ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Applicable: (Y)es / (N)o

(C)onfidentiality: L1 / M2 / H3

(I)ntegrity: L1 / M2 / H3

(A)vailability: L1 / M2 / H3

RPN: (C+I+A)

(S)atisfactory / (O)ther than satisfactory

MP-7 Media Use

Assessment objective:

Determine if the organization:

MP-7[1] defines types of information system media to be:

MP-7[1][a] restricted on information systems or system components; or

MP-7[1][b] prohibited from use on information systems or system components;

MP-7[2] defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:

MP-7[2][a] restricted; or

MP-7[2][b] prohibited;

MP-7[3] defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and

MP-7[4] restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.

Potential assessment methods and objects:

Examine: [select from: Information system media protection policy; system use policy; procedures addressing media usage restrictions; security plan; rules of behavior; information system design documentation; information system configuration settings and associated documentation; audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system media use responsibilities; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Organizational processes for media use; automated mechanisms restricting or prohibiting use of information system media on information systems or system components].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056