Media Protection (MP 01) 11.2-1

Introduction/Purpose

It is SVSU’s policy to encourage employees to use ITS provided measures for data storage (company approved shared drives or cloud-based storage solutions or protected hard drives on company issued devices). The use of portable media devices (memory cards, USB sticks, other mobile storage devices) is discouraged.

Policy

Acceptance of Security Related Policies
SVSU identifies, develops, and maintains a set of security related policies. These policies are provided to faculty, staff, and each new employee.

Annual Review and Update of Security Related Policies
SVSU keeps all security-related policies updated. At least annually, an Information Technology Services (ITS) leader or individuals assigned by ITS leadership review all security related policies. If updates are recommended, the Executive Director of Information Technology Services approves updates to these policies. SVSU will communicate updates to its employees.

MP 02 - Media Access

SVSU restricts access to digital media to authorized individuals using organization-defined security measures (see AC – Access Control).

MP 04 - Media Storage

Information on paper documents

SVSU ensures that sensitive information, especially information containing personal or financial data, is not printed on paper documents unless it is an absolute necessity to conduct SVSU’s business.

Sensitive information contained on paper documents is kept in SVSU’s archives and/or office areas, access is controlled. Documents with sensitive information are stored in file cabinets that are supervised or locked during business hours and locked after business hours.

Information on electronic media

Sensitive information processed and stored in the production environment is maintained on media managed by ITS. This includes production storage (hard drives, SSDs, etc.) and media used for back-ups. Media is not accessible unless authorized.

Storage media for backups is encrypted.

SVSU discourages the use of portable media to store sensitive information.

If non-authorized means of data storage are used, it is the responsibility of the user to safeguard the information.

The following guidelines need to be adhered to:

• Storage of sensitive data on any non-authorized storage device or media is discouraged unless approved by the Information Systems Security Manger.
• Auto forwarding of emails to external accounts is prohibited by faculty and staff to prevent data leakage unless there is a business case disclosing residual risk.

MP 06 - Media Sanitization

SVSU ensures that data and data media that is no longer needed or functional is disposed of in a way that sensitive information is irretrievable.

Information on paper documents

Sensitive information contained on paper documents is kept in SVSU’s office area, access is controlled. Documents containing sensitive information (i.e., SVSU or customer confidential information, SVSU financial data) should not be printed. If a document contains sensitive information special care needs to be taken for storage and disposal of documents.
 
Documents to be disposed of need to be shredded or disposed in locked bins and picked up by a certified document disposal service.

For remote workstations, every employee is responsible for adhering to similar measures as outlined above (avoid printing, shredding of documents, etc.)

Information on electronic media

Sensitive information that is stored on devices and drives is managed by SVSU, including drives on workstations and laptops used by SVSU employees. All office laptops and desktops issued by SVSU have hard drives encrypted. Academic lab computers are not encrypted but use a device freeze/snapshot utility to preserve the image (which will not retain captured or collected data).  If a hard drive or other media with readable sensitive information is not in employee use, the devices and media are collected for later reuse or later disposal. If disposal becomes necessary, storage media will be sanitized by either degaussing, software overwrites consistent with guidelines outlined within NIST SP 800 – 88, mechanically destroyed or otherwise made unavailable for retrieval attempts. A qualified third-party certifying destruction of media may be used.

If media is re-used, sanitization of portable, removable storage devices must be completed prior to connecting such devices to the information system.

For cloud-based services: Storage media that is not physically managed by SVSU is managed by the cloud provider according to contractual obligations. Media provided by the cloud provider to host SVSU’s servers and data is destroyed at end-of-life following NIST 800-88 procedures or similar secure procedures.

Secure Deletion in Servers (Unix/Linux)

At SVSU, for secure deletion of servers with OS Linux, and according to NIST 800-88 “Guidelines for Media Sanitization” drives are destroyed with a press at the end of the lifecycle.

MP 07 - Media Use

Sensitive information should be stored on removable media only when required in the performance of assigned duties.  When sensitive information is stored on removable media, the user must ensure that encryption is used, and the media device is kept safe.

Appendix:
NIST 800.53 - Security and Privacy Controls for Information Systems and Organizations
NIST 800-88 Guidelines for Media Sanitization