NIST 800-171 - Media Access (3.8.2)


Overview:
Limit access to CUI on information system media to authorized users.


Action Items:
3.8.2[a]
Determine if: access to CUI on system media is limited to authorized users.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; system security plan; system media; designated controlled areas; other relevant documents or records.

2) Interview: Personnel with system media protection and storage responsibilities; personnel with information security responsibilities.

3) Test: Organizational processes for storing media; mechanisms supporting or implementing secure media storage and media protection.


Related Documents (document name and content will vary by organization):
1) System media protection policy
2) Procedures addressing media storage
3) Physical and environmental protection policy and procedures
4) Access control policy and procedures
5) System security plan
6) System media
7) Designated controlled areas
8) Other relevant documents or records


Additional Guidance:
System media includes digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external or removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library.

 



Article ID: 170
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-media-access-3-8-2-170.html