Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

mp-4

media storage

assessment objective:

Determine if the organization:

mp-4(a)

mp-4(a)[1]

defines types of digital and/or non-digital media to be physically controlled and securely stored within designated controlled areas;

mp-4(a)[2]

defines controlled areas designated to physically control and securely store organization-defined types of digital and/or non-digital media;

mp-4(a)[3]

physically controls organization-defined types of digital and/or non-digital media within organization-defined controlled areas;

mp-4(a)[4]

securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas; and

mp-4(b)

protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

potential assessment methods and objects:

Examine: [select from: Information system media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; security plan; information system media; designated controlled areas; other relevant documents or records].

Interview: [select from: Organizational personnel with information system media protection and storage responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for storing information media; automated mechanisms supporting and/or implementing secure media storage/media protection].