Procedure for Media Management

Details

Date: 03-12-2019
Version: 1.0
Status: Approved
Information Classification: Internal
Document Template ID: AMS DOC
Document No: AMS-SP-33

Revision History

Date: 25-10-2019
Version: 1.0
Description: Initial Version
Author: Shaila
Reviewed by: AMF
Approved by: Suresh Kumar B V
Approved date: 03-12-2019

Acronyms Used

Acronym            Expanded Form

Introduction

This procedure defines the security controls to be implemented for the management of removable computer media. The security controls to be adopted while media is in transit are also described in this procedure.

Scope

This procedure is applicable to the following types of removable computer media:

  • USB

  • CD-ROMs

  • DVD-ROMs

  • Hard disks

  • Tapes

This procedure details the steps to be followed for:

  • Management of Information and Media on customer account closure.

  • Media in transit, when there is a need to move backup media from one location to another, and hard disks sent to a vendor for maintenance.

The details regarding the management of Backup tapes are described in the Procedure for Backup.

ISO27001 Control Reference

  • A.8.3.1 Management of removable media

  • A.8.3.2 Disposal of media

  • A.8.3.3 Physical media transfer

Key Practices & Responsibility

The key practices and responsibilities are as follows:

Srl.  Key Practice                                                        Responsibility
      Media management                                                    Head - IT
      Management of Information on Resource Release                       Function Head, Head - IT
      Management of Project Information and Media on Project Closure      Head-BD / Head - IT
      Management of media in transit                                      Head - IT
      Disposal of media                                                   Head - IT

Key Practice Details

Media Management

  • The IT support team has to ensure that the requirements of the Information Security Policy are adhered to in the implementation of controls for removable computer media.

  • The Head - IT is responsible for ensuring that all systems are in compliance with the requirements identified for the different types of media.

Management of USB Devices

  • USB ports on all desktops will be disabled.

  • USB ports on laptops will be disabled.

  • As an exception, USB ports are enabled only for the CRM team to carry out its business activities.

Management of CD-ROMs

  • CD/DVD-ROM drives on all desktops will be removed.

  • No CD/DVD burning will be entertained for business information or any other requirements.

  • CD/DVD will be used only for archival purposes.

    • A service request will be raised by the individual for CD burning and approved by the function head.

    • After the form is duly authorized, the IT department will burn the requested data to CD/DVD or tape (based on the size of the backup).

  • In addition, CD/DVD burning for the Finance function for regulatory purposes will be permitted, and the media will be handed over to Head-Finance.

  • In exceptional cases, based on business requirements and with approval from the CISO, CD/DVD burning will be permitted.

  • If users require material from a CD-ROM, it must be given to the IT department. The IT personnel will scan the CD-ROM using a virus scanner before copying the data.

  • The data to be copied from the CD-ROM will be transferred to a designated location on the function/project common server.

Management of Hard Disks

  • In the event of a hard disk failure, a service request will be raised and submitted to the IT support team. The individual must also inform the IT support team of the sensitivity of the information stored on the hard disk. Based on this information, the IT support team will be responsible for exercising the relevant controls to ensure the confidentiality and integrity of the data.

  • Hard disks containing "Confidential" information will be removed by IT personnel only after authorization from the function head.

Management of Information on Resource Release

  • The function head will ensure that, on release of a resource, a backup is taken and all work-related information and data on the released resource's workstation are deleted.

  • The IT team will format the disks prior to allocating such workstations to other employees.

Management of Customer Information and Media on Customer Account Closure

  • Head-BD will ensure that, on closure of a customer account, a backup/archive is taken and all customer information and data on servers and workstations are deleted.

  • Head-BD will ensure that any customer data is returned, as per the contract, to the customer's designated contact and will obtain confirmation of the same.

  • Head-BD will hand over the hardware and software provided to the customer to the IT team. The IT team will update the asset allocation information in the Assets Tracking Inventory or tool.

  • The IT team will format the disks prior to allocating such servers/workstations to other groups.

Management of Media in Transit

Security of Backup Media in Transit

  • In case a third party, such as a document management company or a courier service, is used for transport of backup media, ASL will enter into a confidentiality agreement with the third party to ensure that unauthorized access is prevented.

  • Backup media in transit will be properly packed and transported in turtle boxes to prevent damage.

  • The turtle box will be locked during transit and the key will not be carried during transit. Keys will be maintained both at the backup location and at the offsite storage location.

  • The keys for opening the turtle boxes at the offsite location will be maintained by the physical security team. A log will be maintained of the issue of keys for opening the turtle boxes.

  • A Media Register will be maintained for tracking the sending and receiving of media.

  • The Media Register will be updated by the concerned personnel as and when the media is sent or received.

Security of Media in Transit

  • Appropriate packaging will be done to prevent damage to the media in transit.

  • Head - IT approval will be obtained on the returnable gate pass that is issued to the vendor. A copy of the gate pass will be maintained by the IT department.

  • In the event of a hard disk failure, the hard disk will be sent to the vendor only after appropriate approval is obtained from Head - IT.

  • A monthly reconciliation report for returnable and non-returnable materials will be sent by the Admin team for IT review and tracking purposes.

  • Head - IT is responsible for ensuring that a record exists of all hard disks that are issued to vendors for maintenance activities.

Disposal of Media

  • The disposal of media containing information assets will be done based on the classification level as detailed in the Procedure for Information Classification and Handling.

  • In addition, hard disks must be formatted under the following conditions:

    • Disposing of old workstations or servers

    • Issuing workstation or laptop to new users

    • Closure of customer account.

References

Srl.  Document/Section Name
      Procedure for Backup and Recovery