Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

mp-2

media access

assessment objective:

Determine if the organization:

mp-2[1]

defines types of digital and/or non-digital media requiring restricted access;

mp-2[2]

defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and

mp-2[3]

restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.

potential assessment methods and objects:

Examine: [select from: Information system media protection policy; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system media protection responsibilities; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Organizational processes for restricting information media; automated mechanisms supporting and/or implementing media access restrictions].