Control
Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization.
Implementation guidance
Procedures should be drawn up for handling, processing, storing and communicating information consistent with its classification (see 8.2.1).
The following items should be considered:
a) access restrictions supporting the protection requirements for each level of classification;
b) maintenance of a formal record of the authorized recipients of assets;
c) protection of temporary or permanent copies of information to a level consistent with the protection of the original information;
d) storage of IT assets in accordance with manufacturers’ specifications;
e) clear marking of all copies of media for the attention of the authorized recipient.
The classification scheme used within the organization may not be equivalent to the schemes used by other organizations, even if the names for levels are similar; in addition, information moving between organizations can vary in classification depending on its context in each organization, even if their classification schemes are identical.
Agreements with other organizations that include information sharing should include procedures to identify the classification of that information and to interpret the classification labels from other organizations.
8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
8.3.1 Management of removable media
Control
Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
Implementation guidance
The following guidelines for the management of removable media should be considered:
a) if no longer required, the contents of any re-usable media that are to be removed from the organization should be made unrecoverable;
b) where necessary and practical, authorization should be required for media removed from the organization and a record of such removals should be kept in order to maintain an audit trail;
c) all media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications;
d) if data confidentiality or integrity are important considerations, cryptographic techniques should be used to protect data on removable media;
e) to mitigate the risk of media degrading while stored data are still needed, the data should be transferred to fresh media before becoming unreadable;
This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate or complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
f) multiple copies of valuable data should be stored on separate media to further reduce the risk of coincidental data damage or loss;
g) registration of removable media should be considered to limit the opportunity for data loss;
h) removable media drives should only be enabled if there is a business reason for doing so;
i) where there is a need to use removable media the transfer of information to such media should be monitored.
Procedures and authorization levels should be documented.
The media protection policy and procedures are consistent with applicable laws, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular IACS, when required.
8.3.2 Disposal of media
Control
Media should be disposed of securely when no longer required, using formal procedures.
Implementation guidance
Formal procedures for the secure disposal of media should be established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for secure disposal of media containing confidential information should be proportional to the sensitivity of that information. The following items should be considered:
a) media containing confidential information should be stored and disposed of securely, e.g. by incineration or shredding, or erasure of data for use by another application within the organization;
b) procedures should be in place to identify the items that might require secure disposal;
c) it may be easier to arrange for all media items to be collected and disposed of securely, rather than attempting to separate out the sensitive items;
d) many organizations offer collection and disposal services for media; care should be taken in selecting a suitable external party with adequate controls and experience;
e) disposal of sensitive items should be logged in order to maintain an audit trail.
When accumulating media for disposal, consideration should be given to the aggregation effect, which can cause a large quantity of non-sensitive information to become sensitive.
Other Information
Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded (see 11.2.7).
8.3.3 Physical media transfer
Control
Media containing information should be protected against unauthorized access, misuse or corruption during transportation.
Implementation guidance
The following guidelines should be considered to protect media containing information being transported:
a) reliable transport or couriers should be used;
b) a list of authorized couriers should be agreed with management;
c) procedures to verify the identification of couriers should be developed;
d) packaging should be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with any manufacturers’ specifications, for example protecting against any environmental factors that may reduce the media’s restoration effectiveness such as exposure to heat, moisture or electromagnetic fields. Physical and technical security measures for the protection of digital and non-digital media are approved by the organization, commensurate with the $S_{system}^{target}$ categorization of the information residing on the media, and consistent with applicable laws, directives, policies, regulations, standards, and guidance. Cryptographic mechanisms can provide confidentiality and/or integrity protections depending upon the mechanisms used.
e) logs should be kept, identifying the content of the media, the protection applied as well as recording the times of transfer to the transit custodians and receipt at the destination.
f) The organization employs an identified custodian at all times to transport IACS media. Organizations establish documentation requirements for activities associated with the transport of IACS media in accordance with the organizational assessment of risk.
IACS media includes both digital media (e.g., diskettes, tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or IACS. This requirement also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones) that are transported outside of controlled areas. Telephone systems are also considered IACS and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other IACS, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas.
An organizational assessment of risk guides the selection of media and associated information contained on that media requiring protection during transport. Organizations document in policy and procedures, the media requiring protection during transport and the specific measures taken to protect such transported media. The rigor with which this requirement is applied is commensurate with the $S_{system}^{target}$ categorization of the information contained on the media. An organizational assessment of risk also guides the selection and use of appropriate storage containers for transporting non-digital media.
Other Information
Information can be vulnerable to unauthorized access, misuse or corruption during physical transport, for instance when sending media via the postal service or via courier. In this control, media include paper documents.
When confidential information on media is not encrypted, additional physical protection of the media should be considered.