| Field | Value |
|---|---|
| Source | Azure Portal |
| Display name | Microsoft Managed Control 1433 - Media Transport |
| Id | 5b879b41-2728-41c5-ad24-9ee2c37cbe65 |
| Version | 1.0.0 |
| Versioning | Versions supported: 0 (Built-in Versioning [Preview]) |
| Category | Regulatory Compliance |
| Description | Microsoft implements this Media Protection control |

Additional metadata
Name/Id: ACF1433 / Microsoft Managed Control 1433
Category: Media Protection
Title: Media Transport - Protection During Transport
Ownership: Microsoft

Description: The organization protects and controls digital media assets (see inventory) during transport outside of controlled areas, using SafeNet KeySecure to manage cryptographic keys with a FIPS 140-2 Level 3 validated encryption module (cert# 1694) and HSM (cert# 1178) to secure AES 256-bit encrypted data on the magnetic tapes.

Requirements: Digital media at Azure datacenters consists of servers, network devices, and magnetic tapes. Azure datacenters do not use non-digital media. Azure uses secure transport and data deletion to protect media that is transported outside the datacenter. All media transported from Azure datacenters requires accurate tracking: tickets are created to arrange and track the transportation of media, and Azure has contracted with several approved vendors to provide secure shipping services.

Secure transport begins with an accurate inventory and chain of custody. Authorized asset managers are required to manage the exchange of assets, and assets are inventoried at the time of delivery to the transporter. Requirements for transporting an asset are defined according to its asset classification and data classification; if data is required to remain intact on the asset, an approved policy exception request is required. The asset manager must witness the container being locked and a tamper-proof seal applied. Secure transport can carry additional requirements, such as a dedicated transport carrying only Microsoft assets, GPS tracking, and stopping only at Microsoft locations. For longer transport routes, the requirement may be multiple drivers and trucks with sleeping quarters to provide non-stop delivery. At the delivery location, the transport company's approved personnel must be present to witness the removal of the tamper-proof seal and the unlocking of the container.

The receiving personnel inventory the shipment and send a message confirming receipt of the assets. This inventory is validated by the Microsoft asset manager. Azure contracts with a vendor to provide equipment destruction, and all assets are required to be destroyed onsite. Azure assets are cleansed/purged with methods consistent with NIST SP 800-88 prior to reuse. Prior to cleansing or destruction, an inventory is created by Datacenter Logistics. If a vendor is used for destruction, the vendor provides a certificate of destruction for each asset destroyed, which is validated by the asset manager.
| Field | Value |
|---|---|
| Mode | Indexed |
| Type | Static |
| Preview | False |
| Deprecated | False |
| Effect | Fixed audit |
| RBAC role(s) | none |
| Rule aliases | none |
| Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups |
| Compliance | Not a Compliance control |
| Initiatives usage | none |
| History | none |