Mike Wills - The Official (ISC)2 SSCP CBK Reference

The only official body of knowledge for SSCP—(ISC)2’s popular credential for hands-on security professionals—fully revised and updated 2021 SSCP Exam Outline.

Colorize to Classify

Marking media might become complicated, depending on the media used. For instance, it might be possible to include a significant amount of information on the label of a 3.5" floppy disk, but much, much more difficult to put that same information on the label of a USB flash drive that is the size of a thumbnail. Quite often, it's much more effective to use color schemes as a visible part of media security marking, when the media itself can be readily purchased in a range of colors suitable for your organization's security labeling needs. Many media vendors can also prelabel the physical media itself to meet your needs.

Protecting

Consistent with the least privilege and separation of duties concepts discussed previously, your organization should restrict access to and usage of removable media to specifically authorized staff members who need it for their daily duties, based on their specific roles.

To do this, there must be an element of physical protection and storage that is commensurate with the sensitivity and classification of the data on the media. Here are a few examples, illustrating different levels of protection:

Backup copies of audit logs are kept in a locked desk drawer or cabinet, where the key is available only to administrators who may need to review the logs.

Signed hard-copy health insurance forms are in a locked file cabinet in a room restricted to HR staff via proximity-badge access.

An external hard drive with classified data on it is fully encrypted and is in a locked safe in a protected area, accessible only to users with appropriate security clearance and need to know. The encrypted files can be decrypted only on systems that are cleared for using information at that level and then only when being used by a user with matching privileges.

As you can see in the examples, different layers of both physical and logical access control can and should be provided to media to meet your information security needs. There are additional measures to consider, based on the sensitivity and criticality of your media. You may need to create redundant copies of critical media to mitigate accidental damage or loss. Suitable encryption and other techniques can protect the classified data while it is at rest (stored on the media) and in motion between the media and the systems that are processing it (and making it available to users). Remember, too, that all storage media and technologies suffer degradation over time, resulting in data loss. Your data integrity, availability, and retention needs may drive you to establish a media rotation strategy, which periodically moves the files (the in-use set and the backup copies) to new, fresh media. (Data centers have been doing this since the 1960s, as they discovered that reels of magnetic tape quite literally saw bits flaking off when they hung in storage for too long.) Finally, you should treat the collection of all of your sensitive, critical information and the media it is stored on as a library of assets and define formal processes for periodically verifying your inventory of media, for formally authorizing users to check media in and out of the media library, and for leaving an audit trail. These processes should be followed until the media is either sanitized and then downgraded for uncontrolled use (not recommended—it's a false economy!) or destroyed for disposal, using approved equipment and methods in either case.

Transport

Your organization needs to have a defined set of procedures for protecting media when it is transported outside of controlled or restricted areas. These procedures should define the check-in and checkout accountability mechanisms used for transport, as well as the documentation requirements of the transportation activities. You should also explicitly define what information must be captured or logged upon checkout, during transport, and upon check-in of media, which might include details such as who requested the transport and who was responsible for the media during transport.

Any staff or courier transporting media should clearly understand the restrictions applied to the transport (such as approved travel methods, routes) as well as special handling and packaging considerations, based on media type, to protect it from hazards such as moisture, temperature, and magnetic fields. This also includes when, whether, and how encryption should be used during transport. Couriers should also understand your rules on deviations from procedures in the event of unforeseen circumstances encountered during such transport.

Transport procedures should be clear as to when appointed custodians are necessary, who the approved custodians or couriers are, and how to verify identity if external couriers are used. Consideration should also be given to when and how the responsibilities of the custodian can be transferred to another, as well as specific points of contact to whom the media can be transferred at arrival.

Sanitization and Disposal

The topics of media sanitization and disposal overlap and are interrelated. There comes a time in the information lifecycle when certain data is no longer needed, and leaving that data sitting on media for no reason presents an unacceptable risk: if there is no benefit, why accept even the slightest chance that the media could be compromised? At that point the information must be destroyed by sanitizing (zeroizing) the media. The media itself can then either be returned to your library, reformatted and empty but suitable for reuse with information at the security level its marking allows, or destroyed if it is also past its economically useful life. So, what are the differences between sanitization and disposal?

The first difference is the reuse scenario. According to NIST SP 800-53 (control MP-6, Media Sanitization), media should be sanitized “prior to disposal, release out of organizational control, or release for reuse.” Disposal does not contemplate reusing the media; sanitization does. Blank, new media might cost $50 to $3,000 or more apiece, so it may be worthwhile to have effective reuse and sanitization strategies in place. With the rapidly increasing capacity and decreasing cost of solid-state drives and flash media, however, many organizations choose verifiable destruction rather than risk an incomplete sanitization of such media. Destruction can also be done faster and at less cost in most cases.

The next difference is in the methods. Sanitization methods are less physically destructive than disposal methods. For example, sanitizing nondigital media such as paper documents is accomplished by removing sensitive pages or entire sections, or by redacting or obscuring specific text. In contrast, disposal of paper documents entails cross-cut shredding, pulping, or burning the papers entirely. Sanitizing digital media such as magnetic hard drives means overwriting every addressable sector of the drive with a fixed or random pattern and then reading the media back to verify that the overwrite actually took. (Multiple passes of random data were long the norm; NIST SP 800-88 treats a single verified pass as adequate for modern magnetic drives. The term zeroization is sometimes applied to this process, although in NSA and FIPS 140 usage it refers more narrowly to erasing cryptographic keys from a device. Whatever pattern is written, the verification step is what matters: a sector the tool skipped, or one the drive has remapped as bad or hidden behind a host protected area, still holds its original content and is completely readable. This is why NIST SP 800-88 points to the drive's own ATA Secure Erase or cryptographic erase commands rather than host-level overwrites alone.) Disposal of hard drives, in contrast, entails degaussing the drive, physically abrading or chemically corroding the surface of the platters, or breaking the entire drive in a powerful shredder. Even degaussed or abraded media may be subject to local regulations on disposal, and you should not assume that what goes into the trash is protected from scrutiny: in many jurisdictions discarded material may be searched without a warrant.

NOTE: Degaussing does not work on a solid-state drive (SSD), other flash media, or optical disks; only the magnetic coating of a tape or platter responds to the field.
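The overwrite-and-verify logic described above, as an added example that is not from the book: a Python sketch in which a file-backed image stands in for a drive (512-byte sectors and the sample "records" are assumptions of this example, and the data is constructed). The wiper overwrites every sector and logs what it wrote; the verifier then reads the media back independently and reports any sector the tool skipped, showing that such a sector still holds its original record in the clear.

```python
import hashlib
import os
import secrets
import tempfile

SECTOR = 512  # logical sector size assumed for the image (an assumption of this example)


def sector_digests(path):
    """SHA-256 of each sector of the image, in order. Taken before the wipe,
    this is the independent evidence for judging what survived it."""
    digests = []
    with open(path, "rb") as f:
        while True:
            chunk = f.read(SECTOR)
            if not chunk:
                return digests
            digests.append(hashlib.sha256(chunk).hexdigest())


def overwrite_image(path, pattern=None, skip_sectors=frozenset()):
    """Overwrite every sector with a one-byte fixed pattern (e.g. b"\\x00") or,
    when pattern is None, with fresh random bytes from the OS CSPRNG.

    Returns the wiper's own log: the digest of what it wrote to each sector,
    or None where it wrote nothing. `skip_sectors` simulates a faulty tool or
    an unreachable block so that the verifier has something to catch.
    """
    size = os.path.getsize(path)
    log = []
    with open(path, "r+b") as f:
        for idx, offset in enumerate(range(0, size, SECTOR)):
            length = min(SECTOR, size - offset)
            if idx in skip_sectors:
                log.append(None)
                continue
            data = pattern * length if pattern is not None else secrets.token_bytes(length)
            f.seek(offset)
            f.write(data)
            log.append(hashlib.sha256(data).hexdigest())
        f.flush()
        os.fsync(f.fileno())
    return log


def verify_wipe(path, wipe_log):
    """Read the media back and compare it with the wiper's log.

    A sector fails if the tool never wrote it (None) or if it does not read
    back as what the tool claims to have written. Either way the sector still
    holds whatever was there before, so the media is not sanitized.
    """
    actual = sector_digests(path)
    if len(actual) != len(wipe_log):
        raise ValueError("wipe log does not cover the whole image")
    return [i for i, (claimed, got) in enumerate(zip(wipe_log, actual))
            if claimed is None or claimed != got]


def demo():
    """Constructed scenario: eight sectors of fake records are wiped first by
    a tool that silently skips sector 3 (zero pattern), then correctly with
    random data. Returns what each verification found."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        for i in range(8):
            record = f"record-{i:02d}:SSN=000-00-{i:04d}".encode()
            tmp.write(record.ljust(SECTOR, b" "))
        path = tmp.name
    try:
        before = sector_digests(path)

        faulty_log = overwrite_image(path, pattern=b"\x00", skip_sectors={3})
        failed = verify_wipe(path, faulty_log)
        still_original = sector_digests(path)[3] == before[3]
        with open(path, "rb") as f:
            f.seek(3 * SECTOR)
            leftover = f.read(SECTOR).rstrip(b" ").decode()

        clean_log = overwrite_image(path)  # random data over every sector
        failed_clean = verify_wipe(path, clean_log)

        return {
            "failed_after_faulty_wipe": failed,
            "skipped_sector_still_original": still_original,
            "skipped_sector_plaintext": leftover,
            "failed_after_random_wipe": failed_clean,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

On a physical drive a host-level loop like this only reaches the logical block addresses the device chooses to expose; sectors remapped as bad, areas hidden behind an HPA/DCO, and the spare blocks an SSD's wear levelling holds back are not covered, which is why the drive's own ATA Secure Erase or cryptographic erase is preferred and why verification should read the media itself rather than trust the tool's completion report.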
