Information stored in physical media may be disclosed to or altered by unauthorized parties while being physically transported.
The organization:
a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel.
The agency employee protection mechanisms during the transportation of media, such locks, secured bins, etc.
No statewide control
Obtain information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; audit records; access control policy and procedures; security plan; list of organization-defined personnel authorized to transport information system media outside of controlled areas; information system media; information system media transport records; information system audit records; other relevant documents or records and ascertain if :
(I)the organization identifies personnel authorized to transport information system media outside of controlled areas.
(ii)the organization documents, in policy and procedures, the media requiring protection during transport and the specific measures taken to protect such transported media.
(iii)the organization protects and controls information system media during transport outside of controlled areas.
(iv)the organization restricts the activities associated with transport of information system media to authorized personnel.
(v)the organization defines in the security plan, explicitly or by reference, a system of records for documenting activities associated with the transport of information system media.
(vi)the organization documents, where appropriate, activities associated with the transport of information system media using the organization-defined system of records.
(vii)the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
