MP-05 Media Transport

Media Protection

Low Moderate High

Description

The organization protects and controls information system media during transport outside of controlled areas and restricts the activities associated with transport of such media to authorized personnel.

Supplemental Guidance

Information system media includes both digital media (e.g., diskettes, tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system. This control also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones) that are transported outside of controlled areas. Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other information systems, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas. An organizational assessment of risk guides the selection of media, and of the associated information contained on that media, requiring protection during transport. Organizations document in policy and procedures the media requiring protection during transport and the specific measures taken to protect such transported media. The rigor with which this control is applied is commensurate with the FIPS 199 security categorization of the information contained on the media. An organizational assessment of risk also guides the selection and use of appropriate storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).

Compliance Mappings

ISO 27001:2022

A.7.10, A.7.9

ISO 27002:2022

5.14, 7.10, 7.9

COBIT 2019

APO14, BAI09

CIS Controls v8

CIS 3, CIS 3.9

NIST CSF 2.0

PR.DS-01

PCI DSS v4.0.1

9.4

CSA CCM v4

DCS-02, DCS-04

CSA AICM v1

DCS-02, DCS-04

FINOS CCC

CCC-C16

ISO 42001:2023

A.4.3

PRA Operational Resilience

SS2/21-11.1

MAS TRM

11

ANSSI

Hygiene.19, SecNumCloud.9.2

FINMA Circular 2023/1

IV.C(63), IV.D(78), IV.D(81)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(a), Art.44, Art.5(1)(f)

EU DORA

Art.9(4)(a), Art.9(4)(b)

BIO2

5.14, 7.10, 7.9

RBI CSF

Annex1.12

FISC Security Guidelines

FISC.F4

LGPD + BCB 4893

BCB.Art.14, LGPD.Art.33-36

HKMA TM-E-1

TME1.6.5, TME1.7.2, TME1.9.2

MLPS 2.0

8.1.10.1, 8.1.4.8

EU CRA

CRA.I.2e, CRA.I.2m

SWIFT CSCF

SWIFT.2.5A

SAMA CSF

3.9

NCA ECC

2-6, 2-7, 2-9

UAE IA

T4

CBB TM

TM-9

Qatar NIA

AM

CBUAE

CR-5

CBE CSF

CTO-2

SA JS2

JS2-8.2

CBN CSF

Part3.4

BoG CISD

CISD-V

BCBS 239

Principle 11

FFIEC IS

II.C.13, II.C.13(c), II.C.13(d)

NYDFS 500

500.15

HIPAA Security Rule

§164.308(a)(7)(ii)(A), §164.310(d)(1), §164.310(d)(2)(iii)

ECB CROE

CROE.2.3.3

SEBI CSCRF

PR.DS

BOT Cyber Resilience

Ch2.3

CMMC 2.0

MP

CBEST

CBEST.9

Lloyd's Minimum Standards

MS8.7

NAIC Insurance Data Security

4-encryption

HITRUST CSF v11

07.b, 09.f

ISO 27799

12.3, 13.2

NHS DSPT

NDG-1.1

CCSS v9.0

1.01.4

Basel SCO60

SCO60.61, SCO60.63

BSSC Standards

KMS-05, KMS-10

SEC Custody (Digital Assets)

SEC-CD-06

ISO 17799 (legacy)

10.8.3

COBIT 4.1 (legacy)

DS11.4, DS11.6