MP - Media Protection

  • Controls Count: 3
  • Controls IDs: MP-6 (1), MP-6 (2), MP-6 (3)

Controls

MP-6 (1): Review, Approve, Track, Document, and Verify

Review, approve, track, document, and verify media sanitization and disposal actions.

Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal.

media sanitization and disposal actions are reviewed;

media sanitization and disposal actions are approved;

media sanitization and disposal actions are tracked;

media sanitization and disposal actions are documented;

media sanitization and disposal actions are verified.

System media protection policy

procedures addressing media sanitization and disposal

records retention and disposition policy

records retention and disposition procedures

media sanitization and disposal records

review records for media sanitization and disposal actions

approvals for media sanitization and disposal actions

tracking records

verification records

system audit records

system security plan

privacy plan

other relevant documents or records

Organizational personnel with system media sanitization and disposal responsibilities

organizational personnel with records retention and disposition responsibilities

organizational personnel with information security and privacy responsibilities

system/network administrators

Organizational processes for media sanitization

mechanisms supporting and/or implementing media sanitization

mechanisms supporting and/or implementing verification of media sanitization

MP-6 (2): Equipment Testing

Test sanitization equipment and procedures at an organization-defined frequency to ensure that the intended sanitization is being achieved.

Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers.

sanitization equipment is tested at the organization-defined frequency (the frequency with which to test sanitization equipment is defined) to ensure that the intended sanitization is being achieved;

sanitization procedures are tested at the organization-defined frequency (the frequency with which to test sanitization procedures is defined) to ensure that the intended sanitization is being achieved.

System media protection policy

procedures addressing media sanitization and disposal

procedures addressing testing of media sanitization equipment

results of media sanitization equipment and procedures testing

system audit records

records retention and disposition policy

records retention and disposition procedures

system security plan

privacy plan

other relevant documents or records

Organizational personnel with system media sanitization responsibilities

organizational personnel with records retention and disposition responsibilities

organizational personnel with information security and privacy responsibilities

Organizational processes for media sanitization

automated mechanisms supporting and/or implementing media sanitization

automated mechanisms supporting and/or implementing media sanitization procedures

sanitization equipment

MP-6 (3): Nondestructive Techniques

Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: organization-defined circumstances requiring sanitization of portable storage devices.

Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.

non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under organization-defined circumstances (the circumstances requiring sanitization of portable storage devices are defined).

System media protection policy

procedures addressing media sanitization and disposal

information on portable storage devices for the system

list of circumstances requiring sanitization of portable storage devices

media sanitization records

audit records

system security plan

other relevant documents or records

Organizational personnel with system media sanitization responsibilities

organizational personnel with information security responsibilities

Organizational processes for media sanitization of portable storage devices

mechanisms supporting and/or implementing media sanitization