MP-07 Media Use
a. mp-07_odp.02 the use of mp-07_odp.01 on mp-07_odp.03 using mp-07_odp.04 ; and
b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
|mp-07_odp.01||types of system media|
|mp-07_odp.03||systems or system components|
System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2 , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.
- FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
- SP 800-111 Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111.
Control Enhancements 2
- MP-07(01) Prohibit Use Without Owner
- MP-07(02) Prohibit Use of Sanitization-resistant Media L M H P
Related controls 6
- AC-19 Access Control for Mobile Devices L M H P
- AC-20 Use of External Systems L M H P
- PL-04 Rules of Behavior L M H P
- PM-12 Insider Threat Program L M H P
- SC-34 Non-modifiable Executable Programs L M H P
- SC-41 Port and I/O Device Access L M H P