1 hour 27 minutes

Video Description

This lesson covers Domain 10 which is media protection and covers items such as USB devices, basically anything containing confidential information. This is something that is often overlooked; discussed in this lesson are basic security requirements 3.8.1, 3.8.2 and 3.8.3 as well as derived security requirements: • 3.8.4 • 3.8.5 • 3.8.6 • 3.8.7 • 3.8.8 • 3.8.9

Video Transcription

all right now remain 10 which is immediate protection, and this is something that's often overlooked. And, you know, in your environment you might have USB devices disabled. But there's still lots of other types of media that we have to make sure that we protect.
So when we look at the basic security requirements for immediate protection,
we have to make sure that we have physical security. Ah, and that any sort of media securely stored. And we also have to keep in mind that confidential but unclassified information
might not always be digitalis wells. We want to really make sure that we limit access to our information
whether it's, you know, an Elektronik format or not. But the physical controls really important. We also wanna limit access information, sitting it system, media toe authorized users. That should just be a giving right. You have to have the authorization credentials in order to access these resource is
but importantly here. Limiting access means that we have to have a very at active
access control mechanism,
and here's one that I see overlooked, sanitized or destroy media containing see why, before disposal or release for reuse it, cleansing the media you know, it was a while back after one of the political campaigns here in the area.
It was the McCain Palin
team that after the election,
they basically got their Blackberrys back from their staff, put him in a box with the box in storage and then took the blackberries out six months later and sold him to the general public. While the step that they missed was sanitizing the data from those devices so that when they sold them, it was quite an embarrassment because,
um, full numbers, dates, notes and all those things were just made available.
So obviously, we're looking at sensitive information. We've got to remove any sort of remnants of data. Now that can mean dig housing for magnetic media. It could mean zero ization, which is overriding with ones and zeros. Might be physical destruction, depending on the significance of the information.
All right, now, from here to the derived limitations or requirements rather so making sure that the media is labeled so that, um, we make sure that we protect that media to the upper degree off the classification of data so that we know when we look at that media. What it contains and have a protective.
We're gonna make sure that it is documented the second bullet point. We're gonna control all that access
and document who has what when. So that we make sure that if that media leaves a controlled, protected environment, know where it is and how it's being secured,
implement cryptography to protect the confidentiality of data stored on media. Absolutely, you know, as a matter of fact, using things like Crypto Locker for good. You know, if you're familiar with Clip Crypto Locker, it was ransomware, and basically the Attackers would encrypt someone's hard drive. And
only if you paid them ransom. Would you get the key.
So I'm not saying use that software but that idea, you know, protect your information, lock it down in such a way that it can't be compromised, even if we do lose the device. As a matter of fact, that's as good a means of
protection in some elements. Is serialization rendering data unreadable?
All right, uh, control the use of removable media on information system components. That's why many organizations limit or exclude the use of thumb drives. You know it's a way to bring, uh,
that information on sort of a way to bring mount where in, but it's also a way to remove sensitive information, so we want to lock that down. We have to think about being
complete in our decisions, though, because if I lock thumb drives down but still allow users the ability to access Devi arms and they can still write information that's still bring it in,
that's not really complete solution.
Prohibit the use of portable storage devices when they have no identifiable owner. Yeah, get rid of things that you can't trace back to someone and hold accountable for.
And then also, don't forget that if it's confidential information, we protect the backup as well, right? We don't just have this file that we protect with their lives and then send it to tape backup that it's stored in somebody's trunk, right? So we make sure that we protect in a comprehensive and complete manner.
Don't forget,
protect the media. The media is important, as is important for protection because that's the access to the death

Up Next

NIST 800-171 Controlled Unclassified Information Course

The Cybrary NIST 800-171 course covers the 14 domains of safeguarding controlled unclassified information in non-federal agencies. Basic and derived requirements are presented for each security domain as defined in the NIST 800-171 special publication.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor