit, sensitive data stored on removable media must not be left unattended and must remain in an authorized employee’s physical control at all times.

AUDIT

  • Annual Management Review (MR002) includes review of this policy.