MP-1: Media Protection – Policy and Procedures
NIST Baseline: Low
Privacy Baseline: Yes
DIR Required By: 07/20/2023
Review Date: 07/24/2024
Purpose –
The Media Protection Policy and associated controls document the minimum standards required to protect the data stored or processed by Tarleton State University (Tarleton). All information resources that process, store, transmit, or otherwise impact the confidentiality, integrity, or accessibility of Tarleton data must meet the Media Protection Policy and security controls. Media includes both electronic media (e.g., hard drives, mobile devices including portable storage media such as USB memory sticks and portable computing and communications devices (e.g., laptop computers, tablets, smartphones, digital cameras, audio recording devices)) and non-electronic media (e.g., paper).
Scope and Roles –
This policy applies to information resources owned or managed by Tarleton. The intended audience includes all individuals involved in the handling of media that stores or processes data at Tarleton.
Compliance –
Media Protection controls are implemented to ensure compliance with the Texas A&M University System (TAMUS) Records Retention Schedule; Texas Government Code §441.187, Destruction of State Records; Texas Administrative Code §6.97, Final Disposition of Electronic State Records by Transfer to State Archives or Destruction; the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by Title 1 Texas Administrative Code §202.76; and TAMUS Regulation 29.01.03, Information Security.
Implementation –
- The Tarleton CISO, in coordination with information resource owners and custodians, shall develop, document, and disseminate a policy and set of controls that addresses the Media Protection Policy for information resources. These controls and policy should:
  - Address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
- Information resource owners and custodians are responsible for any procedures to facilitate the implementation of the Media Protection Policy and associated controls in order to ensure the proper protection and storage of Tarleton data.
- The CISO, or their designee, shall review and update the Media Protection Policy and associated controls as necessary.