3.8.3 has a weight of -5 points
(Media Protection Family) 3/9
Sanitize or destroy system media containing CUI before disposal or release for reuse.
Example of System Security Plan (SSP):
Organization’s Data Destruction Policy and Implementation SSP
Objective: Our primary objective was to implement guidelines for data destruction that strictly align with DoD standards, thus ensuring the security, confidentiality, and integrity of CUI throughout the organization.
Scope: The policy and its subsequent implementation covered all employees, contractors, and third parties responsible for handling, processing, storing, or disposing of organizational data.
Implemented Standards for Data Destruction:
- NIST 800-88 Compliance: All sanitization processes were executed in accordance with (IAW) NIST 800-88 Guidelines for Media Sanitization. This ensured data was thoroughly sanitized before media disposal or reuse.
- Non-Digital Media: Non-digital media no longer in use was destroyed using a paper shredder, ensuring data was rendered irrecoverable.
- Digital Media:
  a. All digital media containing sensitive data was appropriately erased.
  b. Outdated devices, post-erasure, were not returned to use. Instead, they were physically destroyed to prevent any potential data breaches.
  c. CUI data retention on digital devices, particularly laptops, was strictly prohibited.
- Laptop Hard Drives: All laptop hard drives were re-imaged upon the departure of company personnel. This ensured no residual data, especially CUI, remained on the device.
Post-Implementation Measures & Responsibilities:
- Awareness and Training: We trained all personnel on the data destruction procedures. Regular training sessions have been scheduled to keep the workforce updated.
- Monitoring: Our IT and Security teams have been actively monitoring the data destruction processes. This includes regular audits, checks, and reviews.
- Reporting: Protocols have been set for immediate reporting of any instances of non-compliance or potential breaches to the IT and Security departments.
Review: We have scheduled an annual review of our Data Destruction Policy Implementation to ensure its continued relevance and effectiveness.
Example of Plan of Action and Milestones (POA&M):
Plan of Action and Milestones (POA&M)
Objective: Implement a comprehensive data destruction policy in alignment with DoD standards to ensure the protection of Controlled Unclassified Information (CUI).
Milestone 1: Preliminary Assessment
- Task: Conduct a preliminary assessment to determine current data destruction methods and identify gaps.
- Responsible Party: IT and Security teams
- Completion Date: October 10, 2023
- Resources Needed: Assessment tools, team time
- Status: Not Started
Milestone 2: Drafting the Policy
- Task: Draft a detailed data destruction policy based on DoD standards and findings from the preliminary assessment.
- Responsible Party: Policy Drafting Committee
- Completion Date: November 1, 2023
- Resources Needed: NIST 800-88 Guidelines, preliminary assessment report
- Status: Not Started
Milestone 3: Hardware Acquisition
- Task: Purchase appropriate paper shredders for non-digital media destruction.
- Responsible Party: Procurement Department
- Completion Date: November 15, 2023
- Resources Needed: Budget allocation, vendor contacts
- Status: Not Started
Milestone 4: Policy Approval & Dissemination
- Task: Seek approval of the drafted data destruction policy from senior management.
  - Responsible Party: Policy Drafting Committee and Senior Management
  - Completion Date: November 20, 2023
  - Resources Needed: Time from senior management, policy document
  - Status: Not Started
- Task: Disseminate the approved policy to all relevant stakeholders and departments.
  - Responsible Party: HR and Communications teams
  - Completion Date: November 30, 2023
  - Resources Needed: Internal communication channels, training materials
  - Status: Not Started
Milestone 5: Training & Implementation
- Task: Conduct training sessions for all personnel on the new data destruction policy.
  - Responsible Party: Training Department in collaboration with IT and Security teams
  - Completion Date: December 15, 2023
  - Resources Needed: Training materials, venue or virtual platform, trainers
  - Status: Not Started
- Task: Implement the policy across all departments.
  - Responsible Party: Department Heads with oversight from IT and Security teams
  - Completion Date: January 5, 2024
  - Resources Needed: IT support, paper shredders, digital erasure tools
  - Status: Not Started
Milestone 6: Review & Feedback
- Task: Gather feedback on the implementation of the policy.
  - Responsible Party: Quality Assurance Team
  - Completion Date: February 1, 2024
  - Resources Needed: Feedback forms, focus groups
  - Status: Not Started
- Task: Conduct a review to assess the effectiveness of the policy and identify any potential improvements.
  - Responsible Party: IT, Security, and Quality Assurance teams
  - Completion Date: March 1, 2024
  - Resources Needed: Review tools, team time
  - Status: Not Started
Example of equipment with memory components:
Various office equipment can have integrated hard drives or memory components that store data, either temporarily or permanently. Here’s a list of such equipment:
- Printers, Copiers, and Multifunction Machines: Modern printers, especially networked ones, and multifunction machines (that can scan, print, and copy) often have internal hard drives that store a cache of recent documents. This is especially true for business-grade printers and copiers that handle large print jobs and may cache job data for efficiency and recovery purposes.
- Fax Machines: Some modern fax machines have built-in memory to store incoming and outgoing faxes, especially if they offer a “print later” feature.
- Computers and Workstations: The most obvious office equipment to store data. This includes desktops, laptops, and servers.
- Network Routers and Switches: High-end routers and switches, especially those used in business environments, may have local storage for logging, firmware, and configuration backups.
- Phones and VoIP Equipment: Modern office phones, especially VoIP (Voice over IP) phones, can have internal memory or storage for call logs, voicemails, and configuration data.
- Video Conferencing Systems: Equipment used for video conferencing can store meeting data, call logs, and configurations.
- Point-of-Sale (POS) Systems: These systems, used for transaction processing in retail or service environments, have memory for transaction logs, customer data, and other relevant info.
- Digital Signage and Interactive Displays: Such systems might store multimedia content, usage logs, and user interactions.
- Security Systems and Cameras: Security cameras, especially those with features like motion detection, might have onboard storage for video footage. Access control systems might also have memory for logs and user access data.
- External Storage Devices: This includes USB drives, external hard drives, and network-attached storage (NAS) devices.
- Mailroom Equipment: Some advanced mailroom machines that sort, stamp, or manage mail might have memory components for job data and configurations.
It’s essential for businesses to recognize that these devices can store sensitive data, even if temporarily. Proper decommissioning, which might include data wiping or physical destruction of the storage component, is crucial when replacing or discarding such equipment.
RELEVANT INFORMATION:
This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization. Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing CUI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes for controlled unclassified information. [SP 800-88] provides guidance on media sanitization.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.