
MEDIA PROTECTION POLICY

[Company Name]

Document Owner:
Effective Date:
Updated:

Disclaimer: This sample policy has been provided by Apptega, Inc. as a generic document to support the
development of your compliance program. It is unlikely to be complete for your organization without
customization. This document is not legal advice and Apptega is not a registered CPA firm.
Media Protection Policy
Version 1.0
[Updated Date]

Revision History
Revision | Rev. Date | Description | Prepared By | Reviewed By | Date | Approved By | Date
1.0 | | | | | | |

1. Overview
2. Purpose
3. Scope
4. Policy
   4.1
   4.2
   4.3
   4.4
   4.5
   4.6
   4.7
   4.8
   4.9
5. Audit Controls and Management
6. Enforcement
7. Distribution
8. Related Standards, Policies, and Processes
9. Related Sub controls
10. Definitions and Terms

1. Overview
Media protection addresses the security measures relating to the protection of
<Company>-owned media, both digital and non-digital. Media protections should be
capable of restricting access to only authorized personnel. Additionally, they should
describe the proper procedures for handling any media containing sensitive materials.

2. Purpose
This policy provides procedures and protocols supporting effective management of
configurations for all company devices and systems.

3. Scope
This policy applies to all company officers, directors, employees, agents, affiliates,
contractors, consultants, advisors or service providers. It is the responsibility of all the
above to familiarize themselves with this policy and ensure adequate compliance with
it.

4. Policy
4.1
It is the responsibility of <Company> to physically control and securely store any
paper and/or digital media.

4.2
Access to CUI on system media is to be limited to authorized users.

4.3
Media containing CUI must be sanitized prior to disposal or re-use.

4.4
Media containing CUI is to be marked with applicable CUI markings and
distribution limitation markings.

4.5
Access to media containing CUI is to be controlled, and accountability for media
during transport outside of controlled areas is to be maintained.

4.6
Cryptographic mechanisms should be implemented to protect the confidentiality
of CUI stored on any digital media during transport. Alternatively, physical
safeguards may be used.

4.7
<Company> controls the use of removable media on system components.

<Provide location of, or outline policy addressing this use of removable media>

4.8
The use of portable storage devices is prohibited when the device owner cannot be
identified.

4.9
Any media backups containing CUI are to be protected at storage locations under
strict confidentiality.

5. Audit Controls and Management


On-demand documented procedures and evidence of practice should be in place for this
operational policy. Satisfactory examples of evidence and compliance are outlined in the
Audit and Accountability Policy.

6. Enforcement
Staff members found in violation of this policy may be subject to disciplinary action,
up to and including termination.

7. Distribution
This policy is to be distributed to all staff.

8. Related Standards, Policies, and Processes
• Asset Labeling Procedure
• Removable Media Policy
• Media Transfer Policy
• Media Storage and Accessibility Policy
• Policy Addressing Use of Removable Media on External Systems

9. Related Sub controls


Control Code | Control
3.8.1 | Media Storage
3.8.2 | Media Access
3.8.3 | Media Disposal and Reuse
3.8.4 | Media Marking
3.8.5 | Physical Media Transfer
3.8.6 | Safeguarding Media in Transit
3.8.7 | Media Use
3.8.8 | Authorized Media Use
3.8.9 | Secure Backups

10. Definitions and Terms


The following definitions are not all-inclusive and should be updated as new information
is made available:
Term | Definition
Digital Media | Media stored in a computer-accessible format such as: discs, hard drives, flash drives, etc.
Non-digital Media | Physical media readable by people such as: paper, microfilm, or hard copy documents
Media Sanitization | Actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means. Process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs.

CONFIDENTIAL
