MP-01-727 Media Protection Policy and Procedures

MP-01-727
Media Protection Policy and Procedures
Media Protection
Protect
Media
LOW, MOD, HIGH
P1
Yes
May 20, 2016

Information resource owners and custodians shall ensure all media containing live, or erased but un-sanitized, Agency data is protected to a level commensurate with the highest classification of data stored on the media, as prescribed by the TAMUS Data Classification Standard.

Users of Agency-owned information resources shall utilize network and cloud-based file storage services to the extent possible, minimize the use of portable media to prevent inadvertent compromise due to ineffective handling procedures, and exercise care in the storage of sensitive information on workstations without a copy residing on Agency-owned enterprise file storage.

Under no circumstances may confidential information be stored on portable media without: (a) Agency-approved at-rest encryption, and (b) a duplicate copy of the information residing on Agency-owned enterprise file storage. Information resource owners shall be responsible for ensuring confidential information entrusted to their care is protected in accordance with this control catalog.

Media (e.g., documents, computer media (e.g. tapes, disks), input/output data, system documentation) is compromised by unauthorized parties due to ineffective handling procedures.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
   1. Media protection policy [Assignment: organization-defined frequency]; and
   2. Media protection procedures [Assignment: organization-defined frequency].
The organization has written, documented media protection policies and procedures in place.
The state organization has a policy that addresses media protection controls.
Obtain media protection policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents media protection policy and procedures.
(ii) the organization disseminates media protection policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review media protection policy and procedures.
(iv) the organization updates media protection policy and procedures when organizational review indicates updates are required.
(v) the media protection policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the media protection policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the media protection procedures address all areas identified in the media protection policy and address achieving policy-compliant implementations of all associated media protection controls.