PR.PT-P1: Removable media is protected and its use restricted according to policy
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Note: This Privacy Framework Subcategory is identical to the Cybersecurity Framework Subcategory.
Related Controls
NIST Special Publication 800-53 Revision 5
MP-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] media protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
MP-2: Media Access
Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
MP-3: Media Marking
Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and Exempt [Assignment: organization-defined types of system media] from marking if the media remain within [Assignment: organization-defined controlled areas].
MP-4: Media Storage
Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5: Media Transport
Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; Maintain accountability for system media during transport outside of controlled areas; Document activities associated with the transport of system media; and Restrict the activities associated with the transport of system media to authorized personnel.
MP-7: Media Use
[Assignment: Restrict, Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
MP-8: Media Downgrading
Establish [Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information; Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential…
Cloud Controls Matrix v3.0.1
DSI-04: Handling / Labeling / Security Policy
Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
DCS-04: Off-Site Authorization
Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
HRS-11: Workspace
Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and user computing sessions are disabled after an established period of inactivity.
MOS-08: Device Eligibility
The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage.
MOS-10: Device Management
A centralized, mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.
MOS-11: Encryption
The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices, and shall be enforced through technology controls.
Critical Security Controls Version 8
3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
NIST Special Publication 800-53 Revision 4
MP-1: Media Protection Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and Reviews and updates the current: Media protection policy…
MP-2: Media Access
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
MP-3: Media Marking
The organization: Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
MP-4: Media Storage
The organization: Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5: Media Transport
The organization: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; Maintains accountability for information system media during transport outside of controlled areas; Documents activities associated with the transport of information system media; and Restricts the activities associated with the transport of information…
MP-7: Media Use
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
MP-8: Media Downgrading
The organization: Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity]; Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded…
Critical Security Controls Version 7.1
8: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
13: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.