Policy Reference

Category: IT Asset and Risk Management
Approval Date: 01-29-2010
Scope: All Personnel

Purpose

To maintain data asset audit trails and ensure proper protection of electronic media, particularly portable electronic storage media.


Policy

  1. City-owned data will not be transferred to portable media devices unless pre-authorized by the owner of the data or by ITS.
  2. Personnel will maintain a media inventory of all fixed and removable storage systems containing city-owned data. This includes but is not limited to hard disks, portable hard drives, flash drives, USB storage devices, CDs/DVDs, and memory cards.
  3. Authorized personnel responsible for the media will be required to maintain the inventory records for all related media and provide them as needed for audit purposes.
  4. The city will inventory and then physically secure all paper and electronic archival media that contains official records, ensuring that inventory and secure storage practices are maintained during off-site storage.
  5. Department personnel must maintain strict control over the internal or external distribution of confidential media, ensuring that only authorized users will have access to the media.
  6. Personnel must ensure that management approves all transit or distribution requests for media that is moved from a secure area.
  7. Personnel must maintain strict control over the storage and accessibility of media that contains confidential information.
  8. Personnel must label all confidential and sensitive media so that it can be identified as such, with the label indicating the distribution limitations and handling caveats of the information.
  9. Personnel must send all confidential media through a delivery mechanism that allows accurate media location tracking.
  10. Personnel must ensure continued conformance to records retention policies when managing portable media.
  11. Personnel must ensure that all hard copy materials and media containing confidential or sensitive information that are to be destroyed are destroyed in accordance with adopted city standards and guidelines.

Compliance

  1. The organization must maintain inventories of all media and ensure the inventories are reviewed at least annually.
    Review the media inventory log to verify media inventories are performed on an annual basis.
    § 9.9.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2
  2. The organization must maintain inventories of all media and ensure the inventories are reviewed at least annually.
    § 9.9.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  3. Moving sensitive physical media from one site to another should be accomplished in a secure manner, that is, with reputable couriers and protective packaging. The distribution of sensitive media should be limited to authorized personnel. Sensitive media should be clearly marked with the identity of the authorized recipient.
    CB2.6.2(b), CI3.1.4(b), CI3.1.4(c), CI3.2.8, UE6.4.4(b), The Standard of Good Practice for Information Security