Information in the form of data must be stored on digital media or as printed hard copies. Based on legal requirements and corporate policies, data needs to be retained even after its useful life. Data is also retained on media as a backup and used in business continuity and disaster recovery scenarios.
Data security also concerns the physical protection of equipment as well as addressing security requirements pertaining to the media where the data is stored.
Storage media, such as hard disks, backup tapes, CDs, and diskettes, need additional security measures so as to ensure the security of the data they contain. Controls should ensure the prevention of data disclosure and modification by unauthorized entities.
The following controls need to be considered for media security:
Storage controls are the primary means to protect the data in storage media, such as hard disks, magnetic tapes, CDs, and so on. The primary consideration should be controlling access to the data, which is usually achieved by encrypted keys. Additional security considerations are required when the backup media is stored offsite.
Maintenance is a regular process to ensure that the data in the storage media is not corrupted or damaged. Media handling procedures are used to ensure this.
The users and operators should be provided with the proper usage instructions to handle the media.
Media usage should be in accordance with the established policies and procedures.
Data destruction is done by way of formatting the media. One-time formatting may not completely delete all the data. Some standards recommend formatting the media seven times for complete data destruction.
Theft is one of the most common threats that need to be addressed for the protection of personal computers, laptops, and media.
The following controls need to be considered for protection from theft:
The information people hold in their memories also needs to be controlled, and data protection measures apply to it. Practices such as discussing confidential or personally identifiable information in public places, or transmitting information through publicly accessible mediums, should be discouraged through operational procedures.