MUSC Information Security Standards: Device and Media Controls

Author: Richard Gadsden
Contact: gadsden@musc.edu
Version: 0.4
Date: 26 Jul 2005
Status: DRAFT

Contents

1. Purpose and Scope

These standards apply to the disposal, re-use, and movement of all hardware devices and all electronic media that have been used to store protected information.

2. Applicable MUSC Policies

3. Standards

3.1. Responsibility

If an MUSC workstation or other system contains (or has ever contained) protected information, then the designated Owner of the system is responsible for implementing appropriate device and media controls for the system.

3.2. Applicability

Device and media controls are required for hardware and media that have been used to store protected information.

Protected information is defined in the Information Security policy as “information that, because of its criticality, its sensitivity, and/or legal or regulatory requirements, requires special safeguards.”

The erasure of data from electronic media requires special tools that physically over-write the bit patterns recorded on the media. Routine file deletion and media re-formatting operations do not provide this required functionality.

3.3. Standards for Device and Media Disposal

Any protected information that has been recorded on a device/media that is slated for disposal or surplus must first be erased from the device/media. If erasure is not possible, then the device/media must be destroyed.

3.4. Standards for Device and Media Re-Use

Any device/media that is slated for re-use in a different system must first be erased, if the device/media has been used to store protected information. If the device/media is being re-used in the same system, then erasure is required if the device/media will be used in a different manner, or in an application with different requirements for access control, than it was previously.

3.5. Standards for Device and Media Movement

The physical security of devices and media containing protected information must be maintained during movement and/or off-site storage. All movements must be logged (in and out), logs and inventories must be regularly reviewed, and any inventory discrepancies must be reported as a security incident.

If a device/media is slated for movement, and it contains the only copy of protected information whose availability must be assured, then one or more backup copies of the protected information must be created prior to the movement of the device/media. In the case of portable devices, copies of any protected information that originates with the device must be uploaded to more permanent storage with sufficient frequency to provide reasonable and appropriate protection against loss of the information.

Whenever movement and/or off-site storage of a device/media containing protected information is anticipated, encryption of the information stored on the device/media should be considered as part of the risk assessment process.

3.6. Standards for Service Contracts and Repairs

If a storage device has been used to store protected information, and if the device is covered by a service or maintenance contract that provides for the repair or replacement of the device, then the contract must address the contractor's obligation to protect the security and confidentiality of any information that may still be present on the storage device during its repair, or after its replacement.

  • If the device is repaired on-site, while the customer (MUSC) retains custody of the device, then the contractor's personnel will protect the security and confidentiality of any customer information on the device, if incidental exposure of this information to the contractor's personnel occurs during repair.
  • If the device is replaced, and if the malfunctioning device must be surrendered to the custody of the contractor without the opportunity to erase its contents per Section 3.3, then the contractor's personnel will protect the security and confidentiality of any customer information present on the device, for as long as the device remains in the contractor's custody. Furthermore, the contractor will ensure that neither the device, nor any part of the device, will ever be released from the contractor's custody, if it still contains recoverable customer information.

No malfunctioning storage device that still contains protected information may be surrendered to a service or maintenance contractor, for repair or replacement, without contractual assurances that the security and confidentiality of the information will be protected.

3.7. Documentation Standards

The documented security policies and procedures for any system that contains protected information must address the issues of device and media disposal, re-use, and movement.