Media Protection Program

Media Protection Program Version 1.0 November 2017

TABLE OF CONTENTS

1.1 SCOPE
1.2 PRINCIPLES
1.3 REVISIONS
2.1 OBJECTIVE
3.1 PROGRAM DETAILS
3.2 MEDIA STORAGE AND ACCESS
3.3 MEDIA TRANSPORT
3.4 MEDIA SANITIZATION
3.5 REMOVABLE MEDIA
4.1 MANDATORY CONTROLS
5.1 DISCRETIONARY CONTROLS
6.1 REFERENCES
7.1 DEFINITIONS

Effective Date: 11/27/2017 Last Review: 11/27/2017 Next Review: 11/2018

1.1 SCOPE

This program applies to all users and all information technology (IT) resources owned, operated, or provided by the University of Tennessee at Martin (UTM), including its remote centers. Users include but are not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the university's information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties.

1.2 PRINCIPLES

UTM has chosen to adopt the policy principles established in the National Institute of Standards and Technology (NIST) 800 series of publications, and this program is based on those guidelines. Specifically, this program is based on the Media Protection control family found in NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The Position of Authority should be at a high enough organizational level to allow him/her to speak with authority on and for the Campus.

UTM must develop or adopt, and adhere to, a program that demonstrates compliance with related policies and standards. This program is the responsibility of the Position of Authority.

Each User of University resources is required to be familiar with and comply with University policies. Acceptance of University policy is assumed if a User accesses, uses, or handles University IT resources.

1.3 REVISIONS

Date        Action                                                          Name
11/10/2014  Created (0.1)                                                   Will Turner
11/14/2014  Revised (0.2)
11/20/2014  Reformatted University template (0.3)
01/16/2015  Reformatted to new University template (0.4)
01/20/2015  Made corrections per Amy (0.5)
03/10/2015  Changed wording (0.6)
06/22/2016  Reformatted to newer UTSA template; wording (0.7)               Brian Stubblefield
07/27/2016  Changed title, added reference to sanitization policy (0.8)
11/28/2016  Recommendations by Mark, new template, layout, contents (0.9)
02/03/2017  Finalize contents for review (0.10)
8/22/2017   Multiple changes to content and/or formatting (0.11)
8/23/2017   Recommended changes, CoP updates (0.12)
09/18/2017  Updates to controls, wording, and document versioning (0.13)
10/25/2017  Suggested changes from Amy (0.14)
11/07/2017  Changed definition for PII (0.15)
11/27/2017  Approved (1.0)

2.1 OBJECTIVE

The purpose of this program is to manage risks from media access, media storage, media transport, and media protection through the establishment of an effective Media Protection Program (MP-1). This program allows UTM to comply with University requirements and ensures the effective management of all media containing sensitive information, from inception through disposal.

3.1 PROGRAM DETAILS

This program provides reasonable assurance, in proportion to the sensitivity of the data, that media containing Sensitive Information is protected from unauthorized access and is sanitized or destroyed before disposal, reuse, or release out of organizational control. All policy-related standards and procedures must be consistent with applicable laws, regulations, and guidance. This program, all associated standards and procedures, and the effectiveness of their implementation must be reviewed annually and updated as needed (MP-1).

3.2 MEDIA STORAGE AND ACCESS

All departments must physically control and securely store Sensitive Media within secure areas using physical security controls and safeguards until the media is destroyed or sanitized (MP-4). Sensitive Media should never be left unattended (e.g. on a desk or printer, in a lab, etc.). Access to Sensitive Media must be restricted to authorized personnel (MP-2).

3.3 MEDIA TRANSPORT

Strong encryption is required to protect the confidentiality and integrity of Sensitive Media during transport outside of controlled areas. Activities associated with the transport of such media must be restricted to authorized personnel (MP-5).

3.4 MEDIA SANITIZATION

All UTM departments and affiliates must sanitize Sensitive Media, both digital and non-digital, prior to disposal, reuse, or release from organizational control, using approved recommendations and methods (MP-6). Recommendations and methods are established in the Media Sanitization Standard.

3.5 REMOVABLE MEDIA

The use of removable/portable media devices may be restricted on campus when necessary. Methods of restriction include but are not limited to disabling or physically blocking ports, and limiting use to approved devices and device types (MP-7). Unknown Removable Media should never be connected to or inserted into any system; it should be treated as malicious until verified. Personally Identifiable Information (PII) should never be stored on removable media. If PII is required to be stored on removable media for official University business, strong encryption must be used and validated.

4.1 MANDATORY CONTROLS

Mandatory security controls are university-wide controls that are required to be consistently designed, implemented, monitored, and assessed.

Policy and Procedures (MP-1): Each Campus must develop or adopt and maintain a media protection program that includes the implementation of this policy and associated controls, and an annual review of that program.

Media Access Restrictions (MP-2): Each Campus must restrict access to Sensitive Media, both digital and non-digital, that contains Sensitive Information (information classified as Moderate or High per University Policy IT0115, Classification).

Media Storage (MP-4): Each Campus must store all Sensitive Media within secured, access-controlled areas and secure that media until it is destroyed or sanitized using approved equipment, techniques, and procedures.

Media Transport (MP-5): Each Campus must protect Sensitive Media during transport outside of controlled areas and restrict the activities associated with the transport of such media to authorized personnel.

Media Sanitization (MP-6): All Campuses must sanitize Sensitive Media, both digital and non-digital, prior to disposal, reuse, or release out of organizational control.

Media Use (MP-7): UTM may restrict the use of portable storage devices:
o by using physical means to prohibit access to certain external ports, or by disabling/removing the ability to insert, read, or write to such devices;
o to only approved devices, including but not limited to those provided by the University or other approved organizations, and that are not personally owned;
o based on the type of device, by disabling or removing the capability to write to such devices.
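The MP-7 options above are usually enforced through endpoint configuration rather than by policy text alone. The following PowerShell is an added illustration written for this page; it is not part of the UTM program and not UTM's own script. It sets and audits the registry values behind the Windows Group Policy setting "Removable Storage Access" (Computer Configuration > Administrative Templates > System) for the "Removable Disks" device class, which is how the third MP-7 option (deny write while still allowing read) is typically implemented on Windows. It assumes an elevated session on a standalone machine; in a domain the same values would be delivered by Group Policy, and the function names are hypothetical.

```powershell
# Added example, not part of the UTM Media Protection Program.
# Registry location used by the "Removable Storage Access" policy for the
# Windows "Removable Disks" device class (documented policy path and GUID).
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"

function Set-RemovableDiskAccess {
    # Hypothetical helper: applies the MP-7 "disable write" and/or "disable read" option.
    param(
        [switch]$DenyWrite,   # MP-7: remove the capability to write to removable disks
        [switch]$DenyRead     # MP-7: remove the capability to read from removable disks
    )
    New-Item -Path $PolicyKey -Force | Out-Null
    $writeValue = if ($DenyWrite) { 1 } else { 0 }
    $readValue  = if ($DenyRead)  { 1 } else { 0 }
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -Value $writeValue -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_Read'  -Value $readValue  -Type DWord
}

function Get-RemovableDiskAccess {
    # Hypothetical helper: reads the setting back so the control can be assessed, not assumed.
    if (-not (Test-Path $PolicyKey)) {
        return [pscustomobject]@{ Configured = $false; DenyWrite = $false; DenyRead = $false }
    }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        Configured = $true
        DenyWrite  = ($p.Deny_Write -eq 1)
        DenyRead   = ($p.Deny_Read  -eq 1)
    }
}

# Usage: removable disks stay readable but cannot be written (third MP-7 option),
# then report the effective setting for the program's annual review (MP-1).
Set-RemovableDiskAccess -DenyWrite
Get-RemovableDiskAccess
```

Setting Deny_Read and Deny_Write together approximates the first MP-7 option without physically blocking the port; the device still enumerates, so it remains visible to device-control monitoring. Because this only covers the Removable Disks class, media that enumerates under another class (cameras, phones, optical drives) needs its own class entry under the same policy key.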

5.1 DISCRETIONARY CONTROLS

Discretionary Controls are security controls whose scope is limited to a specific campus, institution, or other designated organizational component. Discretionary Controls are designed, implemented, monitored, and assessed within that organizational component. Discretionary Controls must not conflict with or lower the standards established by Mandatory Controls.

6.1 REFERENCES

NIST SP 800-53 Revision 4 - Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-88 Revision 1 - Guidelines for Media Sanitization
Media Sanitization Standard

7.1 DEFINITIONS

Access-controlled areas - Areas in which organizations provide sufficient physical and procedural safeguards necessary to protect information and/or information systems.

Digital media - Includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.

Encryption - The process of converting information or data into a special form to prevent unauthorized access.

Medium (pl. Media) - Material, both digital and non-digital, on which information may be stored.

Non-digital media - Includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers.

Personally Identifiable Information (PII) - Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Removable Media - Any type of storage device that can be inserted into and removed from a computer while the system is running. This includes but is not limited to USB flash drives, external hard drives, optical discs (CD, DVD, Blu-ray), memory cards (Secure Digital (SD), microSD, Memory Stick, CompactFlash), floppy or zip disks, and other storage devices (digital camera, mobile phone, multimedia player).

Sanitization - A process to render access to Target Data on the media infeasible for a given level of effort. Clear, Purge, and Destroy are actions that can be taken to sanitize media.

Secure storage - Includes, for example, a locked drawer, desk, or cabinet, or a controlled media library.

Sensitive Information - Information that is protected against unwarranted disclosure. Protection of sensitive information may be required for legal, ethical, privacy, or proprietary considerations. Sensitive Information includes all data which contains Personally Identifiable Information, Protected Health Information, student education records, cardholder data, or other information that is protected by applicable laws, regulations, or policies.

Sensitive Media - Digital or non-digital media that contains Sensitive Information.

Strong Encryption - An encryption method utilizing a very large number (greater than or equal to 256 bits) as its cryptographic key.

Unknown Removable Media - Removable media of unknown origin and contents.