Level 2
Description:
In contrast to requirement 3.8., which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices.
Priority: High
Domain: MEDIA PROTECTION (MP)
Category: Personnel Security
Services Associated with AWS:
- AWS Systems Manager, AWS IAM, AWS Security Hub
Services Associated with Azure:
- Azure Security Center
- Azure Information Protection
- Azure Policy
- Azure Active Directory (Azure AD)
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation of role-based security training being performed
- Administrative: supporting documentation to demonstrate how Data Loss Prevention (DLP) is implemented, if applicable
- Technical: screenshot of DLP technology, if applicable
- Technical: screenshot of configuration settings, if applicable
Possible Technology Considerations :
- Secure Baseline Configurations (SBC)
- Data Classification Solution
What needs to be answered :
Is the use of writable, removable media restricted on the system? Are removable media allowed?
Checks for AWS
- Control of Removable Media Usage
Description: This check ensures that organizations have implemented controls to control the use of removable media on system components. Removable media, such as flash drives or external hard disk drives, can pose security risks if used inappropriately or without proper authorization. Organizations employ technical and non-technical controls, such as policies, procedures, and rules of behavior, to restrict or prohibit the use of certain types of media on systems. This control helps mitigate the risk of unauthorized data transfer, introduction of malware, or data leakage through removable media.
Checks for Azure
- CUI at Rest Encryption Check
Description: This policy ensures that CUI is stored securely when at rest by verifying that cryptographic mechanisms, such as Azure Disk Encryption or Azure Storage Service Encryption, are enabled on storage resources where CUI is stored. These mechanisms help protect data confidentiality by encrypting data at rest. - Secure Offline Storage for CUI Check
Description: This policy ensures that organizations use secure offline storage for CUI when adequate online protection cannot be achieved. It verifies that CUI is not stored in publicly accessible locations and is adequately protected, even when offline. Secure offline storage could include solutions like Azure Data Box or Azure Backup Vaults. - Continuous Monitoring for CUI at Rest Check
Description: This policy ensures that continuous monitoring mechanisms are in place to identify potential threats to CUI at rest. Organizations can use Azure Security Center or Azure Sentinel for continuous monitoring and threat detection. The policy checks that these monitoring solutions are configured and active. - File Share Scanning for CUI Check
Description: This policy verifies that file share scanning mechanisms are used to detect and protect CUI at rest in Azure file shares. It ensures that scanning is performed regularly, and any suspicious activities or unauthorized access attempts related to CUI are identified and addressed promptly. - Network Security Group (NSG) Restrictions for CUI Check
Description: This policy ensures that network security groups are configured to restrict access to resources containing CUI. It checks that only authorized networks or specific IP ranges have access to the resources storing CUI, helping to prevent unauthorized access from the internet or other untrusted sources.
More Details:
Removable media policies in place for all users. All users go through training regarding removable media.