Ensuring the secure transportation of physical media is a critical component of an organization's overall security posture. Establishing, documenting, and regularly reviewing policies and procedures for handling physical media throughout its lifecycle is essential. From secure packaging and delivery, to tracking chain of custody, a comprehensive approach is required.
Where did this come from?
This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26 which can be downloaded at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM provides a framework of security controls that cover key aspects of cloud computing. Datacenter security, including secure media transportation, is one domain addressed by the CCM. For more background, refer to the CSA's Overview and Methodology document: https://cloudsecurityalliance.org/artifacts/ccm-overview-and-methodology/
Who should care?
Several roles within an organization should be keenly aware of this control:
- Data center managers with responsibility for physical media inventory and chain of custody
- Compliance officers with oversight of data handling procedures
- Information security analysts with focus on data loss prevention
- Executives with accountability for overall security risk management
What is the risk?
Failure to properly secure physical media during transportation opens the door to several adverse events:
- Unauthorized access to sensitive data if media is lost or stolen in transit
- Compliance violations and regulatory fines if data handling procedures are found inadequate
- Reputational damage if customers or partners lose confidence in the organization's ability to protect their data
The secure media transportation control helps prevent unauthorized access by ensuring media is packaged securely. It helps detect anomalies through chain of custody tracking. And it helps manage incidents by providing an audit trail if issues occur.
What's the care factor?
For organizations that store and transport large volumes of physical media containing sensitive data, this control should be a high priority. The consequences of a data breach due to mishandling of media can be severe - financially and reputationally. Even if the likelihood of an incident seems low, the impact justifies a robust approach. For a small business with minimal physical media, this may be a lower priority.
When is it relevant?
This control is highly relevant for:
- Data center migrations or consolidations that involve transporting media
- Offsite media vaulting and rotation of backup tapes
- Bulk transfer of media between departments or office locations
- Decommissioning and disposal of media-containing devices
It is less relevant for organizations that primarily use cloud storage and do not maintain their own physical media.
What are the trade-offs?
Implementing secure media transportation has several costs to consider:
- Packaging materials for secure cases, crates, or envelopes
- Logistics of engaging bonded couriers or armored transport
- Time and labor to maintain chain of custody records
- Secure storage locations at sending and receiving sites
- Training personnel on media handling procedures
These costs need to be balanced against the sensitivity of the data and the risk exposure.
How to make it happen?
- Inventory all media types and lifecycle stages involving transportation
- Classify media based on data sensitivity
- Define secure packaging standards for each media type/classification
- Establish approved transportation providers and channels
- Implement chain of custody procedures with access logging
- Utilize tamper-evident packaging seals and integrity checks
- Encrypt media contents for high-risk scenarios
- Train personnel on media handling procedures
- Test procedures with drills and audits
- Review and update based on incidents or annually at minimum
What are some gotchas?
- Media encryption may require specific hardware/software compatibility
- Transportation personnel may require background checks and special training
- Customs requirements may apply for international shipments
- Environmental factors like temperature and humidity need to be controlled
- Policies need to cover both originals and any copies made
What are the alternatives?
Where feasible, using secure network transfer instead of physical media transportation can reduce the risk exposure. Cloud-based storage with robust encryption can obviate the need to physically ship media.
Explore Further
- NIST SP 800-53 includes guidelines on media protection: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- ISC2 CISSP CBK covers media lifecycle security: https://www.isc2.org/Certifications/CISSP
- CIS Control 13 addresses Data Protection: https://www.cisecurity.org/controls/data-protection/
