MP-7 Media Use

Description

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm.

This Control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers).

In contrast to MP-2, which restricts user access to media, this Control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives.

Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media.

Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices.

Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned.

Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.

Applicability

This Control applies to all removable computer media containing restricted or confidential university data.

The data trustee, or designee, is responsible for ensuring that the measures described in this Control are implemented.

Implementation

TAMU-CC shall protect confidential and controlled media types on portable media and media devices using encryption. TAMU-CC restricts the use of mobile devices with information storage capability, based on documented risk management decisions. All removable computer media containing restricted or confidential information shall have a clearly designated owner, accountable for ensuring all applicable security controls are met.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019

Chief Information Security and Privacy Officer

Submit a Ticket