MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
Control
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.
Supplemental Guidance
The media protection policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
Control Enhancements
None.
LOW
MOD
MP-1
HIGH
MP-1
MP-2 MEDIA ACCESS
Control
The organization ensures that only authorized users have access to information in printed form or on digital media removed from the information system.
Supplemental Guidance
None.
Control Enhancements
(1) Unless guard stations control access to media storage areas, the organization employs automated mechanisms to ensure only authorized access to such storage areas and to audit access attempts and access granted.
LOW
MP-2
MOD
MP-2
HIGH
MP-2 (1)
MP-3 MEDIA LABELING
Control
The organization affixes external labels to removable information storage media and information system output indicating the distribution limitations and handling caveats of the information. The organization exempts the following specific types of media or hardware components from labeling so long as they remain within a secure environment: [Assignment: organization-defined list of media types and hardware components].
Supplemental Guidance
The organization marks human-readable output appropriately in accordance with applicable policies and procedures. At a minimum, the organization affixes printed output that is not otherwise appropriately marked, with cover sheets and labels digital media with the distribution limitations, handling caveats, and applicable security markings, if any, of the information.
Control Enhancements
None.
LOW
Not Selected
MOD
MP-3
HIGH
MP-3
MP-4 MEDIA STORAGE
Control
The organization physically controls and securely stores information system media, both paper and digital, based on the highest FIPS 199 security category of the information recorded on the media.
Supplemental Guidance
The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. The organization protects unmarked media at the highest FIPS 199 security category for the information system until the media are reviewed and appropriately labeled.
Control Enhancements
None.
LOW
Not Selected
MOD
MP-4
HIGH
MP-5 MEDIA TRANSPORT
Control
The organization controls information system media (paper and digital) and restricts the pickup, receipt, transfer, and delivery of such media to authorized personnel.
Supplemental Guidance
None.
Control Enhancements
None.
LOW
Not Selected
MOD
MP-5
HIGH
MP-5
MP-6 MEDIA SANITIZATION
Control
The organization sanitizes information system digital media using approved equipment, techniques, and procedures. The organization tracks, documents, and verifies media sanitization actions and periodically tests sanitization equipment/procedures to ensure correct performance.
Supplemental Guidance
Sanitization is the process used to remove information from digital media such that information recovery is not possible. Sanitization includes removing all labels, markings, and activity logs. Sanitization techniques, including degaussing and overwriting memory locations, ensure that organizational information is not disclosed to unauthorized individuals when such media is reused or disposed. The National Security Agency maintains a listing of approved products at http://www.nsa.gov/ia/government/mdg.cfm with degaussing capability. The product selected is appropriate for the type of media being degaussed. NIST Special Publication 800-36 provides guidance on appropriate sanitization equipment, techniques and procedures.
Control Enhancements
LOW
Not Selected
MOD
MP-6
HIGH
MP-6
MP-7 MEDIA DESTRUCTION AND DISPOSAL
Control
The organization sanitizes or destroys information system digital media before its disposal or release for reuse, to prevent unauthorized individuals from gaining access to and using the information contained on the media.
Supplemental Guidance
The organization: (i) sanitizes information system hardware and machine-readable media using approved methods before being released for reuse; or (ii) destroys the hardware/media. Media destruction and disposal should be accomplished in an environmentally approved manner. The National Security Agency provides media destruction guidance at http://www.nsa.gov/ia/government/mdg.cfm. The organization destroys information storage media when no longer needed in accordance with organization-approved methods and organizational policy and procedures. The organization tracks, documents, and verifies media destruction and disposal actions. The organization physically destroys nonmagnetic (optical) media (e.g., compact disks, digital video disks) in a safe and effective manner. NIST Special Publication 800-36 provides guidance on appropriate sanitization equipment, techniques and procedures.
Control Enhancements
None.
LOW
MP-7
MOD
MP-7
HIGH
PEOPLE FIND THIS PAGE BY THIS WORDS:
media protection policy and procedures;
{ 3 comments… read them below or add one }
i had my 1TB hard drive crashed and data recovery was horrendously expensive;~,
of course data entry services are very expensive that is why always make a backup of your files .:*
You absolutely right.. always backup your data to DVD and other media regularly, but it easy to say hard to do..