The following compliance controls are associated with the Policy definition 'Restrict media use' (6122970b-8d4a-7811-0278-4c6c68f61e4f).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | MP-7 | FedRAMP_High_R4_MP-7 | FedRAMP High MP-7 | Media Protection | Media Use | Shared | n/a | The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. References: None. | link | 4 |
| FedRAMP_High_R4 | MP-7(1) | FedRAMP_High_R4_MP-7(1) | FedRAMP High MP-7 (1) | Media Protection | Prohibit Use Without Owner | Shared | n/a | The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. | link | 4 |
| FedRAMP_Moderate_R4 | MP-7 | FedRAMP_Moderate_R4_MP-7 | FedRAMP Moderate MP-7 | Media Protection | Media Use | Shared | n/a | The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. References: None. | link | 4 |
| FedRAMP_Moderate_R4 | MP-7(1) | FedRAMP_Moderate_R4_MP-7(1) | FedRAMP Moderate MP-7 (1) | Media Protection | Prohibit Use Without Owner | Shared | n/a | The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. | link | 4 |
| hipaa | 0301.09o1Organizational.123-09.o | hipaa-0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o | 03 Portable Media Security | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Shared | n/a | The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. | | 14 |
| hipaa | 0302.09o2Organizational.1-09.o | hipaa-0302.09o2Organizational.1-09.o | 0302.09o2Organizational.1-09.o | 03 Portable Media Security | 0302.09o2Organizational.1-09.o 09.07 Media Handling | Shared | n/a | The organization protects and controls media containing sensitive information during transport outside of controlled areas. | | 6 |
| hipaa | 0303.09o2Organizational.2-09.o | hipaa-0303.09o2Organizational.2-09.o | 0303.09o2Organizational.2-09.o | 03 Portable Media Security | 0303.09o2Organizational.2-09.o 09.07 Media Handling | Shared | n/a | Digital and non-digital media requiring restricted use, and the specific safeguards used to restrict their use, are identified. | | 6 |
| hipaa | 0304.09o3Organizational.1-09.o | hipaa-0304.09o3Organizational.1-09.o | 0304.09o3Organizational.1-09.o | 03 Portable Media Security | 0304.09o3Organizational.1-09.o 09.07 Media Handling | Shared | n/a | The organization restricts the use of writable removable media and personally-owned removable media in organizational systems. | | 8 |
| hipaa | 0305.09q1Organizational.12-09.q | hipaa-0305.09q1Organizational.12-09.q | 0305.09q1Organizational.12-09.q | 03 Portable Media Security | 0305.09q1Organizational.12-09.q 09.07 Media Handling | Shared | n/a | Media is labeled, encrypted, and handled according to its classification. | | 7 |
| hipaa | 0429.01x1System.14-01.x | hipaa-0429.01x1System.14-01.x | 0429.01x1System.14-01.x | 04 Mobile Device Security | 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking | Shared | n/a | The organization prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting). | | 7 |
| hipaa | 0916.09s2Organizational.4-09.s | hipaa-0916.09s2Organizational.4-09.s | 0916.09s2Organizational.4-09.s | 09 Transmission Protection | 0916.09s2Organizational.4-09.s 09.08 Exchange of Information | Shared | n/a | The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices. | | 7 |
| hipaa | 1022.01d1System.15-01.d | hipaa-1022.01d1System.15-01.d | 1022.01d1System.15-01.d | 10 Password Management | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements. | | 8 |
| hipaa | 19142.06c1Organizational.8-06.c | hipaa-19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c | 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Shared | n/a | Guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information. | | 9 |
| ISO27001-2013 | A.8.1.2 | ISO27001-2013_A.8.1.2 | ISO 27001:2013 A.8.1.2 | Asset Management | Ownership of assets | Shared | n/a | Assets maintained in the inventory shall be owned. | link | 7 |
| ISO27001-2013 | A.8.2.3 | ISO27001-2013_A.8.2.3 | ISO 27001:2013 A.8.2.3 | Asset Management | Handling of assets | Shared | n/a | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | link | 26 |
| ISO27001-2013 | A.8.3.1 | ISO27001-2013_A.8.3.1 | ISO 27001:2013 A.8.3.1 | Asset Management | Management of removable media | Shared | n/a | Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. | link | 6 |
| | mp.info.6 Backups | mp.info.6 Backups | 404 not found | | | | n/a | n/a | | 65 |
| | mp.si.3 Custody | mp.si.3 Custody | 404 not found | | | | n/a | n/a | | 27 |
| | mp.si.4 Transport | mp.si.4 Transport | 404 not found | | | | n/a | n/a | | 24 |
| | mp.si.5 Erasure and destruction | mp.si.5 Erasure and destruction | 404 not found | | | | n/a | n/a | | 9 |
| NIST_SP_800-171_R2 | 3.8.7 | NIST_SP_800-171_R2_3.8.7 | NIST SP 800-171 R2 3.8.7 | Media Protection | Control the use of removable media on system components. | Shared | Microsoft is responsible for implementing this requirement. | In contrast to requirement 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices. | link | 4 |
| NIST_SP_800-171_R2 | 3.8.8 | NIST_SP_800-171_R2_3.8.8 | NIST SP 800-171 R2 3.8.8 | Media Protection | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Shared | Microsoft is responsible for implementing this requirement. | Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code). | link | 4 |
| NIST_SP_800-53_R4 | MP-7 | NIST_SP_800-53_R4_MP-7 | NIST SP 800-53 Rev. 4 MP-7 | Media Protection | Media Use | Shared | n/a | The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. References: None. | link | 4 |
| NIST_SP_800-53_R4 | MP-7(1) | NIST_SP_800-53_R4_MP-7(1) | NIST SP 800-53 Rev. 4 MP-7 (1) | Media Protection | Prohibit Use Without Owner | Shared | n/a | The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. | link | 4 |
| NIST_SP_800-53_R5 | MP-7 | NIST_SP_800-53_R5_MP-7 | NIST SP 800-53 Rev. 5 MP-7 | Media Protection | Media Use | Shared | n/a | a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. | link | 4 |
| | op.exp.1 Asset inventory | op.exp.1 Asset inventory | 404 not found | | | | n/a | n/a | | 40 |
| | op.pl.2 Security Architecture | op.pl.2 Security Architecture | 404 not found | | | | n/a | n/a | | 65 |
| | org.4 Authorization process | org.4 Authorization process | 404 not found | | | | n/a | n/a | | 126 |