Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/MP/Low

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


MEDIA PROTECTION

MP-1 MEDIA PROTECTION POLICY AND PROCEDURES


FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
Control: MP-1 Media Protection Policy and Procedures
Priority: P1
LOW: MP-1    MOD: MP-1    HIGH: MP-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/MP-1


ASSESSMENT PROCEDURE
MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
MP-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents media protection policy;
(ii) the organization's media protection policy addresses:
(iii) the organization disseminates formal documented media protection policy to elements within the organization having associated media protection roles and responsibilities;
(iv) the organization develops and formally documents media protection procedures;
(v) the organization's media protection procedures facilitate implementation of the media protection policy and associated media protection controls; and
(vi) the organization disseminates formal documented media protection procedures to elements within the organization having associated media protection roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Media protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].
MP-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of media protection policy reviews/updates;
(ii) the organization reviews/updates media protection policy in accordance with the organization-defined frequency;
(iii) the organization defines the frequency of media protection procedure reviews/updates; and
(iv) the organization reviews/updates media protection procedures in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Media protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].


MP-2 MEDIA ACCESS


FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
Control: MP-2 Media Access
Priority: P1
LOW: MP-2    MOD: MP-2 (1)    HIGH: MP-2 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/MP-2


ASSESSMENT PROCEDURE
MP-2 MEDIA ACCESS
MP-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines:
  • digital and non-digital media requiring restricted access;
  • individuals authorized to access the media;
  • security measures taken to restrict access; and
(ii) the organization restricts access to organization-defined information system media to organization-defined authorized individuals using organization-defined security measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].



MP-6 MEDIA SANITIZATION


FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
Control: MP-6 Media Sanitization
Priority: P1
LOW: MP-6    MOD: MP-6    HIGH: MP-6 (1) (2) (3)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/MP-6


ASSESSMENT PROCEDURE
MP-6 MEDIA SANITIZATION
MP-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization sanitizes information system media, both digital and non-digital, prior to:
  • disposal;
  • release out of organizational control; or
  • release for reuse; and
(ii) the organization employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].


