Policies Section

Media Protection Controls (from NIST)

This media protection control list and its descriptions are meant to tie media protection controls to an activity or behavior. For NIST's descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

  • Media protection policy and procedures - Roles, responsibilities, scope and compliance are addressed in media protection policy and procedures covering media access, labeling, storage, transport, information removal and/or destruction or disposal. The policy should cover all media including backup tapes or other media. (low)
  • Media access - Only authorized users are allowed to have access to specific media depending on need and data sensitivity level. (low)
  • Media labeling - Labeling must indicate the limits to distribution and how the media should be handled. The labeling may indicate the maximum level of data sensitivity on the media. It should be difficult or impossible to switch labels on media, or the areas where media of different sensitivity are stored must be secured against anyone who does not hold the access level of the most sensitive media stored there. (moderate)
  • Media storage - The media is stored and controlled based on the highest security category recorded on the label of the media. (moderate)
  • Media transport - Only authorized personnel should be able to transport the media. (moderate)
  • Media sanitization - Media sanitization is the permanent erasure of data on the media. The erasure must ensure that the data cannot be recovered, even using advanced technologies. Labels on the media are removed. Sanitization equipment or software must be periodically tested, and media sanitization is verified and documented. (moderate)
  • Media destruction and disposal - Media containing any sensitive data that is to be disposed of must be sanitized or destroyed using a method that prevents any data on the media from being read. (low)